How can I configure IIS to use ClaimsIdentity instead of WindowsIdentity?

Tom Brown 30 Reputation points
2023-05-19T15:33:52.3066667+00:00

I'm using role-based authorization in an ASP.NET Core 6 Razor application. I have created an app registration and assigned roles for the application. I'm using Azure AD to authenticate the user and emit roles according to the security groups to which the user is assigned. The roles returned in the identity token are mapped to policies, and those policies are used to determine access to routes.

My problem: When I run the application on Kestrel, it works as expected. The identity token from Azure AD contains the roles associated with the logged-in user. However, when I run the application locally on IIS Express, or on an IIS staging server, it does not work as expected.

I set up a test to see what the application was getting from HttpContext.User.Identities while running on Kestrel versus IIS Express. I found the following:

• When running on IIS, HttpContext.User.Identities returns: System.Security.Principal.WindowsIdentity

• When running on Kestrel, HttpContext.User.Identities returns: System.Security.Claims.ClaimsIdentity

When running on IIS, HttpContext.User.Identities returns around a hundred lines that look like this:

http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: X-X-X-0

Whereas on Kestrel, I get responses like this:

http://schemas.microsoft.com/ws/2008/06/identity/claims/role: MyCustomRole

(The actual responses contain many more lines - I just posted one line from each server as an example. I also modified the actual values so as not to accidentally disclose sensitive data).

I'm running the following code on my Razor pages to get the above output:

HttpContext.User.Identities.ToList().ForEach(userId => { userIdentity.Add(userId.ToString()); });

It returns different values depending on which server I'm running the code on.

When running on IIS I get the following:

User Identity (Returned from HttpContext.User.Identities): • System.Security.Principal.WindowsIdentity

When running on Kestrel I get this:

User Identity (Returned from HttpContext.User.Identities): • System.Security.Claims.ClaimsIdentity

My understanding is that IIS uses WindowsIdentity by default, and I think this is the root of my issue. I believe it needs to return ClaimsIdentity instead of WindowsIdentity for this to work as expected.

How can I configure IIS to use ClaimsIdentity instead of WindowsIdentity?

Can I configure this in the application? Or does it have to be configured at the server?


3 answers

  1. Bruce (SqlWork.com) 61,491 Reputation points
    2023-05-20T16:03:06.0466667+00:00

    IIS only supports Windows and Kerberos authentication. It does not natively support Azure OAuth. You need to add a custom handler for this, or use the ASP.NET Core middleware support as you do with Kestrel.

    Just configure your app under IIS as you do with Kestrel. Be sure to update the Azure AD reply URLs.

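    The Kestrel-style configuration Bruce's answer refers to, as an added example that is neither the asker's code nor anything posted in the thread. It assumes the Microsoft.Identity.Web packages, an "AzureAd" section in appsettings.json, and that IIS / IIS Express currently has Windows Authentication enabled (the usual reason a WindowsIdentity shows up), so the comments also name the IIS-side settings to change; the "/whoami" endpoint and the policy name are made up for illustration.

```csharp
// Program.cs for the Razor Pages app (added example, not from the thread).
// Assumed: NuGet packages Microsoft.Identity.Web and Microsoft.Identity.Web.UI, and an
// "AzureAd" section in appsettings.json with the app registration's TenantId/ClientId.
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

// IIS side (assumption about the asker's hosting): if Windows Authentication is enabled,
// the ASP.NET Core IIS integration authenticates the request itself and fills
// HttpContext.User with a WindowsIdentity before any of the middleware below runs.
// Turn Windows Authentication off and leave Anonymous Authentication on, e.g. in
// launchSettings.json:  "iisSettings": { "windowsAuthentication": false,
//                                        "anonymousAuthentication": true }
// and on the staging server under IIS Manager > Authentication (or the
// <system.webServer><security><authentication> section of web.config, if unlocked).

var builder = WebApplication.CreateBuilder(args);

// Same middleware under IIS as under Kestrel: OpenID Connect sign-in against Azure AD,
// which yields a ClaimsIdentity carrying the app roles from the ID token.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

// Role-to-policy mapping as the question describes; "MyCustomRole" is the placeholder
// role name shown in the question's Kestrel output.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("RequireMyCustomRole", policy => policy.RequireRole("MyCustomRole"));
});

builder.Services.AddRazorPages()
    .AddMicrosoftIdentityUI(); // adds the /MicrosoftIdentity/Account sign-in/sign-out endpoints

var app = builder.Build();

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();

// Troubleshooting endpoint (assumed name): reports which identity types the hosting layer
// handed the app. Expect ClaimsIdentity once IIS Windows Authentication is off; a
// WindowsIdentity here means IIS authenticated the request before OpenID Connect ran.
app.MapGet("/whoami", (HttpContext ctx) => string.Join(", ",
    ctx.User.Identities.Select(i => $"{i.GetType().Name} auth={i.IsAuthenticated}")));

app.MapRazorPages();
app.MapControllers(); // hosts the Microsoft.Identity.Web.UI account controller

app.Run();
```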

  2. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.


  3. david16s 5 Reputation points
    2023-06-27T05:27:42.7433333+00:00

    Use an authentication framework that supports claims-based authentication.
