I have a small project, built using Visual Studio 2013, .NET 4.5, MVC 5, and EF 6. I created it using Windows authentication, but now I need to check for membership in an Active Directory group to allow or deny access.
I've gone down many VERY deep rabbit holes, attempting to find out how to do this. At first I presumed that I would need to change the project to use "On-Premises" authentication. However, I have found that:
So, assuming that #3 is true, I tried reading numerous posts about this, but they seem to fall into two basic groups:
Assuming that #1 is the way to go, here's my most recent attempt.
In my controller, I have:
[Authorize(Roles=@"SomeDomain\\SomeGroup")]
public class SomeController : Controller
In my Web.config file, I have:
<system.web>
  <authentication mode="Windows" />
  <authorization>
    <deny users="?" />
  </authorization>
  <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
    <providers>
      <clear/>
      <add name="AspNetWindowsTokenRoleProvider"
           type="System.Web.Security.WindowsTokenRoleProvider"
           applicationName="/" />
    </providers>
  </roleManager>
</system.web>
<system.serviceModel>
  <behaviors>
    <serviceBehaviors>
      <behavior name="BehaviorConfiguration">
        <serviceAuthorization
            principalPermissionMode="UseAspNetRoles"
            roleProviderName="AspNetWindowsTokenRoleProvider" />
        <serviceMetadata />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
When I try to access the page, I am instead prompted to log in. After entering my login ID and password, I continue to receive the login prompt. I am not allowed to get to the page.
I don't have anything anywhere telling my application where the Active Directory server is, but the impression I get is that Windows already knows that (since, when I log in to Windows, it accesses the Active Directory server to authenticate me).
Am I missing something? Or am I wrong in assuming that this can be done without writing custom code?
Caveat: I'm fairly new to .NET, MVC, etc, having come from the Java world, so please use small words. :-)
I found the problem. What I had above was correct, except I had TWO backslashes between the domain name and the role name, rather than one. The fix was just changing it to this:
[Authorize(Roles=@"SomeDomain\SomeGroup")]
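To see why the doubled backslash fails silently, here is an added diagnostic (example code, not from the question or the answer above) that does what AspNetWindowsTokenRoleProvider and [Authorize(Roles=...)] do under the hood: it calls WindowsPrincipal.IsInRole with both spellings against the current user's logon token and then lists the groups actually present in that token. "SomeDomain\SomeGroup" is the placeholder from the post; substitute a real group, and run it as the Windows account that is being denied by the site.

```csharp
// Added example: reproduces the role check behind [Authorize(Roles=...)]
// with Windows authentication. Not part of the original post.
using System;
using System.Security.Principal;

class RoleCheck
{
    // The two spellings from the question. Inside a verbatim @"..." string a
    // backslash is literal, so the first constant really contains TWO
    // backslashes and names a group that cannot exist.
    // "SomeDomain\SomeGroup" is a placeholder; use a real DOMAIN\Group.
    const string Wrong = @"SomeDomain\\SomeGroup";
    const string Right = @"SomeDomain\SomeGroup";

    // Same check the role provider performs: IsInRole(string) resolves the
    // NTAccount name to a SID and looks for that SID in the logon token.
    // A name that does not resolve (the double-backslash one) just yields
    // false; nothing is thrown, which is why MVC answers 401 and the
    // browser keeps re-issuing the Windows-auth prompt instead of showing
    // a useful error.
    static bool UserIsInGroup(WindowsIdentity id, string groupName)
    {
        var principal = new WindowsPrincipal(id);
        return principal.IsInRole(groupName);
    }

    static void Main()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();

        Console.WriteLine("Running as: " + id.Name);
        Console.WriteLine("Wrong literal ({0} chars): {1}", Wrong.Length, Wrong);
        Console.WriteLine("Right literal ({0} chars): {1}", Right.Length, Right);
        Console.WriteLine("IsInRole(Wrong) = " + UserIsInGroup(id, Wrong));
        Console.WriteLine("IsInRole(Right) = " + UserIsInGroup(id, Right));

        // If the correctly spelled group is also false, confirm the group is
        // in the token at all. Membership added after logon only shows up in
        // a fresh token (new logon, or for IIS a recycled app pool / new
        // browser session), and the lookup needs the domain to be reachable.
        Console.WriteLine("Groups in this token:");
        foreach (IdentityReference g in id.Groups)
        {
            try
            {
                Console.WriteLine("  " + g.Translate(typeof(NTAccount)).Value);
            }
            catch (IdentityNotMappedException)
            {
                // Orphaned or foreign SID; print it raw rather than failing.
                Console.WriteLine("  " + g.Value + " (SID not resolvable)");
            }
        }
    }
}
```

Compile it with csc.exe (it needs only mscorlib) and run it under the account that gets the login loop: IsInRole(Wrong) is always false, and IsInRole(Right) is true only when the group's SID is in the token, which is exactly the condition [Authorize(Roles=@"SomeDomain\SomeGroup")] enforces.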