Wally Hartshorn Wally Hartshorn - 1 month ago 11
ASP.NET (C#) Question

Windows Authentication with Active Directory Groups

I have a small project, built using Visual Studio 2013, .NET 4.5, MVC 5, and EF 6. I created it using Windows authentication, but now I need to check for membership in an Active Directory group to allow or deny access.

I've gone down many VERY deep rabbit holes, attempting to find out how to do this. At first I presumed that I would need to change the project to use "On-Premises" authentication. However, I have found that:


  1. There apparently isn't a way in VS 2013 to change the type of authentication that a project uses (other than manually editing some files).

  2. There isn't any documentation yet explaining how to setup "On-Premises" authentication. (Really? How is that possible?)

  3. In any case, what I need isn't "On-Premises" authentication at all, since that is just for Windows Identity Federation services (or something like that). What I should be using instead is just Windows Authentication with ASP.Net roles, which Windows apparently gets from Active Directory groups when I login.



So, assuming that #3 is true, I tried reading numerous posts about this, but they seem to fall into two basic groups:


  1. Straightforward, simple methods, which I can't get to work, probably because it assumes some knowledge that I don't have.

  2. Complex, custom-coded methods, which I suspect are doing through code what can probably be done in a code-free method.



Assuming that #1 is the way to go, here's my most recent attempt.

In my controller, I have:

[Authorize(Roles=@"SomeDomain\\SomeGroup")]
public class SomeController : Controller


In my Web.config file, I have:

<system.web>
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
<providers>
<clear/>
<add name="AspNetWindowsTokenRoleProvider"
type="System.Web.Security.WindowsTokenRoleProvider"
applicationName="/" />
</providers>
</roleManager>
</system.web>
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="BehaviorConfiguration">
<serviceAuthorization
principalPermissionMode="UseAspNetRoles"
roleProviderName="AspNetWindowsTokenRoleProvider" />
<serviceMetadata />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>


When I try to access the page, I am instead prompted to login. After entering my login ID and password, I continue to receive the login prompt. I am not allowed to get to the page.

I don't have anything anywhere telling my application where the Active Directory server is, but the impression I get is that Windows already knows that (since, when I login to Windows, it accesses the Active Directory server to authenticate me).

Am I missing something? Or am I wrong in assuming that this can be done without writing custom code?

Caveat: I'm fairly new to .NET, MVC, etc, having come from the Java world, so please use small words. :-)

Answer

I found the problem. What I had above was correct, except I had TWO backslashes between the domain name and the role name, rather than one. The fix was just changing it to this:

[Authorize(Roles=@"SomeDomain\SomeGroup")]
Comments