I have an ASP.NET Core 3.0 application that works with local Intranet Windows Authentication to identify logged in users. Using the standard Windows Authentication behaviors I'm able to capture the user's WindowsIdentity without an issue.
However, depending on how the user is logged into the browser using either automatic Intranet Browser login (i.e. no password dialog) or explicitly logging in using the browser Password dialog box, I get different results for the user's groups.
The following is an API request that echoes back user information including a filtered group membership list (that excludes built-in accounts). The one on the left is a manual login, the one on the right an auto-login.
For the explicit login I correctly see all the custom groups the user is part of. However, for the auto-login, those same groups do not show up:

I also took a close look at the User and Identity instances on the server, and it's referencing the exact same SIDs for the user, so it seems strange that different results are being returned for the Group Membership.
Any ideas why the group list is different when I am getting the same account returned? Note the groups are local so it shouldn't be an issue due to domain access.
Note: I'm testing locally on localhost even, and to test this I set the Windows Proxy Settings here:
With the checkboxes off I'm forced to log in. With them on (in Chromium browsers anyway) I have to explicitly enter my credentials into the browser's login dialog.
Windows Authentication authenticates users of an ASP.NET Core application with the help of the operating system, and authorization restricts access to the application based on the user's role. Windows Authentication is very useful in intranet applications where users are in the same domain.
Select File >> New >> ASP.NET Core Web Application, and change the authentication to Windows Authentication. An existing application can also be configured for Windows Authentication by selecting the Windows Authentication option. To configure the authentication manually, open the Visual Studio project properties and go to the Debug tab.
a) To create a Web API project in Windows Authentication mode, follow the steps below: after choosing ASP.NET Web Application, select the Web API template, click the Change Authentication button on the right side, and select Windows Authentication.
Windows-based authentication is negotiated between the Windows server and the client machine. ASP.NET applications reside in Internet Information Services (IIS). Any user's web request goes directly to the IIS server, which performs the authentication in the Windows-based authentication model.
Has the user logged out of their computer since being added to those groups?
The groups listed are held in the user's login token. I think what might be happening is that auto-login sends the user's existing login token (created when they logged into Windows), so it would not contain any groups that they've been added to since they last logged in.
Manually entering the username and password performs a new login, and thus gets a brand new token with all the groups at the time of the login. So new groups will show up there.
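To check whether the explanation in the answer above applies, the following added example (not code from the original post or answer) compares the group SIDs carried in the request's access token with the groups the local account database reports for the same user right now. It assumes Windows, local accounts and groups as in the question, and the `System.DirectoryServices.AccountManagement` NuGet package; the class and method names are hypothetical.

```csharp
// Added diagnostic example; not code from the original post.
// Assumes Windows, local (machine) accounts and groups, and the
// System.DirectoryServices.AccountManagement NuGet package.
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Security.Principal;

public static class TokenGroupDiff
{
    // Group SIDs carried in the access token: a snapshot taken at logon.
    public static HashSet<string> TokenGroupSids(WindowsIdentity identity)
    {
        var sids = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        if (identity.Groups == null) return sids;
        foreach (var sid in identity.Groups.OfType<SecurityIdentifier>())
            sids.Add(sid.Value);
        return sids;
    }

    // Groups the local account database reports for the same user SID now.
    public static Dictionary<string, string> CurrentGroups(WindowsIdentity identity)
    {
        var groups = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        if (identity.User == null) return groups;          // anonymous identity
        using var ctx = new PrincipalContext(ContextType.Machine);
        using var user = UserPrincipal.FindByIdentity(
            ctx, IdentityType.Sid, identity.User.Value);
        if (user == null) return groups;                   // not a local account
        foreach (var g in user.GetGroups())
            if (g.Sid != null) groups[g.Sid.Value] = g.Name;
        return groups;
    }

    // SID -> name of groups the user belongs to now that the token lacks.
    // A non-empty result is consistent with a token issued before the
    // membership change.
    public static Dictionary<string, string> MissingFromToken(WindowsIdentity identity)
    {
        var inToken = TokenGroupSids(identity);
        return CurrentGroups(identity)
            .Where(kv => !inToken.Contains(kv.Key))
            .ToDictionary(kv => kv.Key, kv => kv.Value);
    }
}
```

In a controller, call `TokenGroupDiff.MissingFromToken((WindowsIdentity)User.Identity)` for both the auto-login and the explicit-login request and compare the results.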