16

I'm building an MVC4 application for internal use in a corporate environment. I use Windows authentication, which works fine, but I'm having trouble using Active Directory groups as roles for authorization.

My Web.config looks like this:

<authentication mode="Windows" />        
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
  <providers>
    <clear />
    <add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
  </providers>
</roleManager>        
<authorization>
  <deny users="?" />    
</authorization>

When I use User authorization it works fine:

[Authorize(Users = @"DOMAIN\User1, DOMAIN\User2")]
public ActionResult Create()
{
    return View();
}

But when I use roles, it just doesn't let users in that group access this action:

[Authorize(Roles = @"Domain\Group")]
public ActionResult Create()
{
    return View();
}

I also tried specifying the group without the domain as I read in other replies, but no luck... I guess I'm missing something in the Web.config, but I'm not sure what...

I was avoiding using a custom role provider because MVC4 is supposed to achieve this without a custom role provider (or at least that's what I thought).

Can anyone help me with this?

Thanks in advance!

Roberto

1 Answer

20

I found what the problem was. After reading some info about the machine.config here, I checked that I already had the correct configuration applied.

Finally I got it working just like this:

[Authorize(Roles = "Domain\\Group")]
public ActionResult Create()
{
    return View();
}

The problem was the way I typed the groups.

I hope this can help other people.

Roberto
  • Ah, double backslash!! I've been working on this for hours - Cheers –  Feb 28 '14 at 10:43
  • 2
    @D.Mac - It's standard C# string formatting/escaping: "Domain\\Group" or @"Domain\Group". https://msdn.microsoft.com/en-us/library/aa691090(v=vs.71).aspx – Tedd Hansen Feb 25 '15 at 12:45
  • 3
    Yes, the backslash cannot be the reason or the semantic difference, as it is only a syntactic matter – Lzh Mar 04 '15 at 07:55
  • I manage this a bit differently now, using a custom role provider which overrides the WindowsTokenRoleProvider class, but the way it is used is exactly the same. I'd look for errors in the configuration of your IIS, having enabled Windows Authentication and the correct providers (usually NTLM, but it can be different in your environment). Other questions to be able to answer this would be: Is the user authenticating correctly? – Roberto Oct 13 '15 at 09:41
  • Nope this doesn't work for me either. Same exact problem. Only users seems to work. Ugh this is such a ridiculously stupid problem that nobody seems to know the answer to. – Nathan McKaskle Jan 02 '18 at 19:16
  • is the web.config entry necessary for mvc 5? – n00b Jan 10 '18 at 19:49
  • +n00b Yes, you have to specify your Role provider in web.config. – Roberto Jan 11 '18 at 20:20
  • If in a cross-domain environment and you want to use the current domain, omit Domain: "\\Group" or @"\Group" – Ivan Temchenko Jul 16 '18 at 13:10
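
A diagnostic action for the situation discussed in this thread, added here as an example and not code from the question, answer or comments: it shows the caller which group names their Windows token actually carries and what `User.IsInRole` returns for the role string being tested. The controller name `RoleCheckController` and the `DOMAIN\Group` value are placeholders.

```csharp
using System.Security.Principal;
using System.Text;
using System.Web.Mvc;

// Hypothetical diagnostic controller; remove it once the role check works.
public class RoleCheckController : Controller
{
    // Constructed sample value: use the string you pass to [Authorize(Roles = ...)].
    private const string RoleUnderTest = @"DOMAIN\Group";

    [Authorize] // any authenticated user; output covers only the caller's own token
    public ActionResult Index()
    {
        var sb = new StringBuilder();
        // With roleManager enabled this is normally System.Web.Security.RolePrincipal.
        sb.AppendLine("Principal type: " + User.GetType().FullName);
        sb.AppendLine("Name: " + User.Identity.Name);
        sb.AppendLine("IsInRole(" + RoleUnderTest + "): " + User.IsInRole(RoleUnderTest));
        // Escaped and verbatim literals compile to the same string, so this is True.
        sb.AppendLine("Literals equal: " + ("DOMAIN\\Group" == @"DOMAIN\Group"));

        var identity = User.Identity as WindowsIdentity;
        if (identity == null || identity.Groups == null)
        {
            sb.AppendLine("No Windows token: check that Windows Authentication is enabled in IIS.");
            return Content(sb.ToString(), "text/plain");
        }

        sb.AppendLine("Groups in the token:");
        foreach (IdentityReference sid in identity.Groups)
        {
            string name;
            try
            {
                // Resolve the SID to DOMAIN\Name form, the form the role string must match.
                name = sid.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                // SIDs that cannot be resolved are listed raw instead of failing the request.
                name = "(unresolved) " + sid.Value;
            }
            sb.AppendLine("  " + name);
        }
        return Content(sb.ToString(), "text/plain");
    }
}
```

If the expected group is missing from the list, the problem lies in the token or group membership, not in the `[Authorize]` attribute; group changes only appear in the token after the user logs on again.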