This repository has been archived by the owner on Jun 2, 2023. It is now read-only.

The Variables in "RestrictedADGroups" and "AllowedADGroups" in appsettings.json aren't being honored. #333

Closed
LeftShoeAT2ShoesDE opened this issue Sep 6, 2019 · 15 comments
Labels
wontfix Problem, or not; this won't be fixed here at least.


@LeftShoeAT2ShoesDE

PassCore Server

  • OS: Windows Server 2008R2
  • Provider: Active Directory
  • Settings file (without sensitive information):
    appsettings.json.txt

Describe the bug
The Variables in RestrictedADGroups and AllowedADGroups in
[IIS_ROOT]\PassCore\appsettings.json
aren't being honored. I can, without failure, change any domain-admin passwords I like (given I know the original PW of course), even though only the members of the AD-Group "ExternalUsers" should be allowed to update their passwords. Please analyse my settings and tell me if I missed something.

To Reproduce
Steps to reproduce the behavior:
normal use

Expected behavior
only allow users that are members of the AD-Group "ExternalUsers"

Screenshots
NOT APPLICABLE

Desktop (please complete the following information):

  • OS: Windows 10 1903, Mac OsX
  • Browser MS EDGE, Opera, safari in Mac OsX
  • Version Windows 10 1903, Mac OsX 10.14.6

Additional context
Add any other context about the problem here.

@geoperez
Member

geoperez commented Sep 6, 2019

Your settings look fine. Let me take a look in the code.

@LeftShoeAT2ShoesDE
Author

LeftShoeAT2ShoesDE commented Sep 6, 2019 via email

@geoperez
Member

Are you running the Windows provider or LDAP (Linux) Provider?

@LeftShoeAT2ShoesDE
Author

LeftShoeAT2ShoesDE commented Sep 18, 2019 via email

@Serk352 Serk352 assigned geoperez and unassigned Serk352 Sep 18, 2019
@LeftShoeAT2ShoesDE
Author

Good day Señor Perez, any updates on this issue?

I would greatly appreciate an update.

@geoperez
Member

Hi, we did some testing on our end, but @Serk352 was not able to reproduce. I'm going to give it a try again myself.

@geoperez
Member

Quick question, can you post the log file? Sometimes the AD is not properly returning the user's groups and this might bypass the groups check.

@LeftShoeAT2ShoesDE
Author

Which log do you need and where may I locate it?

@geoperez
Member

geoperez commented Oct 1, 2019

You may need to activate it; check step 9: https://github.com/unosquare/passcore#installation-on-iis

@geoperez
Member

geoperez commented Oct 6, 2019

Did you get the logs?

@LeftShoeAT2ShoesDE
Author

Hi, sorry for the delay; here is the relevant part of the log:

info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
      Request starting HTTP/1.1 POST http://[URL]/PassCore/api/password application/json 117
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[1]
      Route matched with {action = "Post", controller = "Password"}. Executing action Unosquare.PassCore.Web.Controllers.PasswordController.Post (Unosquare.PassCore.Web)
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[1]
      Executing action method Unosquare.PassCore.Web.Controllers.PasswordController.Post (Unosquare.PassCore.Web) with arguments (Unosquare.PassCore.Web.Models.ChangePasswordModel) - Validation state: Valid
info: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0]
      PerformPasswordChange for user adm-passcore
warn: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0]
      Using AutomaticContext
fail: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[888]
      ValidateGroups
Unosquare.PassCore.Common.ApiErrorException: Error Code: ChangeNotPermitted
**The User principal is listed as restricted**
   at Unosquare.PassCore.PasswordProvider.PasswordChangeProvider.ValidateGroups(UserPrincipal userPrincipal) in C:\Unosquare\passcore\src\Unosquare.PassCore.PasswordProvider\PasswordChangeProvider.cs:line 144
dbug: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0]
      **The User principal password updated with setPassword**
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2]
      Executed action method Unosquare.PassCore.Web.Controllers.PasswordController.Post (Unosquare.PassCore.Web), returned result Microsoft.AspNetCore.Mvc.JsonResult in 1363.5664ms.
info: Microsoft.AspNetCore.Mvc.Formatters.Json.Internal.JsonResultExecutor[1]
      Executing JsonResult, writing value of type 'Unosquare.PassCore.Web.Models.ApiResult'.
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2]
      Executed action Unosquare.PassCore.Web.Controllers.PasswordController.Post (Unosquare.PassCore.Web) in 1480.5211ms
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
      Request finished in 1499.7316ms 200 application/json; charset=utf-8

Is there a setting to route the POST request over HTTPS?

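In the log excerpt above, `ValidateGroups` raises `ChangeNotPermitted` and the same request still logs a password update. As an added example (not part of the original thread and not PassCore's own code), the script below scans a log in that console format for requests showing this sequence; the second request in the sample and the user name `ext-user1` are constructed.

```python
import re
# Console-logger entry header: "<level>: <category>[<event id>]"
ENTRY = re.compile(r"^(trce|dbug|info|warn|fail|crit): (\S+)\[(\d+)\]$")

def parse_entries(text):
    """Return [level, category, message] entries; continuation lines join message."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2), ""])
        elif entries:
            entries[-1][2] += line.strip() + "\n"
    return entries

def find_fail_open(text):
    """Users whose request logged a group-check denial followed by a password update."""
    hits, user, denied = [], None, False
    for level, category, msg in parse_entries(text):
        if "Request starting" in msg:
            user, denied = None, False  # new request, reset state
        elif category.endswith("PasswordChangeProvider"):
            m = re.search(r"PerformPasswordChange for user (\S+)", msg)
            if m:
                user = m.group(1)
            if level == "fail" and "ChangeNotPermitted" in msg:
                denied = True
            elif denied and "password updated" in msg:
                hits.append(user)
    return hits

# Constructed sample: first request abridged from the log above, second is made up.
SAMPLE = """\
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
      Request starting HTTP/1.1 POST http://[URL]/PassCore/api/password application/json 117
info: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0]
      PerformPasswordChange for user adm-passcore
fail: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[888]
      ValidateGroups
Unosquare.PassCore.Common.ApiErrorException: Error Code: ChangeNotPermitted
dbug: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0]
      The User principal password updated with setPassword
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
      Request starting HTTP/1.1 POST http://[URL]/PassCore/api/password application/json 117
info: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0]
      PerformPasswordChange for user ext-user1
dbug: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0]
      The User principal password updated with setPassword
"""
```

`find_fail_open(SAMPLE)` returns only the user whose request was denied by the group check and then updated anyway.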

@geoperez
Member

geoperez commented Oct 8, 2019

I made some changes to the group validation check. Can you check the latest version, please?

@geoperez
Member

geoperez commented Nov 2, 2019

Status?

@LeftShoeAT2ShoesDE
Author

LeftShoeAT2ShoesDE commented Nov 5, 2019

Sorry, I unfortunately had more pressing issues to attend to. I'll look into updating this by Friday and will report my findings when I do.

@stale

stale bot commented Jan 4, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix Problem, or not; this won't be fixed here at least. label Jan 4, 2020
@stale stale bot closed this as completed Jan 11, 2020