6 votes · Julian Rodriguez shared this idea
A preview of AspNetWindowsAuthProvider was added in the v4.0.21 release, see:
https://github.com/ServiceStack/ServiceStack/blob/master/release-notes.md#windows-auth-provider-for-aspnet

Julian Rodriguez commented
Hi Demis, I'm a bit late to the party, but I thought I'd post some feedback here.
- I primarily use this to leverage integrated (Kerberos/Negotiate) authentication from Windows. One early thing I needed to do was map a user's AD groups to ServiceStack Roles. Initially, I extended the LoadUserAuthInfo function to do an AD lookup to groups, then dump the list of groups to the user's AuthUserSession.Roles. This, while a common way people do AD authorization outside of Windows, is a bit expensive because of the LDAP lookup for every auth request. The original IIS request does contain the Kerberos ticket (with the AD groups already burned into the ticket), but I couldn't get the request without subclassing AspNetWindowsAuthProvider:
    // Needs: System.Collections.Generic, System.Security.Principal, ServiceStack, ServiceStack.Auth, ServiceStack.Web
    public class CustomWindowsAuthProvider : AspNetWindowsAuthProvider
    {
        public CustomWindowsAuthProvider(IAppHost appHost) : base(appHost) { }
        public override IHttpResult OnAuthenticated(IServiceBase authService, IAuthSession session, IAuthTokens tokens, Dictionary<string, string> authInfo)
        {
            // The original ASP.NET request carries the Windows identity that IIS authenticated.
            var request = authService.Request.OriginalRequest as System.Web.HttpRequestWrapper;
            using (WindowsIdentity userId = request?.LogonUserIdentity)
            {
                List<string> roles = new List<string>();
                if (userId?.Groups != null)
                {
                    foreach (var group in userId.Groups)
                    {
                        // Remove the domain name from the name of the group, if it has it, and you don't need it.
                        var groupName = new SecurityIdentifier(group.Value).Translate(typeof(NTAccount)).ToString();
                        var parts = groupName.Split('\\');
                        roles.Add(parts[parts.Length - 1]);
                    }
                }
                session.Roles = roles;
            }
            return base.OnAuthenticated(authService, session, tokens, authInfo);
        }
    }
It would be nice if something similar to the above was burned into the base AspNetAuthProvider. (I'm not sure if the above works for all scenarios).
- Given the above scenario (IIS with integrated authentication), how does the .NET SSE client authenticate? I didn't see a Credentials property for the SSE client.
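
An added example, not part of the comment above and not ServiceStack code: a variant of the group-to-role step that maps group SIDs to roles through an explicit allowlist instead of using the stripped group name, so that same-named groups from different domains (or BUILTIN groups) cannot collapse into one role. SidRoleMapper, SidToRole and MapRoles are hypothetical names, and the domain SIDs are constructed sample values.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

public static class SidRoleMapper
{
    // Hypothetical allowlist: group SID -> application role.
    // The S-1-5-21-... values are constructed sample data, not real directory SIDs.
    public static readonly Dictionary<string, string> SidToRole =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "S-1-5-21-1111111111-2222222222-3333333333-1105", "Admin" },
            { "S-1-5-21-1111111111-2222222222-3333333333-1106", "Reports" },
        };

    // Returns only the roles whose group SID is explicitly allowlisted.
    // Groups that are not listed grant nothing, whatever their display name is.
    public static List<string> MapRoles(IEnumerable<IdentityReference> groups)
    {
        var roles = new List<string>();
        if (groups == null) return roles;
        foreach (var group in groups)
        {
            // For the entries of WindowsIdentity.Groups, Value is the SID string,
            // so no SID-to-name translation is needed here.
            if (SidToRole.TryGetValue(group.Value, out var role) && !roles.Contains(role))
                roles.Add(role);
        }
        return roles;
    }

    public static void Main()
    {
        // Constructed token groups: one allowlisted domain group and the
        // well-known BUILTIN\Administrators SID, which is not allowlisted.
        var groups = new List<IdentityReference>
        {
            new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1105"),
            new SecurityIdentifier("S-1-5-32-544"),
        };
        Console.WriteLine(string.Join(",", MapRoles(groups)));
    }
}
```

Inside an OnAuthenticated override like the one above, the loop would become `session.Roles = SidRoleMapper.MapRoles(userId.Groups);`.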