bechbd

Reputation: 6341

ASP.NET User not showing all Active Directory Groups

I am trying to use Windows authentication and Active Directory groups to manage the security within an application. The problem I am running into is that in the code-behind of a page I am trying to verify whether a user hitting the ASP.NET website is a member of a specific AD group and then showing/hiding a few items based on that. The issue I am running into is that I cannot seem to get all the groups that the user is a member of in order to test. I have included the code below that I am using to list all the groups the user belongs to. This code does return a number of groups; however, it is not returning all the groups. I have verified in the AD controller that all the groups appear to be set the same. Any ideas what I am doing wrong?

Private Function GetCurrentGroups() As ArrayList
    Dim groups As New ArrayList()
    ' LogonUserIdentity.Groups holds the group SIDs carried in the caller's logon token.
    For Each group As System.Security.Principal.IdentityReference In System.Web.HttpContext.Current.Request.LogonUserIdentity.Groups
        Try
            groups.Add(group.Translate(GetType(System.Security.Principal.NTAccount)).ToString())
        Catch ex As System.Security.Principal.IdentityNotMappedException
            ' A SID that cannot be resolved to an account name (deleted group, or a group
            ' from a domain this server cannot query) would otherwise abort the whole loop;
            ' keep it as the raw SID so the list stays complete.
            groups.Add(group.Value)
        End Try
    Next

    groups.Sort()

    Return groups
End Function

Upvotes: 3

Views: 2274

Answers (2)

Sriwantha Attanayake

Reputation: 7908

Another possibility is this. Assume that the AD group G is in domain A, and the user U in domain B is a member of G (this is possible with universal groups). If A trusts B but NOT vice versa, calling G.GetMembers will return the user. However, calling U.GetGroups will not return the AD group in domain A.

Upvotes: 0

marc_s

Reputation: 754963

You're not doing anything wrong - you're most likely only seeing the direct group memberships of your user.

Any nested membership - User being a member of GroupA which in turn is a member of GroupB - is typically not shown - so in this case, you would see GroupA but not GroupB.

If you really need this information, you'd have to interrogate Active Directory directly (using something like the System.DirectoryServices.AccountManagement namespace - great MSDN article about using it).

The S.DS.AM namespace contains, among other things, a class UserPrincipal representing a user in AD, and this class has a method called .GetAuthorizationGroups() which will return all groups a user is a member of - including nested groups.

Upvotes: 7
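The S.DS.AM approach from the answer above, written out as an added example (this is not code from the question or from either answer). It assumes the site runs under Windows authentication, so Request.LogonUserIdentity is the caller's domain identity, and that the application pool account is allowed to query the domain. The group SID string, the module name AdGroupMembership and the helper names are hypothetical; a real deployment would read the SID from configuration. The GroupsMissingFromToken helper is a diagnostic that compares what GetAuthorizationGroups returns against the logon token the question's code relies on, and the membership check is done on the group's SID rather than its name, since names can be renamed or collide across domains.

```vb
Imports System
Imports System.Collections.Generic
Imports System.DirectoryServices.AccountManagement
Imports System.Security.Principal

' Added example, not the question's or the answerers' code.
Public Module AdGroupMembership

    ' Hypothetical SID of the group that gates the admin-only page items.
    Public Const AdminGroupSid As String = "S-1-5-21-1111111111-2222222222-3333333333-1105"

    ' Resolve the caller's transitive group membership (direct and nested) through
    ' UserPrincipal.GetAuthorizationGroups and return it as SID -> account name.
    Public Function GetTransitiveGroups(caller As WindowsIdentity) As Dictionary(Of String, String)
        Dim result As New Dictionary(Of String, String)(StringComparer.OrdinalIgnoreCase)
        Using ctx As New PrincipalContext(ContextType.Domain)
            ' Look the user up by SID, which is unambiguous; a sAMAccountName lookup
            ' would depend on the domain the context happens to bind to.
            Using user As UserPrincipal = UserPrincipal.FindByIdentity(ctx, IdentityType.Sid, caller.User.Value)
                If user Is Nothing Then Return result
                Using groups As PrincipalSearchResult(Of Principal) = user.GetAuthorizationGroups()
                    ' Enumerate by hand: MoveNext can throw PrincipalOperationException for a
                    ' group the server cannot resolve (e.g. one in a domain it does not trust),
                    ' and For Each would abort the whole listing at that point.
                    Dim e As IEnumerator(Of Principal) = groups.GetEnumerator()
                    While True
                        Dim moved As Boolean
                        Try
                            moved = e.MoveNext()
                        Catch ex As PrincipalOperationException
                            Continue While ' skip the unresolvable entry, keep listing
                        End Try
                        If Not moved Then Exit While
                        Dim g As Principal = e.Current
                        If g.Sid Is Nothing Then Continue While
                        ' Fall back to the SID when no account name is available so the
                        ' entry still takes part in SID-based authorization checks.
                        result(g.Sid.Value) = If(g.SamAccountName, g.Sid.Value)
                    End While
                End Using
            End Using
        End Using
        Return result
    End Function

    ' Authorize on the group's SID, never on a display name.
    Public Function IsMemberBySid(caller As WindowsIdentity, groupSid As String) As Boolean
        Return GetTransitiveGroups(caller).ContainsKey(groupSid)
    End Function

    ' Diagnostic for the question's symptom: groups AD reports for the user that
    ' are absent from the logon token, i.e. the ones LogonUserIdentity.Groups misses.
    Public Function GroupsMissingFromToken(caller As WindowsIdentity) As List(Of String)
        Dim missing As New List(Of String)()
        For Each kv As KeyValuePair(Of String, String) In GetTransitiveGroups(caller)
            If Not caller.Groups.Contains(New SecurityIdentifier(kv.Key)) Then
                missing.Add(kv.Value)
            End If
        Next
        missing.Sort()
        Return missing
    End Function

    ' Usage from a page's Page_Load (hypothetical control name adminPanel):
    '   adminPanel.Visible = AdGroupMembership.IsMemberBySid(Request.LogonUserIdentity, AdGroupMembership.AdminGroupSid)

End Module
```

GetAuthorizationGroups makes a domain round-trip per call, so in a real page the result should be cached per session rather than recomputed for every control; and because the check resolves membership from AD rather than from the token, it will also reflect group changes made after the user logged on.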
