I primarily use this to leverage integrated (Kerberos/Negotiate) authentication from Windows. One early thing I needed to do was map a user’s AD groups to ServiceStack Roles. Initially, I extended the LoadUserAuthInfo function to do an AD lookup for groups, then dump the list of groups to the user’s AuthUserSession.Roles. This, while a common way people do AD authorization outside of Windows, is a bit expensive because of the LDAP lookup for every auth request. The original IIS request does contain the Kerberos ticket (with the AD groups already burned into the ticket), but I couldn’t get the request without subclassing AspNetWindowsAuthProvider:
```csharp
// Namespaces used: System.Collections.Generic, System.Security.Principal, ServiceStack, ServiceStack.Auth, ServiceStack.Web
public class CustomWindowsAuthProvider : AspNetWindowsAuthProvider
{
    public CustomWindowsAuthProvider(IAppHost appHost) : base(appHost) { }

    public override IHttpResult OnAuthenticated(IServiceBase authService, IAuthSession session, IAuthTokens tokens, Dictionary<string, string> authInfo)
    {
        var request = authService.Request.OriginalRequest as System.Web.HttpRequestWrapper;
        using (WindowsIdentity userId = request?.LogonUserIdentity)
        {
            List<string> roles = new List<string>();
            if (userId?.Groups != null)
            {
                foreach (var group in userId.Groups)
                {
                    // Remove the domain name from the name of the group, if it has it, and you don't need it.
                    var groupName = new SecurityIdentifier(group.Value).Translate(typeof(NTAccount)).ToString();
                    groupName = groupName.Substring(groupName.LastIndexOf('\\') + 1);
                    roles.Add(groupName);
                }
            }
            session.Roles = roles;
        }
        return base.OnAuthenticated(authService, session, tokens, authInfo);
    }
}
```
It would be nice if something similar to the above was burned into the base AspNetAuthProvider. (I’m not sure if the above works for all scenarios).
- Given an IIS setup with integrated authentication, how does the .NET SSE client authenticate? I didn’t see a Credentials property for the SSE client.
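
An added example, not part of the original post and not ServiceStack code: once the domain prefix is stripped from group names as in the provider above, same-named groups from different domains map to the same role, so this sketch puts that approach beside an allowlist keyed on the full domain-qualified name. The `GroupRoleMapper` class, the `CORP`/`PARTNER` domains, and the group and role names are all hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public static class GroupRoleMapper
{
    // Hypothetical allowlist: domain-qualified AD group -> application role.
    private static readonly Dictionary<string, string> RoleMap =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { @"CORP\App-Admins", "Admin" },
            { @"CORP\App-Readers", "Reader" },
        };

    // Approach from the post: drop the domain prefix and use the bare group name as the role.
    public static List<string> StripDomain(IEnumerable<string> groups)
    {
        return groups.Select(g => g.Substring(g.LastIndexOf('\\') + 1))
                     .Distinct(StringComparer.OrdinalIgnoreCase)
                     .ToList();
    }

    // Alternative: only allowlisted groups grant a role, matched on the full qualified name.
    public static List<string> MapToRoles(IEnumerable<string> groups)
    {
        var roles = new List<string>();
        foreach (var g in groups)
        {
            string role;
            if (RoleMap.TryGetValue(g, out role) && !roles.Contains(role))
                roles.Add(role);
        }
        return roles;
    }

    public static void Main()
    {
        // Constructed sample: translated NTAccount names for a user from a trusted domain.
        var groups = new[] { @"PARTNER\App-Admins", @"CORP\App-Readers", @"BUILTIN\Users" };

        // After stripping, PARTNER\App-Admins can no longer be told apart from CORP\App-Admins.
        Console.WriteLine("Stripped:  " + string.Join(", ", StripDomain(groups)));
        // With the allowlist, only CORP\App-Readers contributes a role.
        Console.WriteLine("Allowlist: " + string.Join(", ", MapToRoles(groups)));
    }
}
```

In the provider, `MapToRoles` would take the translated `NTAccount` strings in place of the stripped names; matching on `group.Value` (the SID) instead of the name avoids the translation step and is unaffected by group renames.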