I can't get my Blazor Server app to honour AD Group membership, I can get it to read my User ID so I assume NTLM is working but it doesn't seem to recognise me as being in a group.
I've tried IIS and IIS Express
launchSettings.json
{
"iisSettings": {
"windowsAuthentication": true,
"anonymousAuthentication": false,
"iisExpress": {
"applicationUrl": "http://localhost:58855",
"sslPort": 44394
}
},
"profiles": {
"IIS Express": {
"commandName": "IISExpress",
"launchBrowser": true,
"environmentVariables": {
"ASPNETCORE_ENVIRONMENT": "Development"
}
},
"AppName": {
"commandName": "Project",
"dotnetRunMessages": "true",
"launchBrowser": true,
"applicationUrl": "https://localhost:5001;http://localhost:5000",
"environmentVariables": {
"ASPNETCORE_ENVIRONMENT": "Development"
}
}
}
}
Startup.cs
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
public void ConfigureServices(IServiceCollection services)
{
services.AddRazorPages();
services.AddServerSideBlazor();
services.AddHttpContextAccessor();
services.AddAuthentication(IISDefaults.AuthenticationScheme);
services.AddAuthorization(options =>
{
options.AddPolicy("ADRoleOnly", policy => policy.RequireRole("DOMAIN\\GroupName"));
});
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env, ILoggerFactory loggerFactory)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
//app.UseHsts();
}
//app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapBlazorHub();
endpoints.MapFallbackToPage("/_Host");
});
}
}
Then in one of my Razor pages I have the following, as I said even int he NotAuthorized section my UserName is still displayed
<AuthorizeView Policy="ADRoleOnly">
<Authorized>
@context.User.Identity.Name is authorized.
</Authorized>
<NotAuthorized>
@context.User.Identity.Name is not authorized.
</NotAuthorized>
</AuthorizeView>
<AuthorizeView Roles="DOMAIN\\GroupName">
<Authorized>
@context.User.Identity.Name is authorized.
</Authorized>
<NotAuthorized>
@context.User.Identity.Name is not authorized.
</NotAuthorized>
</AuthorizeView>
Currently I've rolled my own security that just hides all the content at the shared layout page but I don't like it, it's slow and you should never write your own security model if you can help it, a) I won't keep it up to date and b) it's more likely to have a bug in it than anything else.
I would really like to know what I have missed for this to not be working correctly.
Don't I feel stupid now, the group I was trying to Authorize against was only a Distribution Group in AD and not a Secuirty Group. I've used a different group and it's now working fine.