MVC5 Katana (OWIN) and Windows (NOT Azure) Cannot Use IsInRole or Authorize Attribute for Active Directory Groups

  • Question

  • User1566891176 posted

    I have an MVC5-based project for which my users can log in using forms authentication, but may also log in through a Windows account using a Windows login handler under Katana (OWIN).

    All components are the latest (OWIN -pre 3.0.0 alpha2).  The mixed authentication portion works fine.  But I cannot seem to get authorization based on AD groups to work.  So, specifically, where in the IIS or OWIN pipeline should I grab the AD attributes and apply them as roles and/or claims--or is this even possible?  At this time the Roles object is empty and the Claims only have the generic identity and provider claims that you'd expect.

    So, in short--I want to be able to assert Windows Active Directory roles (from an intranet perspective) on a user within a mixed-authentication environment. 


    Was able to get claims, as type groupsid, to come across if I enable authentication mode = "Windows" and set a property in the Application_Start for 

    AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.WindowsAccountName;

    The downside is that I get the nagging "Authentication Required" dialog that keeps popping up regardless of the credentials, but it seems to populate the Windows Identity and roles anyway (in Chrome at least--IE seems to lose it on page refresh)...

    Thanks in advance!



    Thursday, March 6, 2014 4:33 PM