Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

ASP.NET Identity + Windows Authentication for Intranet Site

I am building an intranet site where users will be on the corporate domain and have different permission levels. I'm currently using <authentication mode="Windows"/> to control site access, but it seems like I should be using ASP.NET Identity.

For example, say my application is a dashboard for each department in the organization. I want to create a single AD group called DashboardUsers and put everyone that can touch the site in this group.

I also want to restrict the views in the dashboard. For example, I only want the IT group to see their view, and the Finance folks see theirs, etc.

Question -- should I be using Windows Authentication to control access to the site, and then use ASP.NET Identity for user level permissions?

like image 751
syllogistic Avatar asked Apr 25 '14 17:04

syllogistic


2 Answers

I have done something similar to this using only WindowsAuthentication. You can tag your actions with the Authorize Attribute:

[Authorize(Roles = @"DashboardUsers")]

As long is this user is a member of the DashboardUsers AD group they will get access to this action. It seems like MVC magic, but it really is that simple.

Unfortunately this approach will not allow you to overload an action for different Roles as the Authorize Attribute is not part of the method's signature. In your views, you would have to show different anchor tags based on the current users role.

ie:

[Authorize(Roles = @"DashboardUsers\Manager")]
public ActionResult IndexManagers()
{
..
}

or

[Authorize(Roles = @"DashboardUsers\Finance")]
public ActionResult IndexFinance()
{
..
}

EDIT AFTER COMMENT: Since your Identity is coming from AD, you could use logic in your controller like:

if(User.IsInRole("Finance"))
{
..
}
else if(User.IsInRole("IT"))
{
..
}

And this will check which AD Group they belong too. I know it's not very elegant, but I can't imagine mixing Windows Auth with a custom identity and managing permissions in your own db would be elegant either.

like image 50
mambrow Avatar answered Oct 06 '22 12:10

mambrow


I have run into this dilemma before and wound up creating a custom role provider that i used in conjunction with windows authentication. I'm not sure you need the OWIN middleware when authenticating against AD.

public class MyAwesomeRoleProvider : RoleProvider
{
    public override void AddUsersToRoles(string[] usernames, string[] roleNames)
    {
        // i talk to my database via entityframework in here to add a user to a role.
    }

    // override all the methods for your own role provider
}

config file

<system.web>
    <authentication mode="Windows" />
    <roleManager enabled="true" defaultProvider="MyAwesomeRoleManager">
      <providers>
        <clear />
        <add name="MyAwesomeRoleManager" type="MyAwesomeNamespace.MyAwesomeRoleProvider" connectionStringName="MyAwesomeContext" applicationName="MyAwesomeApplication" />
      </providers>
    </roleManager>
</system.web>
like image 29
Michael Avatar answered Oct 06 '22 12:10

Michael