* Add LDAP lookup config examples
Add LDAP lookup config examples for RC2
* Update aspnetcore/security/authentication/windowsauth.md
Take some Rick bits
Co-authored-by: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com>
* Update aspnetcore/security/authentication/windowsauth.md
Take Chris over Rick
Co-authored-by: Chris Ross <Tratcher@Outlook.com>
* Update aspnetcore/security/authentication/windowsauth.md
Co-authored-by: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com>
Co-authored-by: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com>
Co-authored-by: Chris Ross <Tratcher@Outlook.com>
aspnetcore/security/authentication/windowsauth.md: 32 additions & 2 deletions
@@ -152,7 +152,7 @@ The [Microsoft.AspNetCore.Authentication.Negotiate](https://www.nuget.org/packag
> Credentials can be persisted across requests on a connection. *Negotiate authentication must not be used with proxies unless the proxy maintains a 1:1 connection affinity (a persistent connection) with Kestrel.*
> [!NOTE]
-
> The Negotiate handler detects if the underlying server supports Windows Authentication natively and if it's enabled. If the server supports Windows Authentication but it's disabled, an error is thrown asking you to enable the server implementation. When Windows Authentication is enabled in the server, the Negotiate handler transparently forwards to it.
+
> The Negotiate handler detects if the underlying server supports Windows Authentication natively and if it is enabled. If the server supports Windows Authentication but it is disabled, an error is thrown asking you to enable the server implementation. When Windows Authentication is enabled in the server, the Negotiate handler transparently forwards authentication requests to it.
Add authentication services by invoking <xref:Microsoft.Extensions.DependencyInjection.AuthenticationServiceCollectionExtensions.AddAuthentication*> and <xref:Microsoft.Extensions.DependencyInjection.NegotiateExtensions.AddNegotiate*> in `Startup.ConfigureServices`:
@@ -172,6 +172,36 @@ app.UseAuthentication();
For more information on middleware, see <xref:fundamentals/middleware/index>.
+
Kerberos authentication on Linux or macOS doesn't provide any role information for an authenticated user. To add role and group information to a Kerberos user, the authentication handler must be configured to retrieve the roles from an LDAP domain. The most basic configuration only specifies an LDAP domain to query against and will use the authenticated user's context to query the LDAP domain:
if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
+
{
+
options.EnableLdap("contoso.com");
+
options.MachineAccountName="machineName";
+
options.MachineAccountPassword="PassW0rd";
+
}
+
});
+
```
+
+
By default, the negotiate authentication handler resolves nested domains. In a large or complicated LDAP environment, resolving nested domains may result in a slow lookup or a lot of memory being used for each user. Nested domain resolution can be disabled using the `IgnoreNestedGroups` option.
+
Anonymous requests are allowed. Use [ASP.NET Core Authorization](xref:security/authorization/introduction) to challenge anonymous requests for authentication.
### Windows environment configuration
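Review bot: The new LDAP example contradicts the sentence that introduces it and embeds a literal secret. The text says the most basic configuration "only specifies an LDAP domain to query against and will use the authenticated user's context", but the snippet also sets `options.MachineAccountName="machineName";` and `options.MachineAccountPassword="PassW0rd";`, which is a different, credentialed lookup. Suggest reducing the first example to `options.EnableLdap("contoso.com");` and, if machine-account credentials are to be documented, presenting them as a separate alternative with the password read from configuration (for example `Configuration["Ldap:MachineAccountPassword"]`, a placeholder key) rather than a string literal that readers will copy into source control. Two smaller points in the same hunk: the paragraph on nested lookups says "resolves nested domains" while the option it names is `IgnoreNestedGroups`, so "nested groups" is the consistent term and a one-line snippet showing where that option is set would help; and "negotiate authentication handler" should be "Negotiate handler" to match the wording at line 155.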
@@ -280,4 +310,4 @@ When hosting with IIS in-process mode, <xref:Microsoft.AspNetCore.Authentication