Robert Pouleijn

Reputation: 509

asp.net core 2.0 windows role based authorization always returns 403

I'm trying to setup up role based authorization based on Windows roles using an asp.net core 2.0 app. This is the configuration:

launchSettings.json:

{
  "iisSettings": {
    "windowsAuthentication": true,
    "anonymousAuthentication": true,
    "iisExpress": {
      "applicationUrl": "http://localhost:9180/",
      "sslPort": 0
    }
  },
  "profiles": {
    "IIS Express": {
      "commandName": "IISExpress",
      "launchBrowser": true,
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      }
    },
    "Bouwfonds.Gems.Onderhoud.Web.UI": {
      "commandName": "Project",
      "launchBrowser": true,
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      },
      "applicationUrl": "http://localhost:9181/"
    }
  }
}

StartUp.cs:

  using Microsoft.AspNetCore.Server.IISIntegration; // provides IISDefaults

  public void ConfigureServices(IServiceCollection services) {
    services.AddMvc();
    services.AddAuthentication(IISDefaults.AuthenticationScheme);
  }

and in the controller:

  // SID of Administrators, obtained with: psgetsid.exe Administrators
  [Authorize(Roles = @"S-1-5-32-544")]
  public class HomeController : Controller

The Windows authentication is working but I always get back a 403. Any ideas?

Upvotes: 0

Views: 1790

Answers (3)

Ramious

Reputation: 375

Here is what I got to work. A lot of it I pieced together using the Microsoft Authorization Workshop example https://github.com/blowdart/AspNetAuthorizationWorkshop. Although I am using policies instead of roles.

Startup.cs

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.Authorization;

public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthorization(options =>
    {
        // Add policies as needed along with authorization classes
        options.AddPolicy("Admin", policy => policy.Requirements.Add(new AdminAuthorization()));
    });

    services.AddMvc(config =>
    {
        // Global filter: every action requires an authenticated user unless [AllowAnonymous] is applied
        var policy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .Build();
        config.Filters.Add(new AuthorizeFilter(policy));
    });

    // Also add the authorization handlers
    services.AddSingleton<IAuthorizationHandler, AdminAuthorization>();

    services.AddAuthentication(Microsoft.AspNetCore.Server.IISIntegration.IISDefaults.AuthenticationScheme);
}

AdminAuthorization.cs

using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// The same class serves as both the requirement and the handler that evaluates it
public class AdminAuthorization : AuthorizationHandler<AdminAuthorization>, IAuthorizationRequirement
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, AdminAuthorization requirement)
    {
        // Matches on claim value only; the same SID may also be present as a deny-only SID claim,
        // which this check does not distinguish from an active group membership
        if (context.User.HasClaim(c => c.Value == @"S-1-5-32-544"))
        {
            context.Succeed(requirement);
        }
        else
        {
            context.Fail();
        }
        return Task.CompletedTask;
    }
}

HomeController.cs

//Add the name of the policy used in the options.AddPolicy in the startup.cs
[Authorize(Policy = "Admin")] 
public class HomeController : Controller
{
    // your controller logic here
}

Upvotes: 2

Robert Pouleijn

Reputation: 509

The local administrators group is added as a denyonlysid(?) claim: "{http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid: S-1-5-32-544}" so I guess that's why that group doesn't work. And obviously when you add yourself to a new local group you have to reboot before you get the claim :P

So it now works with a local group even without the SID but just the group name.

Upvotes: 1
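As an added example that is not part of any answer above: a requirement handler that only accepts a Windows group SID when it is present as an active group claim (ClaimTypes.GroupSid) and not merely as a deny-only SID (ClaimTypes.DenyOnlySid, the claim type seen in the comment above). A deny-only group is in the token solely so that access checks can deny it, for instance Administrators in a UAC-filtered token, so treating it as membership would grant more than Windows itself does. The class names ActiveGroupSidRequirement, ActiveGroupSidHandler and the policy name "LocalAdmins" are assumptions for this example.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// Requirement: the caller must hold this Windows group SID as an active group (assumed name).
public sealed class ActiveGroupSidRequirement : IAuthorizationRequirement
{
    public string Sid { get; }
    public ActiveGroupSidRequirement(string sid) => Sid = sid;
}

// Handler (assumed name): checks claim type as well as claim value.
public sealed class ActiveGroupSidHandler : AuthorizationHandler<ActiveGroupSidRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   ActiveGroupSidRequirement requirement)
    {
        // Windows authentication maps every token group to a claim. Groups that are in the
        // token only for deny purposes arrive as ClaimTypes.DenyOnlySid rather than
        // ClaimTypes.GroupSid, so a value-only comparison would treat them as membership.
        bool activeMember = context.User.HasClaim(c =>
            c.Type == ClaimTypes.GroupSid && c.Value == requirement.Sid);

        bool denyOnly = context.User.HasClaim(c =>
            c.Type == ClaimTypes.DenyOnlySid && c.Value == requirement.Sid);

        if (activeMember && !denyOnly)
        {
            context.Succeed(requirement);
        }
        // Otherwise the requirement stays unmet; Fail() is not called so that other
        // handlers for the same policy can still be evaluated.
        return Task.CompletedTask;
    }
}

// Registration in Startup.ConfigureServices, using the Administrators SID from the question:
//
// services.AddAuthorization(options => options.AddPolicy("LocalAdmins",
//     policy => policy.Requirements.Add(new ActiveGroupSidRequirement("S-1-5-32-544"))));
// services.AddSingleton<IAuthorizationHandler, ActiveGroupSidHandler>();
//
// and on the controller: [Authorize(Policy = "LocalAdmins")]
```

With a UAC-filtered token the handler leaves the requirement unmet and the request gets a 403, which matches what Windows does for that token; run the process elevated (or use a group that is not subject to filtering) to see it succeed.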

gtu

Reputation: 966

A 403 response generally indicates one of two conditions:

  • Authentication was provided, but the authenticated user is not permitted to perform the requested operation.
  • The operation is forbidden to all users. For example, requests for a directory listing return code 403 when directory listing has been disabled.

Are you sure that you are in the given group? First try to authorize a user, not a role:

// Note: the ASP.NET Core AuthorizeAttribute exposes Roles, Policy and AuthenticationSchemes;
// a Users property exists only on the classic ASP.NET MVC attribute.
[Authorize(Users = "Alice, Bob, YourName")]

If this works, then you either are not a member of the group or the group does not exist.

Upvotes: 0
