
I'm developing an ASP.NET MVC 5 app with .NET Framework 4.5.1 and C#.

On web.config I have added this:

<authentication mode="Windows" />
<authorization>
  <deny users="?" />
</authorization>

And in the ASP.NET MVC Visual Studio project I have enabled Windows authentication and disabled Anonymous authentication.

This app will be used inside an Intranet, and I am confused because I have found this article, How To: Secure your ASP.NET MVC application and use Active Directory as the Membership Provider, and it says that I have to use a connection string to LDAP.

Is that necessary?

Now, when I try to enter the app I have to put my domain credentials and it works fine.

I ask this because I want to secure my controllers with Active Directory Groups and, on the same blog, here: How to use Active Directory groups to restrict access to controller actions in ASP.NET MVC and make your application even more secure!, it tells how to do it, but I'm not sure if I need to add an LDAP connection to my app.

VansFannel

1 Answer


You are confusing Windows authentication with Active Directory - the two do not necessarily go together. The article you have linked to describes how to connect Forms Authentication to Active Directory. For this option, you would re-enable anonymous authentication, and disable Windows authentication. Your MVC code would take the username and password and authenticate these against Active Directory. The advantage of this approach is that it will work on any browser, and from a computer not on Active Directory. It is simply using AD credentials, rather than Windows Authentication.

In Windows Authentication, the browser takes care of authenticating you with the current domain. Your MVC app will never see a password, and does not need to handle this information. With this approach, you may be limited by browser choice, and it definitely won't work from a computer not connected to your Active Directory. This answer describes an approach to using AD Groups with Windows Auth.

The main bit you still need to do is to enable the Windows role manager component, using the following in web.config:

<roleManager enabled="true" defaultProvider="WindowsProvider">
    <providers>
        <clear />
        <add name="WindowsProvider" type="System.Web.Security.WindowsTokenRoleProvider" />
    </providers>
</roleManager>

You should then be able to use the normal group membership checks, such as:

[Authorize(Roles = @"AD\GroupName")]

Or

if (User.IsInRole(@"AD\GroupName")) { ... }

Richard
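Putting the answer's pieces together in a controller, as an added example that is not part of the question or the answer: with Windows authentication plus the WindowsTokenRoleProvider, a failed role check from the stock AuthorizeAttribute returns 401, which makes the browser re-prompt an already signed-in domain user for credentials. The attribute below returns 403 instead when the caller is authenticated but not in the group, and the group names DOMAIN\IntranetUsers and DOMAIN\ReportAdmins are placeholders assumed for the example.

```csharp
using System.Web.Mvc;

// Returns 403 instead of 401 when the caller is authenticated but lacks the
// required AD group. With Windows authentication a 401 would make the browser
// start a new credential prompt, even though the user is already signed in.
public class AdGroupAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user != null && user.Identity != null && user.Identity.IsAuthenticated)
        {
            // Authenticated by IIS (Kerberos/NTLM), but not a member of Roles.
            filterContext.Result = new HttpStatusCodeResult(403, "Not a member of a permitted group");
            return;
        }
        // Not authenticated at all: keep the 401 so the browser can negotiate.
        base.HandleUnauthorizedRequest(filterContext);
    }
}

// Controller-level rule: every action requires the placeholder group
// DOMAIN\IntranetUsers (assumption, not a value from the question).
[AdGroupAuthorize(Roles = @"DOMAIN\IntranetUsers")]
public class ReportsController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    // Action-level rule: a tighter placeholder group for a destructive action.
    [AdGroupAuthorize(Roles = @"DOMAIN\ReportAdmins")]
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Delete(int id)
    {
        // Defence in depth: re-check inside the action before acting. The role
        // provider evaluates the Windows token's group membership; the app
        // never sees a password, only the identity IIS established.
        if (!User.IsInRole(@"DOMAIN\ReportAdmins"))
        {
            return new HttpStatusCodeResult(403);
        }
        string actor = User.Identity.Name; // e.g. DOMAIN\alice, useful for an audit log entry
        // ... delete report `id` on behalf of `actor` ...
        return RedirectToAction("Index");
    }
}
```

This relies on the roleManager/WindowsProvider configuration from the answer being present in web.config; without it, IsInRole falls back to the identity's own group lookup and the Roles checks may behave differently.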