Map asp.net core 2.0 Identity to existing DB schema

[Misanthrop87]

I have built a small web application with asp.net core 2.0 MVC. In this web application, I did not implement any authentication methods so far.

Right now I have an MSSQL database running in the background and I can add/view/edit/delete users from the database. I adapted the following tutorial: https://www.c-sharpcorner.com/article/crud-operation-with-asp-net-core-mvc-web-app-using-ado-net/ and followed it pretty closely. However I also added some functionality like localization and stuff, and everything is running pretty smoothly.

My next goal is to enable authentication and authorization. The authentication part shall be straightforward. The goal is that the application will be running as an intranet solution. This means the authentication method just shall check if the Windows User is existing in the previously mentioned database. I don't want to create a separate login. However, it might be that there is a Windows user in the active directory, which is not part of the database. This User should just be able to see a default error page.

I made quite a huge research and I also tried a lot of different stuff, however, I do absolutely not find any "database first" tutorial for this part or any other documentation which explains what to do.

I actually "just" want to teach the asp.net core 2.0 identity framework that it shall look into my user-table and check if the current windows user is existent and if not to forward him to the error page. A second step would be to load all the roles which this user is assigned to from the mapping table.

Any kind of help would be highly appreciated.

[blowdart]

You don't need ASP.NET Identity for this. You could just use the cookie auth pieces directly if all you want is authn, this is probably easier for the scenario you describe.

[datobu]

I just implemented a check if the AD username is in my user table in a middle ware and it seems to work pretty well. Tomorrow I will have a look on how to read the roles of the user out of the database... I guess I do need Identity for that, don't I?

Oh interesting I used another Useraccount at work, didn't know I have two. Sorry for that (I am Misanthrop87)

[blowdart]

Oh I see, you're enhancing AD. So ... if that's the case, why not use AD for the roles? That's what it's there for. Generally IT departments end up getting really upset when an app rolls its own roles (no pun intended) because that moves away from the whole point of having a centrally managed user infrastructure.

[Misanthrop87]

I tend to agree, however there exist 2 reasons which I don't really know how to argument against: -This intranet will include a ton of different IT-Systems which consist of different modules and I guess hundreds of different roles will therefore exist. The IT team so far says this will be a lot of AD-groups and they don't like it. -As we are a bigger firm, I am not sure whether our internal IT-department has the necessary rights to manage the AD-groups. And to avoid a lot of over-administration the current plan is to have the user & role management in a seperate db.

But I will talk to the project-team again and suggest that we go for the AD-groups solution because I think the advantages heavily outweigh those arguments. Is there a tutorial for having windows authentication and load the groups from the AD and use them as roles?

[Misanthrop87]

I just found out that it works out of the box, when windows authentication is activated it takes the AD groups and imports them as roles... Unbelievable! But this should be written somewhere more obviously, as I was searching several hours on the internet, not noticing that it was already working...

[blowdart]

Oh! @Rick-Anderson doc suggestion for you :)

[blowdart]

If you want your own local database, I'd stick with no identity and integrated auth, then use DI to inject your role provider into the policy handlers. You would avoid a bunch of overhead from identity you don't honestly need.

[blowdart]

We're closing this issue as no response or updates have been provided in a timely manner. If you have more details and are encountering this issue please add a new reply and re-open the issue.