I cannot seem to get authorization to work with windows authentication.

Question

User178136826 posted

 I have an asp.net mvc application that I have created with VS 2013 express. I have deployed the application in IIS using windows authentication on a windows domain. I have tried using the authorization attribute on actions in my controller as in the example. Regardless of whether a user is in the supervisors group on the Dispatch domain or not they have access to this method. I have read several articles on this but I can't make it work.

[Authorize(Roles = "@Dispatch\Supervisors")]

public ActionResult RequestsHome()

        {

           return View();

        }

Answer 1

User1779161005 posted

Are you also using WebAPI in your project? Make sure this is the MVC [Authorize] and not the Web API [Authorize] -- you can tell by the different namespace it comes from.

Answer 2

User178136826 posted

I am not sure. I went to New Project>ASP.NET Web Application>MVC>ChangeAuthentication>WIndows Authentication.

Answer 3

User-1454326058 posted

Hi,

The value of Role should be @”Dispatch\Supervisors” instead of “@Dispatch\Supervisors”.

There are some links that may benefit you:

# Authenticating Users with Windows Authentication (C#)

http://www.asp.net/mvc/overview/older-versions-1/security/authenticating-users-with-windows-authentication-cs

# AuthorizationAttribute with Windows Authentication in MVC

http://www.squarewidget.com/authorizationattribute-with-windows-authentication-in-mvc-4

Regards

Starain

Answer 4

User178136826 posted

Thanks for your reply. Actually I made a typo when I made this post. When I checked my code, it was correct. The first link you suggested I had already visited but I went through it anyway. Interesting item, they do not use the @ in the authorize attribute. I tried changing my code to match theirs but it still lets everyone in. The second link may be a little advanced for me as I have only been using MVC for about 1.5 months. I will attempt it though but it seems like a lot of work for something that should just work from all of the articles I have read.. 

 In the article James mentions adding a class designing the system role constant. It is unclear to me where this class needs to be created.

 I also had the idea of creating another controller just for this one application where I need to restrict access and use NTFS permissions. So I did some testing and started removing the users listed on the NTFS security tab. Must work differently than I thought it did because I have removed everyone from the list and everyone can still access the controller.

Thanks again for your help! 

Answer 5

User-1454326058 posted

Hi,

The second article is used to custom authentication with special requirement.

Please check the current user’s role in the action.

# Roles.GetRolesForUser Method

https://msdn.microsoft.com/en-us/library/system.web.security.roles.getrolesforuser(v=vs.110).aspx

Regards

Starain