Configure AD Groups to use with Roles in .NET Core (C# 8) MVC

Richard Scannell 386 Reputation points
2024-11-20T15:33:49.45+00:00

I am trying to use policy-based authorisation in an MVC app in C# .NET Core (8), using membership of on-prem AD groups to assign roles.

This is a snippet of the appsettings.json telling the system I want to grant the Admin role to members of AD Group1, and so on for the Editors & Readers roles:

    "AppConfig": {
      "Admins": "AD Group1",
      "Editors": "AD Group2",
      "Readers": "AD Group3",
      "DBConnstr2": "myconnstr"
    }

This is a snippet of the Program.cs to actually apply the policy:

    var Admins = builder.Configuration["AppConfig:Admins"];
    var Editors = builder.Configuration["AppConfig:Editors"];
    var Readers = builder.Configuration["AppConfig:Readers"];

    builder.Services.AddAuthorization(options =>
    {
        options.AddPolicy("Admins", policy => policy.RequireRole(Admins));
        options.AddPolicy("Editors", policy => policy.RequireRole(Editors));
        options.AddPolicy("Readers", policy => policy.RequireRole(Readers));
    });

These roles are used in the MVC controllers to apply permissions to each function:

    [Authorize(Policy = "Readers")]
    public async Task<IActionResult> Index(){
    }

The problem is that some of the AD Groups do not get mapped into roles. For example, my user claims list me as a member of AD Group1, 2 & 3, but the roles I have do not include the Editors role (I get the role when I set a different group in AppConfig:Editors). This suggests that something is different about how Group2 is set up.

What is causing this, & what do I need to do to get AD Group 2 behaving in the same way as Groups 1 & 3?

Thanks in advance


1 answer

  1. Richard Scannell 386 Reputation points
    2024-11-21T08:10:00.61+00:00

    Hi Brando Zhang, thank you for the question.

    I mean that when the user is in all 3 AD groups, I'd expect them to have all 3 roles. In this case they do get the Admins role because they are in "AD Group1" & they do get the Readers role because they are in "AD Group3". But they don't get the Editors role, which I also wanted them to have because they were in "AD Group2" as well.

    I have tested this giving different groups to different roles in appsettings.json, and the problem always appears with whichever roles I give to "AD Group 2". So I think the problem is with how "Group 2" is set up.
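
A diagnostic for the symptom described in this thread, as an added example that is not part of the original posts: for each configured group name it reports whether the name resolves to a SID, whether that SID is among the signed-in user's token groups, and what `IsInRole` returns. It assumes Windows Authentication on Windows, so that `User.Identity` is a `WindowsIdentity`; the class name `GroupRoleDiagnostics` and its methods are hypothetical.

```csharp
using System.Collections.Generic;
using System.Runtime.Versioning;
using System.Security.Principal;

[SupportedOSPlatform("windows")]
public static class GroupRoleDiagnostics // hypothetical helper, not from the post
{
    // Usage inside a controller action (assumes Windows Authentication):
    //   var lines = GroupRoleDiagnostics.Explain(
    //       (WindowsIdentity)User.Identity!, Admins, Editors, Readers);
    public static IEnumerable<string> Explain(
        WindowsIdentity identity, params string?[] configuredGroups)
    {
        var principal = new WindowsPrincipal(identity);
        foreach (var name in configuredGroups)
        {
            if (string.IsNullOrWhiteSpace(name))
            {
                // A missing AppConfig key yields null, so the policy can never match.
                yield return "(missing configuration value): no role to match";
                continue;
            }
            yield return Describe(identity, principal, name);
        }
    }

    private static string Describe(
        WindowsIdentity identity, WindowsPrincipal principal, string name)
    {
        SecurityIdentifier sid;
        try
        {
            // Resolve the configured name to a SID, as a name-based role check must.
            sid = (SecurityIdentifier)new NTAccount(name)
                .Translate(typeof(SecurityIdentifier));
        }
        catch (IdentityNotMappedException)
        {
            return $"{name}: name does not resolve to a SID";
        }

        // Groups lists the SIDs carried in the user's access token.
        bool inToken = identity.Groups?.Contains(sid) ?? false;
        return $"{name}: SID={sid.Value}, inTokenGroups={inToken}, " +
               $"IsInRole={principal.IsInRole(name)}";
    }
}
```

Comparing the line for the failing group with the lines for the two working groups shows at which step they diverge: name resolution, token membership, or the role check itself.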
