Windows Authentication - ((ClaimsPrincipal)User).IsInRole

[roysurles]

Describe the bug

User.IsInRole works with ActiveDirectory Group Names on local development machine, but does not work with ActiveDirectory Group Names after deploying to onpremise windows IIS server. However, ActiveDirectory Group Sid does work on onpremise windows IIS server.

To Reproduce

Asp.Net Core 3.1 Blazor Server
WindowsAuthentication: true
AnonymousAuthentication: false
var authenticationState = await AuthenticationStateProvider.GetAuthenticationStateAsync()
var b = authenticationState.User.IsInRole("MyAdGroupName")
b is true on local development machine, but false on windows IIS server

Further technical details

• ASP.NET Core version
  3.1
• Include the output of dotnet --info
  Onpremise Windows Server
  PS C:\Users\rsurles> dotnet --info
  .NET Core SDK (reflecting any global.json):
  Version: 3.1.100
  Commit: cd82f021f4

Runtime Environment:
OS Name: Windows
OS Version: 6.3.9600
OS Platform: Windows
RID: win81-x64
Base Path: C:\Program Files\dotnet\sdk\3.1.100\

Host (useful for support):
Version: 3.1.0
Commit: 65f04fb6db

.NET Core SDKs installed:
2.1.500 [C:\Program Files\dotnet\sdk]
3.1.100 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:
Microsoft.AspNetCore.All 2.1.6 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
Microsoft.AspNetCore.App 2.1.6 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 3.0.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 3.1.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 2.1.6 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 3.0.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.WindowsDesktop.App 3.1.0 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

To install additional .NET Core runtimes or SDKs:
https://aka.ms/dotnet-download
PS C:\Users\rsurles>

• The IDE (VS / VS Code/ VS4Mac) you're running on, and it's version

[blowdart]

Is the IIS server domain joined? Is the app pool running as a domain joined user? Can the server see an AD controller? Do you mutate the identity in any way?

[roysurles]

Is the IIS server domain joined? Is the app pool running as a domain joined user? Can the server see an AD controller? Do you mutate the identity in any way?

[roysurles]

Is the IIS server domain joined? YES; Is the app pool running as a domain joined user? YES; Can the server see an AD controller? YES; Do you mutate the identity in any way? NO We are running other full .net framework 4.7.2 WebForms and MVC that work well with User.IsInRole("AdGroupName").

[blowdart]

Strange. Does a simple .NET Core MVC app also work?

[roysurles]

No. Created new .net core 3.1 mvc web app and it works on my local development machine. deployed it to our onpremise iis web server and it does NOT work either: Context.User.IsInRole("MyAdGroup")

Correction: Asp.Net Core MVC DOES work. We RDP into servers with alternate accounts for security purposes and I had run the MVC app within the RDP session so it was checking my alternate account. When I run web app on the server in a browser on my local machine it works, So this dies appear to be isolated to Blazor... sorry for the confusion.

[Tratcher]

How is Windows Auth configured on the IIS site?

Is the user correctly identified? (E.g. Name?)

[roysurles]

Anonymous Authentication = Disabled
Windows Authentication = Enabled



Yes, the user is correctly identified.

[Tratcher]

Correction: Asp.Net Core MVC DOES work. We RDP into servers with alternate accounts for security purposes and I had run the MVC app within the RDP session so it was checking my alternate account. When I run web app on the server in a browser on my local machine it works, So this dies appear to be isolated to Blazor... sorry for the confusion.

@mkArtakMSFT looks like this is back in your court. How is Blazor capturing the user?

[roysurles]

@code {
[CascadingParameter] Task AuthenticationStateTask { get; set; }

protected ClaimsPrincipal User { get; set; }

protected override async Task OnInitializedAsync()
{
    User = (await AuthenticationStateTask.ConfigureAwait(false)).User;
}

}