From 51167edb2a6ae4d571e66aa641da34dfe4c7ad25 Mon Sep 17 00:00:00 2001 From: guardrex <1622880+guardrex@users.noreply.github.com> Date: Wed, 12 Feb 2025 11:56:45 -0500 Subject: [PATCH 1/7] BWA with WinAuth article --- .../security/blazor-web-app-with-entra.md | 2 +- .../security/blazor-web-app-with-oidc.md | 2 +- ...zor-web-app-with-windows-authentication.md | 83 +++++++++++++++++++ aspnetcore/toc.yml | 2 + 4 files changed, 87 insertions(+), 2 deletions(-) create mode 100644 aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md diff --git a/aspnetcore/blazor/security/blazor-web-app-with-entra.md b/aspnetcore/blazor/security/blazor-web-app-with-entra.md index 7dec9b1d4b1e..1e6b5bd4315f 100644 --- a/aspnetcore/blazor/security/blazor-web-app-with-entra.md +++ b/aspnetcore/blazor/security/blazor-web-app-with-entra.md @@ -1,7 +1,7 @@ --- title: Secure an ASP.NET Core Blazor Web App with Microsoft Entra ID author: guardrex -description: Learn how to secure a Blazor WebAssembly App with Microsoft Entra ID. +description: Learn how to secure a Blazor Web App with Microsoft Entra ID. monikerRange: '>= aspnetcore-9.0' ms.author: riande ms.custom: mvc diff --git a/aspnetcore/blazor/security/blazor-web-app-with-oidc.md b/aspnetcore/blazor/security/blazor-web-app-with-oidc.md index a3e4ef3b6bf4..eae9fe581cfb 100644 --- a/aspnetcore/blazor/security/blazor-web-app-with-oidc.md +++ b/aspnetcore/blazor/security/blazor-web-app-with-oidc.md @@ -1,7 +1,7 @@ --- title: Secure an ASP.NET Core Blazor Web App with OpenID Connect (OIDC) author: guardrex -description: Learn how to secure a Blazor WebAssembly App with OpenID Connect (OIDC). +description: Learn how to secure a Blazor Web App with OpenID Connect (OIDC). monikerRange: '>= aspnetcore-8.0' ms.author: riande ms.custom: mvc 
diff --git a/aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md b/aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md new file mode 100644 index 000000000000..f2cceddb7717 --- /dev/null +++ b/aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md 
@@ -0,0 +1,83 @@ +--- +title: Secure an ASP.NET Core Blazor Web App with Windows Authentication +author: guardrex +description: Learn how to secure a Blazor Web App with Windows Authentication. +monikerRange: '>= aspnetcore-9.0' +ms.author: riande +ms.custom: mvc +ms.date: 02/12/2025 +uid: blazor/security/blazor-web-app-windows-authentication +--- +# Secure an ASP.NET Core Blazor Web App with Windows Authentication + +[!INCLUDE[](~/includes/not-latest-version-without-not-supported-content.md)] + +This article describes how to secure a Blazor Web App with [Windows Authentication]() using a sample app in the [`dotnet/blazor-samples` GitHub repository (.NET 9 or later)](https://github.com/dotnet/blazor-samples) ([how to download](xref:blazor/fundamentals/index#sample-apps)). + +Specification for the Blazor Web App: + +* [Server render mode with global interactivity](xref:blazor/components/render-modes) +* Establishes an [authorization policy](xref:security/authorization/policies) for a [Windows security identifier](/windows-server/identity/ad-ds/manage/understand-security-identifiers) to access a secure page. + +## Sample app + +Access the sample app through the latest version folder from the repository's root with the following link. The project is in the `BlazorWebAppWinAuthServer` folder for .NET 9 or later. + +[View or download sample code](https://github.com/dotnet/blazor-samples) ([how to download](xref:blazor/fundamentals/index#sample-apps)) + +## Configuration + +This app requires no configuration to run locally. + +When deployed to a host, such as IIS, the app must adopt impersonation to run under the user's account. For more information, see . + +### Sample app code + +Inspect the `Program` file in the sample app for the following features. + + is called using the authentication scheme. configures the to use Negotiate (also known as Windows, Kerberos, or NTLM) authentication. 
This authentication handler supports Kerberos on Windows and Linux servers: + +```csharp +builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme) + .AddNegotiate(); +``` + + adds authorization policy services, setting the to the default policy (), which defaults to require authenticated users to access the app. + +```csharp +builder.Services.AddAuthorization(options => +{ + options.FallbackPolicy = options.DefaultPolicy; +}); +``` + + adds cascading authentication state to the service collection. This is equivalent to having a `CascadingAuthenticationState` component at the root of the app's component hierarchy: + +```csharp +builder.Services.AddCascadingAuthenticationState(); +``` + +An [authorization policy](xref:security/authorization/policies) is added for a [Windows security identifier](/windows-server/identity/ad-ds/manage/understand-security-identifiers): + +```csharp +builder.Services.AddAuthorizationBuilder() + .AddPolicy("LocalAccount", policy => + policy.RequireClaim( + "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + "S-1-5-113")); +``` + +The authorization policy is enforced by the `LocalAccountOnly` component (path: `/local-account-only`): + +```razor +@page "/local-account-only" +@using Microsoft.AspNetCore.Authorization +@attribute [Authorize("LocalAccount")] +``` + +The `UserClaims` component lists the user's claims, which includes the user's Windows security identifiers (SIDs). + +## Additional resources + +* +* [Security identifiers (Windows Server documentation)](/windows-server/identity/ad-ds/manage/understand-security-identifiers) diff --git a/aspnetcore/toc.yml b/aspnetcore/toc.yml index ce4f7b10c395..7fd6fb4cf4e3 100644 --- a/aspnetcore/toc.yml +++ b/aspnetcore/toc.yml 
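Review bot: two gaps in the new article hunk. The intro's `[Windows Authentication]()` link has an empty target, and the `S-1-5-113` value passed to `policy.RequireClaim("http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", "S-1-5-113")` is never explained, so a reader can't tell which accounts the `LocalAccount` policy admits. Suggest pointing the link at the Windows Authentication overview and adding one sentence that `S-1-5-113` is the well-known `NT AUTHORITY\Local account` SID, which is present on the token of every local (non-domain) account, including members of the local Administrators group, so the policy admits any local account and rejects domain accounts. Minor style point: the claim type string literal is exactly `ClaimTypes.GroupSid` from `System.Security.Claims`; using the constant avoids a silent typo in the URI turning the policy into one that nobody satisfies.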
@@ -619,6 +619,8 @@ items: - name: Blazor Web App with OIDC uid: blazor/security/blazor-web-app-oidc - name: Static server-side rendering threats + - name: Blazor Web App with Windows Auth + uid: blazor/security/blazor-web-app-windows-authentication uid: blazor/security/static-server-side-rendering - name: Interactive server-side rendering threats uid: blazor/security/interactive-server-side-rendering From 673e3dea905f1d18d514d6ed8602ca3e1f1cbc94 Mon Sep 17 00:00:00 2001 From: guardrex <1622880+guardrex@users.noreply.github.com> Date: Wed, 12 Feb 2025 12:38:42 -0500 Subject: [PATCH 2/7] Updates --- .../security/blazor-web-app-with-windows-authentication.md | 4 ++++ aspnetcore/toc.yml | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md b/aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md index f2cceddb7717..53582d8c55bf 100644 --- a/aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md +++ b/aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md @@ -10,8 +10,12 @@ uid: blazor/security/blazor-web-app-windows-authentication --- # Secure an ASP.NET Core Blazor Web App with Windows Authentication + + This article describes how to secure a Blazor Web App with [Windows Authentication]() using a sample app in the [`dotnet/blazor-samples` GitHub repository (.NET 9 or later)](https://github.com/dotnet/blazor-samples) ([how to download](xref:blazor/fundamentals/index#sample-apps)). Specification for the Blazor Web App: diff --git a/aspnetcore/toc.yml b/aspnetcore/toc.yml index 7fd6fb4cf4e3..603181cc0510 100644 --- a/aspnetcore/toc.yml +++ b/aspnetcore/toc.yml 
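Review bot: in the `toc.yml` hunk the two added lines land between `- name: Static server-side rendering threats` and its `uid: blazor/security/static-server-side-rendering`, so the static SSR item loses its `uid` and the new item ends up with two consecutive `uid:` keys, which is invalid TOC YAML. Move the new `- name: Blazor Web App with Windows Auth` / `uid:` pair above the `Static server-side rendering threats` name line; the `@@ -618,9 +618,9 @@` hunk in the following commit makes exactly that correction, so the two commits could be squashed.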
@@ -618,9 +618,9 @@ items: uid: blazor/security/blazor-web-app-entra - name: Blazor Web App with OIDC uid: blazor/security/blazor-web-app-oidc - - name: Static server-side rendering threats - name: Blazor Web App with Windows Auth uid: blazor/security/blazor-web-app-windows-authentication + - name: Static server-side rendering threats uid: blazor/security/static-server-side-rendering - name: Interactive server-side rendering threats uid: blazor/security/interactive-server-side-rendering From 86bf3b7155d886e32ba54e1e90bb8da48b9aaf33 Mon Sep 17 00:00:00 2001 From: guardrex <1622880+guardrex@users.noreply.github.com> Date: Thu, 13 Feb 2025 08:57:22 -0500 Subject: [PATCH 3/7] Updates --- ...zor-web-app-with-windows-authentication.md | 72 ++++++++++++++++--- 1 file changed, 61 insertions(+), 11 deletions(-) diff --git a/aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md b/aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md index 53582d8c55bf..f0c142f916f7 100644 --- a/aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md +++ b/aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md @@ -5,7 +5,7 @@ description: Learn how to secure a Blazor Web App with Windows Authentication. monikerRange: '>= aspnetcore-9.0' ms.author: riande ms.custom: mvc -ms.date: 02/12/2025 +ms.date: 02/13/2025 uid: blazor/security/blazor-web-app-windows-authentication --- # Secure an ASP.NET Core Blazor Web App with Windows Authentication 
@@ -16,11 +16,11 @@ uid: blazor/security/blazor-web-app-windows-authentication --> -This article describes how to secure a Blazor Web App with [Windows Authentication]() using a sample app in the [`dotnet/blazor-samples` GitHub repository (.NET 9 or later)](https://github.com/dotnet/blazor-samples) ([how to download](xref:blazor/fundamentals/index#sample-apps)). +This article describes how to secure a Blazor Web App with [Windows Authentication](/windows-server/security/windows-authentication/windows-authentication-overview) using a sample app in the [`dotnet/blazor-samples` GitHub repository (.NET 9 or later)](https://github.com/dotnet/blazor-samples) ([how to download](xref:blazor/fundamentals/index#sample-apps)). -Specification for the Blazor Web App: +The app specification for the Blazor Web App: -* [Server render mode with global interactivity](xref:blazor/components/render-modes) +* Adopts the [Interactive Server render mode with global interactivity](xref:blazor/components/render-modes). * Establishes an [authorization policy](xref:security/authorization/policies) for a [Windows security identifier](/windows-server/identity/ad-ds/manage/understand-security-identifiers) to access a secure page. ## Sample app 
@@ -31,22 +31,22 @@ Access the sample app through the latest version folder from the repository's ro ## Configuration -This app requires no configuration to run locally. +The sample app doesn't require configuration to run locally. When deployed to a host, such as IIS, the app must adopt impersonation to run under the user's account. For more information, see . ### Sample app code -Inspect the `Program` file in the sample app for the following features. +Inspect the `Program` file in the sample app for the following API calls. - is called using the authentication scheme. configures the to use Negotiate (also known as Windows, Kerberos, or NTLM) authentication. This authentication handler supports Kerberos on Windows and Linux servers: + is called using the authentication scheme. configures the to use Negotiate (also known as Windows, Kerberos, or NTLM) authentication, and the authentication handler supports Kerberos on Windows and Linux servers: ```csharp builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme) .AddNegotiate(); ``` - adds authorization policy services, setting the to the default policy (), which defaults to require authenticated users to access the app. + adds authorization policy services, setting the to the default policy (), which defaults to require authenticated users to access the app: ```csharp builder.Services.AddAuthorization(options => 
@@ -55,13 +55,13 @@ builder.Services.AddAuthorization(options => }); ``` - adds cascading authentication state to the service collection. This is equivalent to having a `CascadingAuthenticationState` component at the root of the app's component hierarchy: + adds cascading authentication state to the service collection. This is equivalent to placing a `CascadingAuthenticationState` component at the root of the app's component hierarchy: ```csharp builder.Services.AddCascadingAuthenticationState(); ``` -An [authorization policy](xref:security/authorization/policies) is added for a [Windows security identifier](/windows-server/identity/ad-ds/manage/understand-security-identifiers): +An [authorization policy](xref:security/authorization/policies) is added for a [Windows security identifier (SID)](/windows-server/identity/ad-ds/manage/understand-security-identifiers). The `S-1-5-113` well-known SID in the following example indicates that the user is a local account, which restricts network sign-in to local accounts instead of "administrator" or equivalent accounts: ```csharp builder.Services.AddAuthorizationBuilder() @@ -71,16 +71,66 @@ builder.Services.AddAuthorizationBuilder() "S-1-5-113")); ``` -The authorization policy is enforced by the `LocalAccountOnly` component (path: `/local-account-only`): +The authorization policy is enforced by the `LocalAccountOnly` component. + +`Components/Pages/LocalAccountOnly.razor`: ```razor @page "/local-account-only" @using Microsoft.AspNetCore.Authorization @attribute [Authorize("LocalAccount")] + +

Local Account Only

+ +

+ You can only reach this page by satisfying the + LocalAccount authorization policy. +

``` The `UserClaims` component lists the user's claims, which includes the user's Windows security identifiers (SIDs). +`Components/Pages/UserClaims.razor`: + +```razor +@page "/user-claims" +@using System.Security.Claims +@using Microsoft.AspNetCore.Authorization +@attribute [Authorize] + +User Claims + +

User Claims

+ +@if (claims.Any()) +{ +
    + @foreach (var claim in claims) + { +
  • @claim.Type: @claim.Value
  • + } +
+} + +@code { + private IEnumerable claims = []; + + [CascadingParameter] + private Task? AuthState { get; set; } + + protected override async Task OnInitializedAsync() + { + if (AuthState == null) + { + return; + } + + var authState = await AuthState; + claims = authState.User.Claims; + } +} +``` + ## Additional resources * From f572ef7d56babf4146a991ce02a8baf2846b3a01 Mon Sep 17 00:00:00 2001 From: Luke Latham <1622880+guardrex@users.noreply.github.com> Date: Thu, 13 Feb 2025 16:36:32 -0500 Subject: [PATCH 4/7] Update aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md --- .../security/blazor-web-app-with-windows-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md b/aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md index f0c142f916f7..9214aeb8d999 100644 --- a/aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md +++ b/aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md @@ -29,7 +29,7 @@ Access the sample app through the latest version folder from the repository's ro [View or download sample code](https://github.com/dotnet/blazor-samples) ([how to download](xref:blazor/fundamentals/index#sample-apps)) -## Configuration +### Configuration The sample app doesn't require configuration to run locally. From 85c357039f1a4d9a95c2b16cb56549eb066960ed Mon Sep 17 00:00:00 2001 From: guardrex <1622880+guardrex@users.noreply.github.com> Date: Thu, 13 Feb 2025 16:39:26 -0500 Subject: [PATCH 5/7] Updates --- .../blazor-web-app-with-windows-authentication.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md b/aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md index 9214aeb8d999..64ba76cf4fe9 100644 --- a/aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md 
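Review bot: in the `@@ -55,13 +55,13 @@` hunk, the new sentence "The `S-1-5-113` well-known SID in the following example indicates that the user is a local account, which restricts network sign-in to local accounts instead of "administrator" or equivalent accounts" conflates the SID with the Group Policy that consumes it. `S-1-5-113` marks every local account's token; it is the "Deny access to this computer from the network" policy that uses the SID to block local accounts from network logon. The `LocalAccount` policy here only requires the claim, so it admits local accounts (local administrators included) and rejects domain accounts, and restricts nothing about administrator accounts. Suggest: "The `S-1-5-113` well-known SID is present on the token of every local account, so the `LocalAccount` policy grants access to users signed in with a local account and denies domain accounts."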
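Review bot: in the `@@ -71,16 +71,66 @@` hunk, `UserClaims.razor` returns silently from `OnInitializedAsync` when `AuthState` is null, so the page renders an empty claims list behind `[Authorize]` with no indication of why. Because `AddCascadingAuthenticationState` is registered in `Program`, a null cascading `AuthState` can only mean a setup error; consider rendering a short message or throwing instead of showing nothing, so a misconfiguration is visible while testing the sample. The `@if (claims.Any())` guard has the same effect for an authenticated user with no claims, which the Negotiate handler never produces, so an `else` branch with a message would make the page self-explaining.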
+++ b/aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md @@ -16,7 +16,7 @@ uid: blazor/security/blazor-web-app-windows-authentication --> -This article describes how to secure a Blazor Web App with [Windows Authentication](/windows-server/security/windows-authentication/windows-authentication-overview) using a sample app in the [`dotnet/blazor-samples` GitHub repository (.NET 9 or later)](https://github.com/dotnet/blazor-samples) ([how to download](xref:blazor/fundamentals/index#sample-apps)). +This article describes how to secure a Blazor Web App with [Windows Authentication](/windows-server/security/windows-authentication/windows-authentication-overview) using a sample app in the [`dotnet/blazor-samples` GitHub repository (.NET 9 or later)](https://github.com/dotnet/blazor-samples) ([how to download](xref:blazor/fundamentals/index#sample-apps)). For more information, see . The app specification for the Blazor Web App: @@ -29,13 +29,13 @@ Access the sample app through the latest version folder from the repository's ro [View or download sample code](https://github.com/dotnet/blazor-samples) ([how to download](xref:blazor/fundamentals/index#sample-apps)) -### Configuration +## Configuration The sample app doesn't require configuration to run locally. -When deployed to a host, such as IIS, the app must adopt impersonation to run under the user's account. For more information, see . +When deployed to a host, such as IIS, the app must adopt impersonation to run under the user's account. For more information, see . -### Sample app code +## Sample app code Inspect the `Program` file in the sample app for the following API calls. From 25dcfcd86aa91e4b7d3129a9b3ed3884ee94767f Mon Sep 17 00:00:00 2001 From: guardrex <1622880+guardrex@users.noreply.github.com> Date: Fri, 14 Feb 2025 06:59:34 -0500 Subject: [PATCH 6/7] Updates --- .../security/blazor-web-app-with-windows-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md b/aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md index 64ba76cf4fe9..f311c0125862 100644 --- a/aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md +++ b/aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md @@ -46,7 +46,7 @@ builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme) .AddNegotiate(); ``` - adds authorization policy services, setting the to the default policy (), which defaults to require authenticated users to access the app: + adds authorization policy services. sets the fallback authorization policy, which is set to the default policy (). The default policy requires an authenticated user to access the app: ```csharp builder.Services.AddAuthorization(options => From 72621fdfe011b12ea17b7051997502aa1e8ae46b Mon Sep 17 00:00:00 2001 From: guardrex <1622880+guardrex@users.noreply.github.com> Date: Tue, 25 Mar 2025 13:50:35 -0400 Subject: [PATCH 7/7] Updates --- .../security/blazor-web-app-with-windows-authentication.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md b/aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md index f311c0125862..01fd64130188 100644 --- a/aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md +++ b/aspnetcore/blazor/security/blazor-web-app-with-windows-authentication.md @@ -5,7 +5,7 @@ description: Learn how to secure a Blazor Web App with Windows Authentication. monikerRange: '>= aspnetcore-9.0' ms.author: riande ms.custom: mvc -ms.date: 02/13/2025 +ms.date: 03/25/2025 uid: blazor/security/blazor-web-app-windows-authentication --- # Secure an ASP.NET Core Blazor Web App with Windows Authentication 
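Review bot: the rewritten sentence in the `@@ -46,7 +46,7 @@` hunk says the fallback policy "requires an authenticated user to access the app", which overstates what `options.FallbackPolicy = options.DefaultPolicy` does. The fallback policy applies only to endpoints that carry no authorization metadata of their own; an endpoint marked `[AllowAnonymous]` is still reachable, and middleware that runs before routing isn't covered. Suggest phrasing it as "The fallback policy applies to any endpoint that doesn't declare its own authorization requirements, so by default every page in the app requires an authenticated user."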
@@ -16,7 +16,7 @@ uid: blazor/security/blazor-web-app-windows-authentication --> -This article describes how to secure a Blazor Web App with [Windows Authentication](/windows-server/security/windows-authentication/windows-authentication-overview) using a sample app in the [`dotnet/blazor-samples` GitHub repository (.NET 9 or later)](https://github.com/dotnet/blazor-samples) ([how to download](xref:blazor/fundamentals/index#sample-apps)). For more information, see . +This article describes how to secure a Blazor Web App with [Windows Authentication](/windows-server/security/windows-authentication/windows-authentication-overview) using a sample app. For more information, see . The app specification for the Blazor Web App: @@ -25,7 +25,7 @@ The app specification for the Blazor Web App: ## Sample app -Access the sample app through the latest version folder from the repository's root with the following link. The project is in the `BlazorWebAppWinAuthServer` folder for .NET 9 or later. +Access the sample through the latest version folder in the Blazor samples repository with the following link. The sample is in the `BlazorWebAppWinAuthServer` folder for .NET 9 or later. [View or download sample code](https://github.com/dotnet/blazor-samples) ([how to download](xref:blazor/fundamentals/index#sample-apps))