Building an MVC5 intranet application that is using Windows Authentication.
I want to use the built-in roleManager to add roles to existing users. If I attempt to create a user, say AD\Username, and add him to the Admin user role, I can do this just fine and ASP.NET Identity builds out and stores that information in the database.
However, using [Authorize(Roles = "Admin")] on any particular controller action will not give me access to that page. It's as if there is no link between AD\Username and my AD user.
Is this built in to work with ASP.NET Identity? Or do I need to do some heavy customization? This seems fairly straightforward.
Thanks for the help!
Related
I want to create a site using MVC .NET Core 3.0 and I'd like to use Identity, but I need the users to be saved not in SQL but in a service we already have for administering users, which I can query using a REST service.
What I need is, when a user logs in, instead of reading from EF and SQL, to go to this other service and check there if the user and password are correct.
I want to keep protecting the rest of the pages using the [Authorize] attribute once a user logs in.
Is there a way to change this behavior in .NET Core Identity?
Thanks for any comments!
using framework asp.net core - on .net core MVC jquery
In the account controller, I am attempting to obtain the user currently logged in to that machine on an intranet network, i.e. the Windows-authenticated user.
If I try WindowsIdentity.GetCurrent(), it just returns the identity of the application pool, not what I need.
I have anonymous turned off and Windows auth turned on in both the launchsettings.json and the IIS settings.
I understand that the identity middleware for the ABP framework I'm using is table based, so the Controller's 'User' property is not what I need either.
I am wondering whether this is a limitation of .NET Core?
You need to disable Anonymous Authentication and enable Windows Authentication for a specific page like the Login page. This way, you say the Login page requires NTLM, so the browser sends authenticated user information, and you can retrieve it with HttpContext.User.Identity.Name.
Then there's the next challenge! Authenticating this user with ABP. For this one, you can check out this StackOverflow post.
Am I mad?
I can create authentication providers using OWIN and ASP.NET Identity for Facebook, Google, etc. But I have a requirement to authenticate my users against Windows. I'd rather not require the configuration of AD, or to tell IIS what domain to authenticate against; I just want IIS to authenticate as if the setting was Windows Authentication in the Web config.
But then I want to be able to get roles and user details. I want roles in SQL Server. I also require the user's first and last name (which are not directly available from Windows auth).
In the past I have done this with a mixed authentication middleware, and grabbed the user details from the principal context when creating the user, storing that in SQL and in the authentication cookie. But this seems a bit of overkill here.
Has anyone successfully used basic Windows Authentication but held roles and first/last name in SQL?
thanks
Yes, you can use Windows authentication with ASP.NET and IIS.
This article should be a good start.
You can then store users and their AD groups in the application, and manage access based on that mapping.
I was thinking about writing my own MembershipProvider for my web app. People won't normally register but will be supplied with login info. Will membership then not be the right thing?
I will still have some roles and such as well, and I might want people to be able to authenticate using a ClientCertificate instead of a normal login. I still want them to be membership verified (there is an identifiable field in the certificate and database I could use) and use roles and such.
Is MembershipProvider perhaps only used with the original login authentication and not authorization?
There doesn't seem to be anything special happening when a user is validated, so how does the authorization attribute know who is authorized?
The existing membership works just fine if you want to supply login info. There is no requirement that user registration be initiated by the user. Just take the standard code and let the site administrator run it.
Yes, membership is just for authentication. The out of the box feature for authorization is the roles feature.
I am getting user roles from Active Directory and I am binding the same roles to ASP.NET Membership Roles.
I want to control the display for the various Views in Controller by using
[Authorize(Roles = "Admin")]
But whichever role I specify, the view just doesn't display. If I take out the [Authorize(Roles = "Admin")] it works.
Does Authorize use ASP.NET Membership roles? If so, why am I getting this error?
Am I missing anything? Any ideas?
Thank you
IIRC if you use AD roles it works with groups and you need to specify the domain:
[Authorize(Roles = @"MYDOMAIN\SomeDomainGroup")]
Now if the user accessing the site belongs to the given AD group, he will be granted access.
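An added example, not code from any of the posts on this page: [Authorize(Roles = ...)] asks the request's principal IsInRole, so roles kept in the application's own store (as in the first question and the SQL-roles question above) are only seen once they are attached to that principal as role claims. The sketch below shows that mapping on a stand-in ClaimsPrincipal; the class name, the "AppRoles" label and the in-memory role table are assumptions, and where it is called per request (for example Application_PostAuthenticateRequest in MVC5 or an IClaimsTransformation in ASP.NET Core) depends on the application.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

static class AppRoleMapper
{
    // Constructed sample data standing in for the application's role table,
    // keyed by the account name that Windows Authentication reports.
    static readonly Dictionary<string, string[]> RoleTable =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { @"AD\Username", new[] { "Admin" } },
        };

    // Adds the application's roles as role claims on a second identity, so that
    // IsInRole (which [Authorize(Roles = ...)] relies on) can see them.
    public static ClaimsPrincipal AddAppRoles(ClaimsPrincipal user)
    {
        if (user.Identity == null || !user.Identity.IsAuthenticated)
            return user;                      // anonymous: add nothing
        if (user.Identities.Any(i => i.AuthenticationType == "AppRoles"))
            return user;                      // already mapped for this principal

        string[] roles;
        if (!RoleTable.TryGetValue(user.Identity.Name ?? "", out roles))
            return user;                      // unknown account: no roles (deny by default)

        user.AddIdentity(new ClaimsIdentity(
            roles.Select(r => new Claim(ClaimTypes.Role, r)), "AppRoles"));
        return user;
    }

    static void Main()
    {
        // Stand-in for the authenticated principal; a real request would carry
        // a WindowsPrincipal created by IIS/Windows Authentication.
        var user = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, @"AD\Username") }, "Negotiate"));

        Console.WriteLine("Admin before mapping: " + user.IsInRole("Admin"));
        Console.WriteLine("Admin after mapping:  " + AddAppRoles(user).IsInRole("Admin"));
    }
}
```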
Assuming you are using the VS built-in server and you are getting a blank page - the built-in development server will display a blank page instead of prompting for credentials.
Buried way down in a note on this page
Note:
If you are using the Visual Studio Development server, you are not prompted for credentials and you see only a blank page.