Julian Rodriguez

My feedback

  1. 10 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Feature Requests  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    Julian Rodriguez supported this idea  · 
  2. 6 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Feature Requests  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    Julian Rodriguez shared this idea  · 
  3. 163 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    8 comments  ·  Feature Requests  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    An error occurred while saving the comment
    Julian Rodriguez commented  · 

    Hi Demis, I'm a bit late to the party, but I thought I'd post some feedback here.

    - I primarily use this to leverage integrated(Kerberos/Negotiate) authentication from Windows. One early thing I needed do to was map a user's AD groups to ServiceStack Roles. Initially, I extended the LoadUserAuthInfo function to do an AD lookup to groups, then dump the list of groups to the user's AuthUserSession.Roles. This, while a common way people do AD authorization outside of Windows, is a bit expensive because of the LDAP lookup for every auth request. The original IIS request does contain the Kerberos ticket (with the AD groups already burned into the ticket), but I couldn't get the request without subclassing AspNetWindowsAuthProvider:

    public class CustomWindowsAuthProvider : AspNetWindowsAuthProvider
    {
    public CustomWindowsAuthProvider(IAppHost appHost) : base(appHost)
    {

    }

    public override IHttpResult OnAuthenticated(IServiceBase authService, IAuthSession session, IAuthTokens tokens, Dictionary<string, string> authInfo)
    {
    var request = authService.Request.OriginalRequest as System.Web.HttpRequestWrapper;

    using (WindowsIdentity userId = request?.LogonUserIdentity)
    {
    List<string> roles = new List<string>();
    if (userId?.Groups != null)
    foreach (var group in userId.Groups)
    {
    // Remove the domain name from the name of the group, if it has it, and you don't need it.
    var groupName = new SecurityIdentifier(group.Value).Translate(typeof(NTAccount)).ToString();
    if (groupName.Contains("\\"))
    groupName = groupName.Split('\\')[1];
    roles.Add(groupName);
    }
    session.Roles = roles;
    }
    return base.OnAuthenticated(authService, session, tokens, authInfo);
    }

    }

    It would be nice if something similar to the above was burned into the base AspNetAuthProvider. (I'm not sure if the above works for all scenarios).

    - Give the above scenario (IIS with integrated authentication), how does the .NET SSE client authenticate? I didn't see a Credentials property for the SSE client.

Feedback and Knowledge Base