dotnet / AspNetCore.Docs

Documentation for ASP.NET Core
https://docs.microsoft.com/aspnet/core
Creative Commons Attribution 4.0 International

Windows Auth Documentation Missing Data on Generated Identity #23608

Open iUnknwn opened 3 years ago

iUnknwn commented 3 years ago

The Windows Authentication documentation does not provide any information on how to access/use data from a user that was authenticated by Windows - there is no information about what identity/claims/roles are populated by default.

For example, if we wanted to allow members of a Windows group to access a controller, one user on StackOverflow claimed it should be possible to do:

```csharp
[Authorize(Roles = "NAME OF ACTIVE DIRECTORY GROUP")]
```

But this isn't documented - there's no information in the docs that a Windows user's groups are transferred to roles (another user answering that SO question wrote a custom middleware to map user identities to AD groups). Similarly, there's no information if the user's own identity is a valid role. For example, it's unclear if this is legal:

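```csharp
// Verbatim string: "\U" in a regular C# string literal is an invalid escape sequence.
[Authorize(Roles = @"DOMAIN\USER")]
```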

It would be great if the documentation could be expanded to provide more details on using the authenticated user's identity.



Rick-Anderson commented 2 years ago

Thank you for contacting us. Due to a lack of activity on this discussion issue we're closing it in an effort to keep our backlog manageable. If you believe there is a concern which hasn't been addressed, please file a new issue.

iUnknwn commented 2 years ago

Please re-open - this still appears to be not covered in the documentation. @Rick-Anderson

iUnknwn commented 2 years ago

@Rick-Anderson - can you share the commit where this was fixed? Looking at the history for windowsauth.md I don't see any updates.