Radzen - Security - Windows

Hello,
I am trying to get Windows authentication to work, but my domain user is not evaluated correctly.
Do you know what to do?

You can try debugging the code in the ClaimsTransformation.cs file. It reads the groups which the current user belongs to. You can also try giving access only to michalcoblasa (without DS\).

Hello,
I tried a lot of combinations.
Where could I find the ClaimsTransformation.cs file?
Thank you

I just saw that you are using Angular so there is no ClaimsTransformation.cs file. You should check the AccountController.cs file (its Login method). It should be in the server/Controllers directory of your Radzen application. The following code reads the groups which the current user belongs to:

var groups = identity.Groups.Translate(typeof(NTAccount));

foreach (var group in groups)
{
   subject.AddClaim(new Claim(ClaimTypes.Role, group.Value.Split("\\").Last()));
   subject.AddClaim(new Claim(ClaimTypes.Role, group.Value));
}

Thank you.
I did the debug check of the AccountController.cs and the user name looks like "DS\michalkoblasa".
When I tried to use it for access restriction:
[Screenshot 2022-03-24 082854]

It was recognized as unauthorized.
Should the permission work with the user group, or also through the user name?

Sorry, formatting removed two slashes in the user name; it is: DS\\michalkoblasa

Security currently checks the groups only (available as roles and checked via the isInRole method in security.service.ts). It does not check for user name. Here is what the complete implementation looks like:

  canActivate(roles: string[], state: RouterStateSnapshot) {
    if (this.isAuthenticated()) {
      if (this.isInRole(roles)) {
        return true;
      } else {
        this.router.navigateByUrl('/unauthorized');
      }
    } else {
      return this.login().toPromise().then(() => {
        return this.isInRole(roles);
      });
    }
  }

You can probably modify this code by adding security.service.ts to Radzen's code generation ignore list so it checks for user name too. The latter is available as this.user.name in the SecurityService class.

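One way to write the user-name check suggested in the last reply, as an added example (not Radzen's generated code): a pure function the guard could call where it now calls isInRole. The AppUser shape and the names isAuthorized, normalize and shortName are hypothetical, and the sample user is constructed.

```typescript
// Added example; names and shapes here are assumptions, not Radzen's API.
interface AppUser {
  name: string;    // e.g. "DS\michalkoblasa", as seen when debugging AccountController
  roles: string[]; // role claims; the server adds both "DS\Group" and "Group"
}

// Windows account names are case-insensitive. Also collapse a doubled
// backslash, which appears when an entry was typed in escaped form.
function normalize(account: string): string {
  return account.trim().replace(/\\{2,}/g, '\\').toLowerCase();
}

// Drop the "DOMAIN\" prefix, mirroring Split("\\").Last() on the server.
function shortName(account: string): string {
  const parts = normalize(account).split('\\');
  return parts[parts.length - 1];
}

// True when any allowed entry matches one of the user's roles or the user name.
function isAuthorized(user: AppUser | null, allowed: string[]): boolean {
  if (!user || allowed.length === 0) {
    return false; // fail closed: no user or no allow-list means no access
  }
  const roles = user.roles.map(normalize);
  const fullName = normalize(user.name);
  return allowed.map(normalize).some(entry => {
    if (entry === '') {
      return false;
    }
    if (roles.indexOf(entry) !== -1) {
      return true;
    }
    // A domain-qualified entry must match the full account name. An
    // unqualified entry matches that user name in any domain.
    return entry.indexOf('\\') !== -1
      ? entry === fullName
      : entry === shortName(fullName);
  });
}

// Constructed sample user for illustration.
const sampleUser: AppUser = {
  name: 'DS\\michalkoblasa',
  roles: ['DS\\Domain Users', 'Domain Users'],
};
```

Like the original guard, this only decides client-side routing; the server endpoints still need their own authorization.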