Authorization using active directory role provider MVC4

Roberto · Dec 20, 2013 · Viewed 19.4k times

I'm building an MVC4 application for internal use in a corporate environment. I use Windows authentication, which works fine, but I'm having trouble using Active Directory groups as roles for authorization.

My Web.config looks like this:

<authentication mode="Windows" />        
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
  <providers>
    <clear />
    <add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
  </providers>
</roleManager>        
<authorization>
  <deny users="?" />    
</authorization>

When I use User authorization it works fine:

[Authorize(Users = @"DOMAIN\User1, DOMAIN\User2")]
public ActionResult Create()
{
    return View();
}

But when I use roles, it just doesn't let users in that group access this action:

[Authorize(Roles = @"Domain\Group")]
public ActionResult Create()
{
    return View();
}

I also tried specifying the group without the domain as I read in other replies, but no luck... I guess I'm missing something in the Web.config, but I'm not sure what...

I was avoiding using a custom role provider because MVC4 is supposed to achieve this without a custom role provider (or at least that's what I thought).

Can anyone help me with this?

Thanks in advance!

Answer

Roberto · Jan 9, 2014

I found what the problem was. After reading some info about the machine.config here I checked that I had the correct configuration applied already.

Finally I got it working just like this:

[Authorize(Roles = "Domain\\Group")]
public ActionResult Create()
{
    return View();
}

The problem was the way I typed the groups.

I hope this can help other people.
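
When a `Roles = ...` check like the ones above denies a user who should be in the group, it helps to see the exact group names carried in that user's Windows token and compare them with the string in the attribute. The helper below is an added example, not code from the post; `RoleNameDiagnostics`, `GroupNames` and `Check` are hypothetical names, and `DOMAIN\Group` is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Added diagnostic helper (hypothetical names), not code from the original post.
public static class RoleNameDiagnostics
{
    // Returns the DOMAIN\Group names present in the caller's Windows token.
    public static IList<string> GroupNames(WindowsIdentity identity)
    {
        var names = new List<string>();
        if (identity == null || identity.Groups == null)
            return names; // not a Windows-authenticated request

        foreach (IdentityReference sid in identity.Groups)
        {
            try
            {
                // Translate the group SID to its DOMAIN\Name form.
                names.Add(sid.Translate(typeof(NTAccount)).Value);
            }
            catch (IdentityNotMappedException)
            {
                // SID without a resolvable name (e.g. a deleted group): keep the raw SID.
                names.Add(sid.Value);
            }
        }
        return names;
    }

    // Evaluates the same role string the [Authorize] attribute would use
    // and hands back the names actually seen, for side-by-side comparison.
    public static bool Check(IPrincipal user, string role, out IList<string> seen)
    {
        seen = GroupNames(user.Identity as WindowsIdentity);
        return user.IsInRole(role);
    }
}

// Usage inside a controller action (User is the controller's IPrincipal):
//   IList<string> seen;
//   bool ok = RoleNameDiagnostics.Check(User, @"DOMAIN\Group", out seen);
//   // @"DOMAIN\Group" and "DOMAIN\\Group" are the same string in C#;
//   // log 'ok' and 'seen' server-side and compare the spelling.
```

Group membership is read from the logon token, so a user who was just added to a group has to log on again before the new name shows up here. Keep the output in server-side logs rather than returning it to the browser, since it discloses directory group names.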