using windows authentication with active directory groups as roles

I've read several questions on this topic, such as here, here, here and here; but none have provided a working solution in my case.

What I want to do:

Implement Windows authentication for a web app that is only used by our own employees. This way they should not need to log into the app, but already be authenticated by way of having logged into windows.

Also, I need to restrict certain areas of the app, based on Active Directory Security Groups that the user may be assigned to.

So I want to be able to decorate Controllers / Actions with

[Authorize(Roles="SomeRole")] 

What I've tried:

I have

<authentication mode="Windows" /> 

in my web.config. And I have added several permutations of a <roleManager> as found in some of the posts linked to above. Currently I have this role manager

<roleManager defaultProvider="WindowsProvider" enabled="true" cacheRolesInCookie="false">
  <providers>
    <add name="WindowsProvider" type="System.Web.Security.WindowsTokenRoleProvider" />
  </providers>
</roleManager>

as found in this post.

As it is, if I decorate a controller with [Authorize], I can access it fine.

However:

I can see in my user settings on the network that I am part of an AD security group called "IT". But if I decorate the same controller with [Authorize(Roles="IT")] I get the blank screen that is served by the asp.net development server for a 401 not authorized. This is unexpected. I would think that I should be able to view the page as I am logged in to Windows and am part of the group "IT".

Most everything I am finding on this topic makes it sound very simple to accomplish what I'm trying to do, but I am clearly missing something here.

Forty-Two asked Dec 07 '12 16:12



1 Answer

For dev I am using IISExpress with development server properties of the MVC project set up so that Anonymous Authentication is Disabled and Windows Authentication is Enabled. The web config is deployed using our TFS build server to test and release servers for which authentication is also setup as above and works in those locations as well.

In my web.config I have:

<system.web>
  ....
  <authentication mode="Windows" />
  <authorization>
    <deny users="?" />
  </authorization>
  <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
    <providers>
      <clear />
      <add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
    </providers>
  </roleManager>
  ....
</system.web>

I can use

[Authorize(Roles = @"DOMAIN\ADGroup")]
public ActionResult Index() { ... }

or

public ActionResult Index()
{
    var User = System.Web.HttpContext.Current.User;
    if (User.IsInRole("DOMAIN\\ADGroup"))
    {
        return RedirectToAction("IRSAdmin");
    }
    return View();
}

After I remembered to log off and log back in so the permissions I was given through the AD group were applied.

ozhug answered Oct 24 '22 04:10
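A diagnostic that shows which group names are actually present in the caller's Windows token, and therefore which strings a [Authorize(Roles = ...)] check can match; this is an added example, not code from the question or the answer. It assumes the web.config from the answer, a hypothetical controller named WhoAmIController, and "DOMAIN" as a placeholder for the domain's NetBIOS name.

```csharp
using System.Security.Principal;
using System.Text;
using System.Web.Mvc;

// Hypothetical diagnostic controller (not from the question or answer).
// It lists the group names carried in the caller's Windows logon token,
// which are the names WindowsTokenRoleProvider matches roles against.
public class WhoAmIController : Controller
{
    public ActionResult Index()
    {
        var identity = User.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            // Reached only if Windows authentication is not in effect
            // (anonymous access still enabled, or mode is not "Windows").
            return new HttpStatusCodeResult(403, "No authenticated Windows identity");
        }

        var sb = new StringBuilder();
        sb.AppendLine("User: " + identity.Name);   // e.g. DOMAIN\jdoe
        sb.AppendLine("Groups in logon token:");
        foreach (var group in identity.Groups)
        {
            string name;
            try
            {
                // Translate the SID to its NT account name, e.g. DOMAIN\IT.
                name = group.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                name = group.Value;   // SID that cannot be resolved: show it raw
            }
            sb.AppendLine("  " + name);
        }

        // The role check behind [Authorize(Roles = ...)] uses the qualified name.
        // "DOMAIN" is a placeholder for the real domain's NetBIOS name.
        sb.AppendLine("IsInRole(DOMAIN\\IT): " + User.IsInRole(@"DOMAIN\IT"));
        return Content(sb.ToString(), "text/plain");
    }
}
```

If a group that AD shows you as a member of is absent from this list, the token was issued before the membership change, which is the log-off-and-back-on situation the answer describes.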