From 509608b8bfda9a7e56c18c9e45291491f2e5b8aa Mon Sep 17 00:00:00 2001
From: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com>
Date: Fri, 22 Jan 2021 09:53:05 +1000
Subject: [PATCH] Fix RBAC code (#21234)
* Fix RBAC code
* Fix RBAC code
* Fix RBAC code
* Fix RBAC code
* Fix RBAC code
* Fix RBAC code
* Fix RBAC code
---
.../security/authentication/windowsauth.md | 21 ++---
.../StartupNegotiateDefaults.cs | 81 +++++++++++++++++++
2 files changed, 87 insertions(+), 15 deletions(-)
create mode 100644 aspnetcore/security/authentication/windowsauth/sample_snapshot/StartupNegotiateDefaults.cs
diff --git a/aspnetcore/security/authentication/windowsauth.md b/aspnetcore/security/authentication/windowsauth.md
index 0ae2329646..cc3fc2c043 100644
--- a/aspnetcore/security/authentication/windowsauth.md
+++ b/aspnetcore/security/authentication/windowsauth.md
@@ -5,13 +5,13 @@ description: Learn how to configure Windows Authentication in ASP.NET Core for I
monikerRange: '>= aspnetcore-2.1'
ms.author: riande
ms.custom: "mvc, seodec18"
-ms.date: 02/26/2020
+ms.date: 1/15/2021
no-loc: [appsettings.json, "ASP.NET Core Identity", cookie, Cookie, Blazor, "Blazor Server", "Blazor WebAssembly", "Identity", "Let's Encrypt", Razor, SignalR]
uid: security/authentication/windowsauth
---
# Configure Windows Authentication in ASP.NET Core
-By [Scott Addie](https://twitter.com/Scott_Addie)
+By [Scott Addie](https://twitter.com/Scott_Addie) and [Rick Anderson](https://twitter.com/RickAndMSFT)
::: moniker range=">= aspnetcore-3.0"
@@ -188,25 +188,16 @@ services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
});
```
-Some configurations may require specific credentials to query the LDAP domain. The credentials can be specified in the options:
+Some configurations may require specific credentials to query the LDAP domain. The credentials can be specified in the following highlighted options:
-```csharp
-services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
- .AddNegotiate(options =>
- {
- if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
- {
- options.EnableLdap("contoso.com");
- options.MachineAccountName = "machineName";
- options.MachineAccountPassword = "PassW0rd";
- }
- });
-```
+[!code-csharp[](windowsauth/sample_snapshot/StartupNegotiateDefaults.cs?name=snippet&highlight=15-20)]
By default, the negotiate authentication handler resolves nested domains. In a large or complicated LDAP environment, resolving nested domains may result in a slow lookup or a lot of memory being used for each user. Nested domain resolution can be disabled using the `IgnoreNestedGroups` option.
Anonymous requests are allowed. Use [ASP.NET Core Authorization](xref:security/authorization/introduction) to challenge anonymous requests for authentication.
+ requires the NuGet package [Microsoft.AspNetCore.Authentication.Negotiate](https://www.nuget.org/packages/Microsoft.AspNetCore.Authentication.Negotiate).
+ ### Windows environment configuration
The [Microsoft.AspNetCore.Authentication.Negotiate](https://www.nuget.org/packages/Microsoft.AspNetCore.Authentication.Negotiate) component performs [User Mode](/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode) authentication. Service Principal Names (SPNs) must be added to the user account running the service, not the machine account. Execute `setspn -S HTTP/myservername.mydomain.com myuser` in an administrative command shell.
diff --git a/aspnetcore/security/authentication/windowsauth/sample_snapshot/StartupNegotiateDefaults.cs b/aspnetcore/security/authentication/windowsauth/sample_snapshot/StartupNegotiateDefaults.cs
new file mode 100644
index 0000000000..cd9d3b0b30
--- /dev/null
+++ b/aspnetcore/security/authentication/windowsauth/sample_snapshot/StartupNegotiateDefaults.cs
@@ -0,0 +1,81 @@
+using Microsoft.AspNetCore.Authentication.Negotiate;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
+using System.Runtime.InteropServices;
+using WebAppRP5.Data;
+
+namespace WebAppRP5
+ {
+ public class Startup
+ {
+ public Startup(IConfiguration configuration)
+ {
+ Configuration = configuration;
+ }
+
+ public IConfiguration Configuration { get; }
+
+ #region snippet
+ public void ConfigureServices(IServiceCollection services)
+ {
+ services.AddDbContext(options =>
+ options.UseSqlServer(
+ Configuration.GetConnectionString("DefaultConnection")));
+ services.AddDatabaseDeveloperPageExceptionFilter();
+ services.AddDefaultIdentity(options => options.SignIn.RequireConfirmedAccount = true)
+ .AddEntityFrameworkStores();
+
+ services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
+ .AddNegotiate(options =>
+ {
+ if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
+ {
+ options.EnableLdap(settings =>
+ {
+ settings.Domain = "contoso.com";
+ settings.MachineAccountName = "machineName";
+ settings.MachineAccountPassword = Configuration["Password"]
+ });
+ }
+ });
+
+ services.AddRazorPages();
+ }
+ #endregion
+
+ #region snippet2
+ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
+ {
+ if (env.IsDevelopment())
+ {
+ app.UseDeveloperExceptionPage();
+ app.UseMigrationsEndPoint();
+ }
+ else
+ {
+ app.UseExceptionHandler("/Error");
+ // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
+ app.UseHsts();
+ }
+
+ app.UseHttpsRedirection();
+ app.UseStaticFiles();
+
+ app.UseRouting();
+
+ app.UseAuthentication();
+ app.UseAuthorization();
+
+ app.UseEndpoints(endpoints =>
+ {
+ endpoints.MapRazorPages();
+ });
+ }
+ #endregion
+ }
+}
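Review bot: The assignment `settings.MachineAccountPassword = Configuration["Password"]` inside the EnableLdap callback in ConfigureServices is missing its terminating semicolon, so the new sample (and the snippet the article now includes) does not compile; it should read `settings.MachineAccountPassword = Configuration["Password"];`. Replacing the literal `"PassW0rd"` with a configuration lookup is the right direction, but the snippet says nothing about where `"Password"` should come from, and a reader following the article is likely to put the LDAP machine-account password into appsettings.json; a comment on that line such as `// Supply "Password" via Secret Manager, an environment variable or a key vault; never commit it to appsettings.json.` would close that gap. Note also that `Configuration["Password"]` yields null when the key is absent, so a misconfigured deployment silently configures the LDAP bind with no password; if the handler does not reject that itself, a guard such as `?? throw new InvalidOperationException("LDAP machine-account password is not configured.")` makes the failure explicit at startup. The type arguments on `AddDbContext`, `AddDefaultIdentity` and `AddEntityFrameworkStores` appear to be missing in this rendering of the hunk; if the committed file really lacks them it will not compile either, though that is more likely an artifact of how the page was captured.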