Tuesday, June 2, 2015

Active Directory Authentication in ASP.NET MVC 5 with Forms Authentication and Group-Based Authorization

I know that blog post title is sure a mouth-full, but it describes the whole problem I was trying to solve in a recent project.

The Project

Let me outline the project briefly.  We were building a report dashboard-type site that will live inside the client’s network.  The dashboard gives an overview of various, very important information that relates to how the company is performing on a hourly basis.  So, the dashboard is only available to a certain group of directors.
To limit the solution to the these directors, authentication and authorization would go through their existing Active Directory setup by putting the authorized users in a special AD group.

The Problem

Getting authentication to work was a snap.  Microsoft provides theSystem.Web.Security.ActiveDirectoryMembershipProvider
class to use as your membership provider.  Putting an [Authorize] attribute on my action methods or entire controllers was all I needed to get it working (besides, of course, the system.web/authentication web.config updates and a controller to show my login form and handle the submit credentials).
Here’s my relevant web.config setup:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<connectionStrings>
  <add name="ADConnectionString" connectionString="" />
</connectionStrings>
...
<authentication mode="Forms">
  <forms name=".AuthCookie" loginUrl="~/login"/>
</authentication>
<membership defaultProvider="ADMembershipProvider">
  <providers>
    <clear/>
    <add name="ADMembershipProvider"
         type="System.Web.Security.ActiveDirectoryMembershipProvider"
         connectionStringName="ADConnectionString"
         attributeMapUsername="sAMAccountName"/>
  </providers>
</membership>
The tough part came when I wanted to limit access to users in that AD group. Microsoft doesn’t provide a RoleProvider along with its ActiveDirectoryMembershipProvider. So, what to do?
I tried several methods I found online. Most of them were based on creating my own customRoleProvider and querying AD to iterate through the user’s groups (treating them like roles) and seeing if one of them matched my AD group I was looking for. However, I could never get it to work. Each code example I found eventually gave me this AD error when I iterated through the current user’s AD groups:
1
The specified directory service attribute or value does not exist.

The Solution

Eventually, I found a solution online that worked. Instead of setting up a custom RoleProvider, all it involved was creating a custom AuthorizeAttribute for your MVC controllers (or action methods) that checked the user’s .IsMemberOf method to see if the member belonged the sought after group (or groups). I don’t know why this method does not cause the same AD error as describe above, but I’m glad it doesn’t! All I can assume is that it queries AD in a more friendly way.
Here is my custom AuthorizeAttribute:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
public class AuthorizeADAttribute : AuthorizeAttribute
{
    private bool _authenticated;
    private bool _authorized;
 
    public string Groups { get; set; }
 
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        base.HandleUnauthorizedRequest(filterContext);
 
        if (_authenticated && !_authorized)
        {
            filterContext.Result = new RedirectResult("/error/notauthorized");
        }
    }
 
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        _authenticated = base.AuthorizeCore(httpContext);
 
        if (_authenticated)
        {
            if (string.IsNullOrEmpty(Groups))
            {
                _authorized = true;
                return _authorized;
            }
 
            var groups = Groups.Split(',');
            string username = httpContext.User.Identity.Name;
 
            try
            {
                _authorized = LDAPHelper.UserIsMemberOfGroups(username, groups);
                return _authorized;
            }
            catch (Exception ex)
            {
                this.Log().Error(() => "Error attempting to authorize user", ex);
                _authorized = false;
                return _authorized;
            }
        }
 
        _authorized = false;
        return _authorized;
    }
}
Notice that I also included a little code to distinguish between the user not being authenticated (which the call to base.AuthorizeCore takes care of) and not being authorized. Without the code inHandleUnauthorizedRequest, if the user successfully logs in but is not in the AD group, he just sees the log in screen again which doesn’t communicate the problem very well.
The this.Log() code uses a Nuget packaged called this.Log. The LDAPHelper class is something I wrote. The code is below:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
public static class LDAPHelper
{
    public static string GetLDAPContainer()
    {
        Uri ldapUri;
        ParseLDAPConnectionString(out ldapUri);
 
        return HttpUtility.UrlDecode(ldapUri.PathAndQuery.TrimStart('/'));
    }
 
    public static string GetLDAPHost()
    {
        Uri ldapUri;
        ParseLDAPConnectionString(out ldapUri);
 
        return ldapUri.Host;
    }
 
    public static bool ParseLDAPConnectionString(out Uri ldapUri)
    {
        string connString = ConfigurationManager.ConnectionStrings["ADConnectionString"].ConnectionString;
 
        return Uri.TryCreate(connString, UriKind.Absolute, out ldapUri);
    }
 
    public static bool UserIsMemberOfGroups(string username, string[] groups)
    {
        /* Return true immediately if the authorization is not
        locked down to any particular AD group */
        if (groups == null || groups.Length == 0)
        {
            return true;
        }
 
        // Verify that the user is in the given AD group (if any)
        using (var context = BuildPrincipalContext())
        {
            var userPrincipal = UserPrincipal.FindByIdentity(context,
                                                 IdentityType.SamAccountName,
                                                 username);
 
            foreach (var group in groups)
            {
                if (userPrincipal.IsMemberOf(context, IdentityType.Name, group))
                {
                    return true;
                }
            }
        }
 
        return false;
    }
 
    public static PrincipalContext BuildPrincipalContext()
    {
        string container = LDAPHelper.GetLDAPContainer();
        return new PrincipalContext(ContextType.Domain, null, container);
    }
}
My code is mostly based on example code I found on a very helpful StackOverflow post:http://stackoverflow.com/questions/4342271/asp-net-mvc-forms-authorization-with-active-directory-groups/4383502#4383502.
To use this code, all you have to do is use your custom AuthorizeAttribute instead of the built-in one. Something like this:
1
2
3
4
5
[AuthorizeAD(Groups="Some AD group name")]
public class HomeController : Controller
{
...
}