I am creating a C# Winform Application which will be used in a corporate domain (Windows Active Directory). The app is to behave as the following:
From Google searches, I found several ways to check if a user is part of an Active Directory group, for example in the link here => How to check if a user belongs to an AD group?
My concern is the security part of this. What if someone spoofs a username and domain? He won't need to know the password to gain access to the app.
Don't do a look up. The SID of every group the user is a member of (recursively) is part of the user's login token. So you can just use WindowsPrincipal.IsInRole(). If you only have the name of the group, you can give it that:
using System.Security.Principal;

var currentUser = new WindowsPrincipal(WindowsIdentity.GetCurrent());
bool isMember = currentUser.IsInRole("SomeGroup"); // domain groups are usually written as DOMAIN\GroupName
That translates the name into the SID and checks the login token for that SID. That requires a network request. If you can give it the SID of the group instead, then you can save that network request:
var groupSid = new SecurityIdentifier("S-1-5-21-blah"); // the group's SID string
bool isMember = currentUser.IsInRole(groupSid);        // local token check, no name lookup
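A complete console program putting the answer's two checks together, added here as an example and not code from the question or the answer. It assumes a domain-joined Windows machine and .NET (Framework 4.x, or .NET 6+ on Windows); the group name EXAMPLE\AppUsers and the SID string are constructed placeholders, and GroupGate, IsMemberByName, IsMemberBySid and ResolveGroupSid are names chosen for this example. The point it demonstrates is the one the answer makes about spoofing: the identity comes from the process's logon token, which Windows only issues after the user has authenticated, so nothing the user types into the app can change which group SIDs are in it.

```csharp
// Added example (not from the original question or answer).
// Assumes: Windows, domain-joined machine, .NET Framework 4.x or .NET 6+ on Windows.
// The group name and SID below are constructed placeholders; replace them with
// the real values from your domain.
using System;
using System.Security.Principal;

static class GroupGate
{
    // Placeholder (constructed): the group that is allowed to use the app, in DOMAIN\Group form.
    const string RequiredGroupName = @"EXAMPLE\AppUsers";

    // Placeholder (constructed): the same group's SID. Get the real one from AD.
    const string RequiredGroupSid = "S-1-5-21-0000000000-0000000000-0000000000-1234";

    // Check by name. IsInRole(string) resolves the name to a SID first
    // (a network request to a domain controller) and then checks the logon token.
    public static bool IsMemberByName(WindowsPrincipal principal, string groupName)
        => principal.IsInRole(groupName);

    // Check by SID. No name resolution at all: a purely local test of the token's group list.
    public static bool IsMemberBySid(WindowsPrincipal principal, string sidString)
        => principal.IsInRole(new SecurityIdentifier(sidString));

    // Resolve a name to a SID once, so that repeated checks can use the SID form.
    public static SecurityIdentifier ResolveGroupSid(string groupName)
        => (SecurityIdentifier)new NTAccount(groupName).Translate(typeof(SecurityIdentifier));

    static int Main()
    {
        // This identity is the process's own logon token. Windows built it when the
        // user authenticated (password, smart card, ...); the group SIDs in it cannot
        // be altered by anything the user types into the application.
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        var principal = new WindowsPrincipal(identity);

        Console.WriteLine($"Running as {identity.Name} (SID {identity.User})");

        bool allowed;
        try
        {
            // SID form preferred: no network round trip, no dependence on name resolution.
            allowed = IsMemberBySid(principal, RequiredGroupSid);
        }
        catch (ArgumentException ex)
        {
            // A malformed SID string is a configuration bug; fail closed rather than open.
            Console.Error.WriteLine($"Invalid group SID configured: {ex.Message}");
            return 2;
        }

        if (!allowed)
        {
            // For support staff: show which group SIDs the token actually carries.
            Console.WriteLine("Access denied. Group SIDs present in the logon token:");
            if (identity.Groups != null)
            {
                foreach (IdentityReference g in identity.Groups)
                    Console.WriteLine("  " + g.Value);
            }
            return 1;
        }

        Console.WriteLine("Access granted.");
        return 0;
    }
}
```

Two caveats worth keeping in mind with this approach. The group list in the token is fixed at logon, so a user added to or removed from the group only sees the change after logging on again. And under UAC, an unelevated process's token marks the Administrators group as deny-only, so IsInRole returns false for that group even for an administrator; for an ordinary application group like the placeholder above this does not apply.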