Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share

0 votes
277 views
in Technique by (71.8m points)

c# - ASP.NET Core Authorize AD Groups through web.config

In my old .NET MVC app, I could enable Windows Authentication in IIS and disable anonymous. Then in my web.config file I just had to put in this:

<authorization>
  <allow roles="Domain\MyADGroupToHaveAccess" />
  <deny users="*" />
</authorization>

In .NET Core 2.0 this will not work – it denies anonymous correctly, but it authorizes all users no matter what.

If I do this:

[Authorize(Roles = @"Domain\MyADGroupToHaveAccess")]

on my HomeController, it works, but I don't want to hardcode this setting in my project as it's something that needs to be changed for other environments.

How can I make web.config to work with AD Authorization? Or is there another way to not hardcode this setting in ASP.NET Core?


1 Reply

0 votes
by (71.8m points)

I solved this by making it into a policy which reads its value from appsettings.json. This way other people who have access to the server can edit the group to their own.

In Startup.cs:

// Named policy: the required role (AD group) comes from configuration, not from code.
services.AddAuthorization(options =>
{
    options.AddPolicy("ADRoleOnly", policy => policy.RequireRole(Configuration["SecuritySettings:ADGroup"]));
});

// Global filter: every action requires an authenticated user (replaces <deny users="*" />).
services.AddMvc(config =>
{
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();

    config.Filters.Add(new AuthorizeFilter(policy));
});

In appsettings.json (or perhaps appsettings.Production.json if you have a different one per environment):

"SecuritySettings": {
  "ADGroup": "YourDomain\\YourADGroup"
}

In your controllers you can then decorate it with this attribute:

[Authorize(Policy = "ADRoleOnly")]

Hope this can help other people.

I still have to figure out how to apply this policy globally so I don't have to decorate every controller; I'd figure it can be done in services.AddMvc somehow?


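The open point at the end of the answer (applying the policy globally) can be closed by handing the same policy object to the MVC filter. The following Startup is an added example, not the answer author's code: it reads the group from configuration, refuses to start if the key is missing (so a deployment without the setting fails closed instead of silently admitting everyone), registers the policy under the answer's "ADRoleOnly" name, and applies it to every action. It assumes ASP.NET Core 2.x hosted in IIS or IIS Express with Windows Authentication enabled and Anonymous Authentication disabled; the configuration key "SecuritySettings:ADGroup" and the policy name are taken from the answer above.

```csharp
// Added example (not the answer author's code). Assumes ASP.NET Core 2.x behind IIS
// with Windows Authentication on and Anonymous Authentication off, and the
// "SecuritySettings:ADGroup" key from the answer above in appsettings.json.
using System;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.AspNetCore.Server.IISIntegration;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Windows identities are established by IIS; register that scheme as the default
        // so RequireAuthenticatedUser() sees the Windows principal.
        services.AddAuthentication(IISDefaults.AuthenticationScheme);

        // Group name in the form "DOMAIN\Group". In JSON the backslash must be written
        // as "\\", e.g. "YourDomain\\YourADGroup"; an environment variable override
        // is SecuritySettings__ADGroup (double underscore = section separator).
        var adGroup = Configuration["SecuritySettings:ADGroup"];
        if (string.IsNullOrWhiteSpace(adGroup))
        {
            // Fail closed at startup: a missing group must never mean "no restriction".
            throw new InvalidOperationException(
                "SecuritySettings:ADGroup is not configured; refusing to start.");
        }

        // One policy object backs both the named policy and the global filter,
        // so a controller-level [Authorize(Policy = "ADRoleOnly")] and the global
        // filter can never disagree about which group is required.
        var adRoleOnly = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .RequireRole(adGroup) // Windows group membership surfaces as a role claim
            .Build();

        services.AddAuthorization(options => options.AddPolicy("ADRoleOnly", adRoleOnly));

        // Global filter: every action requires the AD group unless the action or
        // controller is explicitly marked [AllowAnonymous].
        services.AddMvc(config => config.Filters.Add(new AuthorizeFilter(adRoleOnly)));
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
        app.UseMvc();
    }
}
```

With the global filter in place, individual controllers need no attribute at all; the only per-controller decoration left is [AllowAnonymous] on the few endpoints that should be reachable without group membership (health checks, for example), so those exceptions are visible in code review rather than the default. Because both the policy registered under "ADRoleOnly" and the filter share one object, changing the group in appsettings.Production.json changes it everywhere at once.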