Julian Rodriguez
163 votes
A preview of AspNetWindowsAuthProvider was added in the v4.0.21 release, see:
https://github.com/ServiceStack/ServiceStack/blob/master/release-notes.md#windows-auth-provider-for-aspnet
Hi Demis, I'm a bit late to the party, but I thought I'd post some feedback here.
- I primarily use this to leverage integrated (Kerberos/Negotiate) authentication from Windows. One early thing I needed to do was map a user's AD groups to ServiceStack Roles. Initially, I extended the LoadUserAuthInfo function to do an AD lookup of groups, then dump the list of groups to the user's AuthUserSession.Roles. This, while a common way people do AD authorization outside of Windows, is a bit expensive because of the LDAP lookup for every auth request. The original IIS request does contain the Kerberos ticket (with the AD groups already burned into the ticket), but I couldn't get the request without subclassing AspNetWindowsAuthProvider:
    using System.Collections.Generic;
    using System.Security.Principal;
    using ServiceStack;
    using ServiceStack.Auth;
    using ServiceStack.Web;

    public class CustomWindowsAuthProvider : AspNetWindowsAuthProvider
    {
        public CustomWindowsAuthProvider(IAppHost appHost) : base(appHost)
        {
        }

        public override IHttpResult OnAuthenticated(IServiceBase authService, IAuthSession session, IAuthTokens tokens, Dictionary<string, string> authInfo)
        {
            var request = authService.Request.OriginalRequest as System.Web.HttpRequestWrapper;
            // The identity belongs to the ASP.NET request, so it is read here but not disposed.
            WindowsIdentity userId = request?.LogonUserIdentity;
            List<string> roles = new List<string>();
            if (userId?.Groups != null)
                foreach (var group in userId.Groups)
                {
                    string groupName;
                    try
                    {
                        groupName = new SecurityIdentifier(group.Value).Translate(typeof(NTAccount)).ToString();
                    }
                    catch (IdentityNotMappedException)
                    {
                        continue; // Skip SIDs that cannot be resolved to an account name.
                    }
                    // Remove the domain name from the name of the group, if it has it, and you don't need it.
                    // Note: after stripping, same-named groups from different domains become the same role.
                    if (groupName.Contains("\\"))
                        groupName = groupName.Split('\\')[1];
                    roles.Add(groupName);
                }
            session.Roles = roles;
            return base.OnAuthenticated(authService, session, tokens, authInfo);
        }
    }
It would be nice if something similar to the above was burned into the base AspNetAuthProvider. (I'm not sure if the above works for all scenarios).
- Given the above scenario (IIS with integrated authentication), how does the .NET SSE client authenticate? I didn't see a Credentials property for the SSE client.
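
An added example, not part of the comment above and not ServiceStack code: a variant of the group-to-role step that keeps the domain qualifier and grants only roles listed in an explicit map, so same-named groups from different domains cannot collide. The `GroupRoleMapper` class, the `CONTOSO` domain and the group and role names are constructed placeholders; it runs on Windows only.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

public static class GroupRoleMapper
{
    // Constructed sample map: fully qualified group name -> application role.
    private static readonly Dictionary<string, string> RoleMap =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { @"CONTOSO\App-Admins",  "Admin"  },
            { @"CONTOSO\App-Readers", "Reader" },
        };

    public static List<string> RolesFor(WindowsIdentity identity)
    {
        var roles = new List<string>();
        if (identity == null || identity.Groups == null)
            return roles;

        // Translate the whole collection in one call. With forceSuccess set to
        // false, SIDs that cannot be resolved are copied through untranslated
        // instead of raising IdentityNotMappedException.
        IdentityReferenceCollection translated =
            identity.Groups.Translate(typeof(NTAccount), false);

        foreach (IdentityReference reference in translated)
        {
            var account = reference as NTAccount;
            if (account == null)
                continue; // Still a SID: no name, so no role.

            string role;
            // Match on DOMAIN\Group; groups not in the map grant nothing.
            if (RoleMap.TryGetValue(account.Value, out role) && !roles.Contains(role))
                roles.Add(role);
        }
        return roles;
    }

    public static void Main()
    {
        // The caller owns the identity returned by GetCurrent(), so dispose it.
        using (WindowsIdentity me = WindowsIdentity.GetCurrent())
            Console.WriteLine("Roles: " + string.Join(", ", RolesFor(me)));
    }
}
```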