Windows Authentication with Active Directory Groups

I have a small project, built using Visual Studio 2013, .NET 4.5, MVC 5, and EF 6. I created it using Windows authentication, but now I need to check for membership in an Active Directory group to allow or deny access.

I've gone down many VERY deep rabbit holes, attempting to find out how to do this. At first I presumed that I would need to change the project to use "On-Premises" authentication. However, I have found that:

  1. There apparently isn't a way in VS 2013 to change the type of authentication that a project uses (other than manually editing some files).
  2. There isn't any documentation yet explaining how to set up "On-Premises" authentication. (Really? How is that possible?)
  3. In any case, what I need isn't "On-Premises" authentication at all, since that is just for Windows Identity Federation services (or something like that). What I should be using instead is just Windows Authentication with ASP.NET roles, which Windows apparently gets from Active Directory groups when I log in.

So, assuming that #3 is true, I tried reading numerous posts about this, but they seem to fall into two basic groups:

  1. Straightforward, simple methods, which I can't get to work, probably because they assume some knowledge that I don't have.
  2. Complex, custom-coded methods, which I suspect are doing through code what can probably be done in a code-free method.

Assuming that #1 is the way to go, here's my most recent attempt.

In my controller, I have:

[Authorize(Roles=@"SomeDomain\\SomeGroup")]
public class SomeController : Controller

In my Web.config file, I have:

  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
    </authorization>
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
      <providers>
        <clear/>
        <add name="AspNetWindowsTokenRoleProvider"
             type="System.Web.Security.WindowsTokenRoleProvider"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="BehaviorConfiguration">
          <serviceAuthorization
               principalPermissionMode="UseAspNetRoles"
               roleProviderName="AspNetWindowsTokenRoleProvider" />
          <serviceMetadata />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>

When I try to access the page, I am instead prompted to log in. After entering my login ID and password, I continue to receive the login prompt. I am not allowed to get to the page.

I don't have anything anywhere telling my application where the Active Directory server is, but the impression I get is that Windows already knows that (since, when I log in to Windows, it accesses the Active Directory server to authenticate me).

Am I missing something? Or am I wrong in assuming that this can be done without writing custom code?

Caveat: I'm fairly new to .NET, MVC, etc., having come from the Java world, so please use small words. :-)

Wally Hartshorn asked Feb 11 '14 22:02

1 Answer

I found the problem. What I had above was correct, except I had TWO backslashes between the domain name and the role name, rather than one. The fix was just changing it to this:

[Authorize(Roles=@"SomeDomain\SomeGroup")]
Wally Hartshorn answered Sep 20 '22 18:09

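The following is an added example, not code from the question or the answer above. It shows the three string literals that look alike in source but differ in how many backslashes they contain (the cause of the failure described above), a small check for a well-formed `DOMAIN\Group` role name, and a diagnostic MVC action that lists the group names Windows actually supplied for the caller, so the value in `[Authorize(Roles=...)]` can be compared against real group names rather than guessed. It assumes ASP.NET MVC 5 with `<authentication mode="Windows" />` as in the question; the `WhoAmIController` and `RoleNameCheck` names are hypothetical.

```csharp
// Added example (not from the original question or answer). Assumes ASP.NET MVC 5
// with Windows authentication; controller and helper names are hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web.Mvc;

public static class RoleNameCheck
{
    // The three literal forms that look similar in source code:
    public static readonly string Verbatim = @"SomeDomain\SomeGroup";  // one backslash   -> correct
    public static readonly string Escaped  = "SomeDomain\\SomeGroup";  // one backslash   -> correct
    public static readonly string Doubled  = @"SomeDomain\\SomeGroup"; // two backslashes -> wrong

    // A Windows role name must be DOMAIN\Group with exactly one backslash.
    // With two backslashes, IsInRole compares against a group that does not exist,
    // the Authorize filter returns 401, and IIS turns that into another login prompt.
    public static bool IsWellFormed(string roleName)
    {
        if (string.IsNullOrWhiteSpace(roleName)) return false;
        int backslashes = roleName.Count(c => c == '\\');
        return backslashes == 1
            && !roleName.StartsWith("\\")
            && !roleName.EndsWith("\\");
    }
}

[Authorize] // any authenticated Windows user may reach the diagnostic action
public class WhoAmIController : Controller
{
    // GET /WhoAmI/Groups -- lists the caller's own group names in the
    // DOMAIN\Group form that [Authorize(Roles = ...)] expects.
    public ActionResult Groups()
    {
        var identity = User.Identity as WindowsIdentity;
        if (identity == null || identity.Groups == null)
            return Content("Not a Windows identity; check <authentication mode=\"Windows\" />.", "text/plain");

        var names = new List<string>();
        foreach (var sid in identity.Groups)
        {
            try
            {
                // Translate the group SID into DOMAIN\Name (or BUILTIN\Name for local groups).
                names.Add(sid.Translate(typeof(NTAccount)).Value);
            }
            catch (IdentityNotMappedException)
            {
                names.Add(sid.Value); // no resolvable name for this SID; keep the raw SID
            }
        }
        names.Sort(StringComparer.OrdinalIgnoreCase);

        return Content(identity.Name + Environment.NewLine
                       + string.Join(Environment.NewLine, names), "text/plain");
    }
}

// A controller restricted to one AD group, written with a single backslash.
[Authorize(Roles = @"SomeDomain\SomeGroup")]
public class SomeController : Controller
{
    public ActionResult Index()
    {
        // Reaching this point means Windows authenticated the caller and the
        // role check against SomeDomain\SomeGroup passed.
        return Content("Hello, " + User.Identity.Name, "text/plain");
    }
}
```

With Windows authentication the `Authorize` filter answers a failed role check with HTTP 401, and the browser responds to 401 by prompting for credentials again, which is exactly the endless login prompt described in the question; `/WhoAmI/Groups` makes it possible to tell "not authenticated" apart from "authenticated but not in the group" before touching `Web.config`.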