Accessing user details using Active Directory in an ASP.NET Core MVC app with Windows authentication


I was trying to access user information like the first name and last name of the user in my ASP.NET Core MVC project with Windows authentication. I actually made it work after searching for a solution on the web, but I am quite new to this stuff and a beginner-level programmer, so I don't understand what is happening in the part that I just copy-pasted into my project.

I couldn't find any explanation on that website either. I would be really happy if someone could explain this to me. Many thanks in advance.

The website reference for this code: https://sensibledev.com/how-to-get-user-details-from-active-directory/

Home controller:

using System.DirectoryServices.AccountManagement; // provides PrincipalContext and UserPrincipal

// Username of the Windows-authenticated caller, e.g. "yourdomain\jsmith"
var username = User.Identity.Name;

using (var context = new PrincipalContext(ContextType.Domain, "yourdomain"))
{
    // Look the account up in Active Directory by that username
    var user = UserPrincipal.FindByIdentity(context, username);

    if (user != null)
    {
        ViewData["UserName"] = user.Name;
        ViewData["EmailAddress"] = user.EmailAddress;
        ViewData["FullName"] = user.DisplayName;
        ViewData["GivenName"] = user.GivenName;
    }
}
On BEST ANSWER

That code takes the username of the user who logged into your website and looks it up on your domain to find more information about the person.

var username = User.Identity.Name;

The User property is ControllerBase.User, which refers to the user currently logged into your website. Since you're using Windows Authentication, this will refer to an Active Directory user. User.Identity.Name gets just the username.

The rest is for looking up the account in Active Directory.

new PrincipalContext(ContextType.Domain, "yourdomain")

This means "I want to talk to a domain called yourdomain".

UserPrincipal.FindByIdentity(context, username)

UserPrincipal.FindByIdentity finds an account on the domain. So this is saying "find this username on the domain".

Then the user's details from the account are put into the ViewData collection so that the data is accessible in the view. More details on that here.

Answer:

You get the security principal information using

var context = new PrincipalContext(ContextType.Domain, "yourdomain")

PrincipalContext is the class that has the information once you create a new instance of it, passing in parameters for the type of domain (an enumeration) and the name of your domain (a string).

The USING block ensures that the instance is disposed once the block completes - otherwise you have to call DISPOSE on that instance yourself (remember that if there is an exception you might not have handled this, so you will at least have to manage that scenario).

Once you have an instance of your domain context you can use it to search (in the case of Windows, the LDAP database) for users, whether by SID or by unique name, as in your case (every name must be unique - two users in the domain cannot have the same name).

The website has the security ID of the user; the code you are following gets a Domain object for that user which has the properties you will display. You could call other objects that might tell you which Windows Security Groups the user is a member of. In that way you can have a web site where a user's ability to view a web page or click a button is down to which Groups in the Domain the user is a member of.

Answer:

From your website's perspective, all Windows code runs under some Windows account.

If you use IIS and Forms authentication for example, then Windows knows nothing about you - you are likely to be running under an anonymous account name which all users will run under. If you drill down through your running code, it is possible to find different Windows accounts at different code levels, such as in your top level code, the underlying IIS thread, etc.

You are trying to use Windows accounts for your web site but you have to ensure that the web server it is running on is also using Windows Authentication - I know you checked this option when creating your site.

Your user identity can be cast to various types because it has to work seamlessly whichever authentication methodology is in use. You can also check your user to see if it is of a particular security regime.

Have a look at https://learn.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-3.1&tabs=visual-studio
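Putting the two answers above together (the SID-or-name lookup and group check from the second, the cast to a Windows identity from the third), here is an added example that is not from the question or any of the answers. It assumes the System.DirectoryServices.AccountManagement package, Windows Authentication enabled on the server, the "yourdomain" placeholder from the question, and a hypothetical group name "WebApp-Editors".

```csharp
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using Microsoft.AspNetCore.Mvc;

public class HomeController : Controller
{
    // Hypothetical AD group whose members may see the edit controls.
    private const string RequiredGroup = "WebApp-Editors";

    public IActionResult Index()
    {
        // Under Windows Authentication the identity is a WindowsIdentity; the
        // pattern fails for anonymous or non-Windows schemes, so handle that path.
        if (!(User.Identity is WindowsIdentity winIdentity) || winIdentity.User == null)
            return Challenge();

        // Note: the directory query runs with the app pool's credentials, not the caller's.
        using (var context = new PrincipalContext(ContextType.Domain, "yourdomain"))
        {
            // Look up by SID rather than by name: the SID survives account renames and
            // cannot be confused with a display name, unlike User.Identity.Name.
            using (var user = UserPrincipal.FindByIdentity(
                       context, IdentityType.Sid, winIdentity.User.Value))
            {
                if (user == null)
                    return Forbid();

                ViewData["UserName"] = user.SamAccountName;
                ViewData["FullName"] = user.DisplayName;
                ViewData["GivenName"] = user.GivenName;
                ViewData["Surname"] = user.Surname;
                ViewData["EmailAddress"] = user.EmailAddress;

                // Group membership decides what the view is allowed to show.
                using (var group = GroupPrincipal.FindByIdentity(context, RequiredGroup))
                {
                    ViewData["CanEdit"] = group != null && user.IsMemberOf(group);
                }
            }
        }
        return View();
    }
}
```

If all you need is a gate rather than the attributes, `[Authorize(Roles = @"yourdomain\WebApp-Editors")]` on the action does the same membership check without a directory query, because Windows groups surface as role claims on the principal.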