12
votes

I have a small project, built using Visual Studio 2013, .NET 4.5, MVC 5, and EF 6. I created it using Windows authentication, but now I need to check for membership in an Active Directory group to allow or deny access.

I've gone down many VERY deep rabbit holes, attempting to find out how to do this. At first I presumed that I would need to change the project to use "On-Premises" authentication. However, I have found that:

  1. There apparently isn't a way in VS 2013 to change the type of authentication that a project uses (other than manually editing some files).
  2. There isn't any documentation yet explaining how to setup "On-Premises" authentication. (Really? How is that possible?)
  3. In any case, what I need isn't "On-Premises" authentication at all, since that is just for Windows Identity Federation services (or something like that). What I should be using instead is just Windows Authentication with ASP.Net roles, which Windows apparently gets from Active Directory groups when I login.

So, assuming that #3 is true, I tried reading numerous posts about this, but they seem to fall into two basic groups:

  1. Straightforward, simple methods, which I can't get to work, probably because it assumes some knowledge that I don't have.
  2. Complex, custom-coded methods, which I suspect are doing through code what can probably be done in a code-free method.

Assuming that #1 is the way to go, here's my most recent attempt.

In my controller, I have:

[Authorize(Roles=@"SomeDomain\\SomeGroup")]
public class SomeController : Controller

In my Web.config file, I have:

  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
    </authorization>
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
      <providers>
        <clear/>
        <add name="AspNetWindowsTokenRoleProvider"
             type="System.Web.Security.WindowsTokenRoleProvider"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="BehaviorConfiguration">
          <serviceAuthorization
               principalPermissionMode="UseAspNetRoles"
               roleProviderName="AspNetWindowsTokenRoleProvider" />
          <serviceMetadata />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>

When I try to access the page, I am instead prompted to login. After entering my login ID and password, I continue to receive the login prompt. I am not allowed to get to the page.

I don't have anything anywhere telling my application where the Active Directory server is, but the impression I get is that Windows already knows that (since, when I login to Windows, it accesses the Active Directory server to authenticate me).

Am I missing something? Or am I wrong in assuming that this can be done without writing custom code?

Caveat: I'm fairly new to .NET, MVC, etc, having come from the Java world, so please use small words. :-)

2
You should check this question out. It's probably for an earlier version of mvc, but Windows Authentication hasn't changed in awhile. stackoverflow.com/questions/13767439/…James Sampica
I had looked at that post earlier, and based much of what I was trying on it, but it wasn't working. I just now figured out what I had done wrong, however. In the attribute in my controller, I had 2 backslashes between the name of the domain and the name of the role, rather than one. So I had: [Authorize(Roles=@"SomeDomain\\SomeGroup")] instead of [Authorize(Roles=@"SomeDomain\SomeGroup")] Doh!Wally Hartshorn

2 Answers

10
votes

I found the problem. What I had above was correct, except I had TWO backslashes between the domain name and the role name, rather than one. The fix was just changing it to this:

[Authorize(Roles=@"SomeDomain\SomeGroup")]
0
votes

You can also make this a filter in RegisterGlobalFilters in the App_Start folder.

 public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        if (filters == null)
        {
            throw new ArgumentNullException("filters");
        }

        filters.Add(new HandleErrorAttribute());

        var authorizeAttribute = new AuthorizeAttribute
        {
            Roles = "Domain\Group" // Role = group in Active Directory
        };

        filters.Add(authorizeAttribute);
    }
}