Authorize user based on active directory group

  • Question

  • I am developing a WCF service to expose SQL Server data and I have followed this blog - http://www.toplinestrategies.com/blogs/net/expose-sql-server-data-odata-endpoint-wcf-data-services

    Everything works as expected. Now I have to secure the web service with authorization based on AD group. Users belonging to specific Active Directory groups should be able to consume the service; otherwise the user should get access denied.

    One way I see to do this is to enable Windows Auth (HTTP 401 Challenge) and directly assign permission for the Active Directory group to the web service folder in inetpub. But I believe this is not the correct approach? In WCF, should we not secure service calls rather than files or folders? Also, we would like to have the names of the Active Directory groups (who should have access) easily configurable (web.config?)

    Please point me in the correct direction to achieve this. Examples or code snippets would be a huge help! Appreciate your time and help, Ty

    • Edited by Sampad Alam Tuesday, January 31, 2017 9:59 PM
    Tuesday, January 31, 2017 9:58 PM


  • I implemented this using web.config file. Posting the answer if it helps someone.

    In the web.config file, under the <system.web> node, we can maintain the AD groups that should have access in <authorization> by defining <allow> and <deny> nodes. Syntax below:

        <system.web>
          <compilation debug="true" targetFramework="4.5.2" />
          <httpRuntime targetFramework="4.5.2" />
          <!-- Authorize users: allow only members of the AD group, deny everyone else -->
          <authorization>
            <allow roles="Domain\NameOfTheGroup"/>
            <deny users="*"/>
          </authorization>
        </system.web>

    Here the .NET runtime will deny all other users except those who are present in the AD group listed in <allow>.

    • Marked as answer by Sampad Alam Wednesday, March 8, 2017 8:26 PM
    Wednesday, March 8, 2017 8:26 PM
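As an added example, not from the original thread: a custom ServiceAuthorizationManager that applies the same AD-group rule at the WCF operation level, so the check is on the service calls rather than the inetpub folder, while the group names stay configurable in web.config. The class name, the appSettings key and the assembly name in the comment are assumptions; the code needs a reference to System.Configuration.

```csharp
using System;
using System.Configuration;
using System.Linq;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical ServiceAuthorizationManager (not from the original thread). WCF calls
// CheckAccessCore for every operation, so the group check guards the service calls
// themselves instead of the inetpub folder. Assumed wiring in web.config:
//   <appSettings><add key="AllowedAdGroups" value="Domain\NameOfTheGroup;Domain\Other" /></appSettings>
//   <serviceBehaviors><behavior><serviceAuthorization
//       serviceAuthorizationManagerType="MyApp.AdGroupAuthorizationManager, MyApp" /></behavior></serviceBehaviors>
// Windows authentication must be enabled on the binding so WindowsIdentity is populated.
public class AdGroupAuthorizationManager : ServiceAuthorizationManager
{
    private readonly string[] allowedGroups;

    public AdGroupAuthorizationManager()
        : this(ConfigurationManager.AppSettings["AllowedAdGroups"]) { }

    // Second constructor so the list can be supplied directly (e.g. in unit tests).
    public AdGroupAuthorizationManager(string semicolonSeparatedGroups)
    {
        allowedGroups = (semicolonSeparatedGroups ?? string.Empty)
            .Split(';')
            .Select(g => g.Trim())
            .Where(g => g.Length > 0)
            .ToArray();
    }

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        ServiceSecurityContext ctx = operationContext.ServiceSecurityContext;
        // Fail closed: an unauthenticated or non-Windows caller gets no access.
        if (ctx == null || ctx.IsAnonymous || ctx.WindowsIdentity == null)
            return false;
        return IsMemberOfAllowedGroup(new WindowsPrincipal(ctx.WindowsIdentity));
    }

    // IsInRole matches "Domain\Group" against the group SIDs in the caller's token,
    // which already include nested group membership. Returning false makes WCF reject
    // the call with an access-denied fault, which is the behaviour the question asks for.
    public bool IsMemberOfAllowedGroup(IPrincipal principal)
    {
        return allowedGroups.Any(principal.IsInRole);
    }
}
```

Because the check runs inside WCF, it does not depend on ASP.NET URL authorization being applied to the service endpoint, and an empty or missing AllowedAdGroups value denies everyone rather than opening the service up.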