Stephan

Reputation: 411

AD-Role based Authorization

I am trying to get Active Directory authorization working by using roles. I think I have checked every article so far, but I cannot get it working. Let's say Group1 is the AD group my user is in.

What works is doing the check directly on the controller: [Authorize(Roles = "Group1")]

But now I would like to put this information in the appsettings.json like this:

  "SecuritySettings": {
    "ADGroup": "Group1"
  }

and call the following code in Startup.cs:

services.AddAuthorization(options =>
{
    options.AddPolicy("ADRoleOnly", policy => policy.RequireRole(Configuration["SecuritySettings:ADGroup"]));
});

services.AddMvc(config =>
{
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();

    config.Filters.Add(new AuthorizeFilter(policy));
});

services.AddAuthentication(IISDefaults.AuthenticationScheme);

services.AddControllers();

services.AddControllersWithViews();

and change my controller to this:

[Authorize(Roles = "ADRoleOnly")]

But no matter what I change, I always get a 403 Forbidden. My environment is IIS (with Windows authentication activated) and ASP.NET Core 3 MVC, built with Visual Studio Code.

Any suggestions on what I might be missing? I mean, this is basically the same example we see so often on the internet.

Thanks

Stephan

Upvotes: 0

Views: 123

Answers (1)

poke

Reputation: 388313

[Authorize(Roles = "ADRoleOnly")]

This will look for a role named ADRoleOnly. But what you did was create a policy named ADRoleOnly:

options.AddPolicy("ADRoleOnly", policy =>
    policy.RequireRole(Configuration["SecuritySettings:ADGroup"]));

So in order to check for that policy, you will need to change how you use the [Authorize] attribute:

[Authorize(Policy = "ADRoleOnly")]

Or, since the policy name is the default, you can also just write this:

[Authorize("ADRoleOnly")]

Upvotes: 1
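The distinction in the answer can be reproduced outside IIS with the authorization service alone. This is an added example, not code from the question or the answer; it uses an in-memory stand-in for appsettings.json and a constructed principal carrying a role claim for Group1, and checks the same user once against the named policy and once against a role literally called ADRoleOnly.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

// Added example (not from the original post): shows why [Authorize(Roles = "ADRoleOnly")]
// yields 403 while [Authorize(Policy = "ADRoleOnly")] succeeds for the same user.
class Program
{
    static async Task Main()
    {
        // Constructed in-memory stand-in for the "SecuritySettings" section of appsettings.json.
        var config = new ConfigurationBuilder()
            .AddInMemoryCollection(new Dictionary<string, string>
            {
                ["SecuritySettings:ADGroup"] = "Group1"
            })
            .Build();

        var services = new ServiceCollection();
        services.AddLogging(); // DefaultAuthorizationService needs an ILogger
        services.AddAuthorization(options =>
        {
            // Same registration as in the question: a policy named ADRoleOnly
            // that requires the group name read from configuration as a role.
            options.AddPolicy("ADRoleOnly", policy =>
                policy.RequireRole(config["SecuritySettings:ADGroup"]));
        });
        var authz = services.BuildServiceProvider()
                            .GetRequiredService<IAuthorizationService>();

        // Constructed principal standing in for the Windows user; its only role claim is the AD group.
        var user = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Role, "Group1") }, "Constructed"));

        // What [Authorize(Policy = "ADRoleOnly")] evaluates: the named policy -> RequireRole("Group1").
        var byPolicy = await authz.AuthorizeAsync(user, null, "ADRoleOnly");
        Console.WriteLine($"Policy = ADRoleOnly : {byPolicy.Succeeded}");

        // What [Authorize(Roles = "ADRoleOnly")] evaluates: a role check for a role named ADRoleOnly,
        // which this user does not hold, so the request ends in 403 Forbidden.
        var byRole = await authz.AuthorizeAsync(user, null,
            new AuthorizationPolicyBuilder().RequireRole("ADRoleOnly").Build());
        Console.WriteLine($"Roles = ADRoleOnly  : {byRole.Succeeded}");
    }
}
```

Under IIS Windows authentication the principal is a WindowsPrincipal and IsInRole resolves the configured group name against the token's group SIDs, whereas this stand-in simply carries a role claim; the policy-versus-role mismatch behaves the same either way.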
