在 Windows 身份验证的 ASP.Net 5 中使用 IIS Express/Kestrel 时，User.IsInRole 始终为 false

Question

I have an ASP.Net 5 application using version 1.0.0-rc1-update1 with Windows Authentication. I've implemented a custom policy in my Startup.cs file:

public void ConfigureServices(IServiceCollection services)
{
    // ... other configuration code

    var viewCharts = new AuthorizationPolicyBuilder()
        .AddRequirements(new ViewChartsRequirement())
        .Build();

    collection.AddAuthorization(opts =>
    {
        opts.AddPolicy(Policy.ViewCharts, viewCharts);
    });

    collection.AddTransient<IAuthorizationHandler, ViewChartsHandler>();

    // ... other configuration code
}

The ViewChartsHandler 's Handle method is as follows:

protected override void Handle(
    AuthorizationContext context,
    T requirement)
{
    var identities = _securityRepo.GetIdentitiesForPolicy(_policy);

    // this returns a result when using a web listener, but
    // never finds a match when using IIS Express
    var matchingIdentity = identities.FirstOrDefault(role => context.User.IsInRole(role));

    if (!string.IsNullOrWhiteSpace(matchingIdentity))
    {
        context.Succeed(requirement);
    }
}

When using a web listener as shown in this answer , the code above works. However, when using IIS Express it never finds a matchingIdentity .

Things to note:

1. My IIS Express is configured to use Windows Authentication, and deny Anonymous Authentication. The bug related to IIS Express and this was fixed in RC1 .
2. The username from Windows is always resolving correctly.
3. In the Handle code above, context.User is an instance of System.Security.Principal.WindowsPrincipal when using a web listener, but when using IIS Express it is a System.Security.Claims.ClaimsPrincipal .
4. I have forwardWindowsAuthToken="true" set in my web.config.

I think this is a role provider problem, but I am at a loss as to how to correct it.

Answer 1

I'm using the following code to successfully check for role membership on RC1, however note that it does not resolve group names (probably due to the problems referred to by @blowdart), I have to supply the group names as SIDs:

// Set up authorisation policies from the configured AD group lists.
// NOTE: Currently this only works with SIDs if hosting using Kestrel 
// behind IIS, not friendly group names.
var viewerGroups = Configuration.GetSection("Groups:Viewer").Value.Split(',');
var adminGroups = Configuration.GetSection("Groups:Admin").Value.Split(',');
services.AddAuthorization(auth =>
{
    auth.AddPolicy("viewer", policy =>
    {
        policy.RequireRole(viewerGroups);
    });
    auth.AddPolicy("admin", policy =>
    {
        policy.RequireRole(adminGroups);
    });
});

I don't know if this will help you, but I thought I'd offer it up in case!

Answer 2

Did you add the IISPlatformHandler middleware?

app.UseIISPlatformHandler();

This needs to be ran before app.UseMvc(), app.UseStaticFiles() or any other authentication middleware.

Answer 3

It turns out that User.IsInRole does not function correctly in RC1. (See @blowdart's comments.) This will be fixed in RC2.

The original code will work so long as the line below returns the SIDs for each AD group , as opposed to the friendly names.

// This line must return SIDs instead of friendly names
var identities = _securityRepo.GetIdentitiesForPolicy(_policy);

Update

This was fixed in RC2. The original code works!