While looking at the code, I noticed that groups for a user are retrieved using the NetUserGetGroups function. From testing I've done, I've noticed that this only retrieves groups the user is directly assigned, and it will not retrieve groups the user is indirectly assigned, such as groups containing groups containing the user. Also, NetUserGetGroups requires providing the server name of a DC in order to get the groups of a domain user.

With some experimenting, I found that the groups can be obtained from the CtxtHandle. By using QueryContextAttributes passing the SECPKG_ATTR_ACCESS_TOKEN attribute (value 18), an SecPkgContext_AccessToken value is returned, which contains an access token, which can be passed to GetTokenInformation using the TokenGroups class, which results in TOKEN_GROUPS value.

The TOKEN_GROUPS value will contain an array of group SIDs and attributes assigned, and, by filtering the groups to only include those containing an attribute bit flag SE_GROUP_ENABLED, and using LookupAccountSid, a list of group names can be achieved.

Given this amount of work, I would have wanted to instead include a pull request. However, this is the first time I'm writing any Go code, I wasn't really able to make any progress except by using the helper functions defined in golang.org/x/sys/windows, and I was only able to make it work by removing tests (rather than augmenting and modifying the tests to work with the updated code). If you would still like to see the changes I made to help clarify the above description of work, I can make that available.

Create an example that shows how to print the names of the groups the user is a member of.

Every time I try to upload a file larger than ~2.5Mb to my webapp, websspi logs the following error message and stops execution:

2023/06/05 11:31:51 Authenticating request to ...
2023/06/05 11:31:51 Authentication failed with error: could not get auth data: the Authorization header is not provided

With smaller files, it works prefectly.

It might be desirable adding a configuration parameter to do group lookup over the TokenLinkedToken. This contains the "elevated" token, if the UAC filtered the direct token.

Using the default, filtered token (as introduced by this PR) should remain the default, as this is the default for Windows applications (e.g. when using Powershell Remoting). At the same time, if developers want to e.g. allow login depending on administrative rights, using the linked token might be useful.

Shall I open a new PR for:

1. Improved documentation, describing why groups might be missing and differences between previous lookup.
2. A configuration parameter for toggling between using the regular and the linked token.

Oh, and I could do #4 at the same time.

Hi, quasoft!
It's not an issue, but a question.
It is possible to get only the user name and do not perform auth? I do not have access to domain controller and can't add user to AD.