My application uses basic authentication and runs under an application pool (Integrated, Network Service).
The Web.config file has a list of domain groups defined (office\admin, office\sales) which have access to some file resources.
How do I check whether the user belongs to those groups and decide if he can read those resources?

If you look at my code below, the line

var userGroups = context.Request.LogonUserIdentity.Groups;

returns {s-#-##-###} kind of groups,

and the line below

hasPermission = userGroups.Contains(account.Translate(typeof(SecurityIdentifier)));//throws exception


An exception of type 'System.Security.Principal.IdentityNotMappedException' occurred in mscorlib.dll but was not handled in user code

Additional information: Some or all identity references could not be translated.


What I have tried:

public void ProcessRequest(HttpContext context)
      {
          //Get a collection of Groups the user belongs to
          var userGroups = context.Request.LogonUserIdentity.Groups;

          // Serve the file only when the user is in at least one authorized group
          if (userGroups.Count > 0 && HasPermision(userGroups))
          {
              string urlRequested = context.Request.RawUrl.ToLower();
              string fileName = Path.GetFileName(urlRequested);
              string fileServer = collection["FileServer"];
              var filePath = (fileServer + urlRequested.Replace("/", "\\"));
              var fileExtension = urlRequested.Substring(urlRequested.LastIndexOf(".", System.StringComparison.Ordinal) + 1);

              try
              {
                  context.Response.Write("do some works...");
              }
              catch (Exception)
              {
                  // Rethrow without losing the original stack trace
                  throw;
              }
          }
          else
          {
              // No groups, or not a member of any authorized group: deny
              context.Response.StatusCode = 403;
              context.Response.Flush();
          }
      }

      public bool HasPermision(IdentityReferenceCollection userGroups)
      {
          bool hasPermission = false;

          //The security group you want to check the user belongs to
          NTAccount account;

          // get authorized groups from config files
          string[] authorizedGroups = collection["AuthorizedGroups"].Replace(" ", "").ToUpper().Split(',');

          foreach (var group in authorizedGroups)
          {
              account = new NTAccount(group);

              // Check if user is in the groups
              hasPermission = userGroups.Contains(account.Translate(typeof(SecurityIdentifier)));//throws exception
              if (hasPermission)
                  return hasPermission;
          }
          return hasPermission;
      }
Updated 20-Dec-17 10:43am

1 solution

Get the page user; the code below works fine for me:
C#
System.Security.Principal.WindowsPrincipal pageUser = User as System.Security.Principal.WindowsPrincipal;


Check if the User is in a specific security group;
C#
if(pageUser.IsInRole(@"Domain\Security Group Name"))
{
    // User is in the security group
}
else
{
    // user is not in the security group
}

Works for Domain or Local Machine accounts

Kind Regards
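
An added example, not code from the question or the answer: a fail-closed form of the SID comparison from the question, in which a configured name that cannot be resolved is logged and skipped instead of surfacing as an unhandled IdentityNotMappedException, and names are trimmed rather than stripped of all spaces. GroupAuthorization, ResolveGroups, IsAuthorized and logUnresolved are hypothetical names; Windows and the .NET Framework are assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

public static class GroupAuthorization   // hypothetical helper, not from the page
{
    // Resolve configured "DOMAIN\Group" names to SIDs once (e.g. at startup).
    // A name that cannot be resolved is reported and skipped, so a typo in
    // configuration removes access instead of crashing the request.
    public static HashSet<SecurityIdentifier> ResolveGroups(
        string csv, Action<string> logUnresolved)
    {
        var sids = new HashSet<SecurityIdentifier>();
        foreach (var raw in csv.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries))
        {
            // Trim only the ends: group names may legitimately contain spaces.
            string name = raw.Trim();
            try
            {
                sids.Add((SecurityIdentifier)new NTAccount(name)
                    .Translate(typeof(SecurityIdentifier)));
            }
            catch (IdentityNotMappedException)
            {
                logUnresolved(name);
            }
        }
        return sids;
    }

    // Fail closed: no identity, no groups, or no match all mean "deny".
    public static bool IsAuthorized(WindowsIdentity user,
        ICollection<SecurityIdentifier> allowed)
    {
        if (user == null || !user.IsAuthenticated || user.Groups == null)
            return false;
        foreach (IdentityReference g in user.Groups)
        {
            var sid = g as SecurityIdentifier;
            if (sid != null && allowed.Contains(sid))
                return true;
        }
        return false;
    }
}
```

In the handler, pass context.Request.LogonUserIdentity to IsAuthorized and return 403 whenever it yields false; an empty resolved set then denies everyone, which makes a broken group list visible in the log rather than in an exception page.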
 
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)