I cannot seem to get authorization to work with windows authentication. RRS feed

  • Question

  • User178136826 posted

     I have an asp.net mvc application that I have created with VS 2013 express. I have deployed the application in IIS using windows authentication on a windows domain. I have tried using the authorization attribute on actions in my controller as in the example. Regardless of whether a user is in the supervisors group on the Dispatch domain or not they have access to this method. I have read several articles on this but I can't make it work.

    [Authorize(Roles = "@Dispatch\Supervisors")]

    public ActionResult RequestsHome()


               return View();


    Tuesday, February 10, 2015 3:12 PM


All replies

  • User1779161005 posted

    Are you also using WebAPI in your project? Make sure this is the MVC [Authorize] and not the Web API [Authorize] -- you can tell by the different namespace it comes from.

    Tuesday, February 10, 2015 3:14 PM
  • User178136826 posted

    I am not sure. I went to New Project>ASP.NET Web Application>MVC>ChangeAuthentication>WIndows Authentication.

    Tuesday, February 10, 2015 3:27 PM
  • User-1454326058 posted


    The value of Role should be @”Dispatch\Supervisors” instead of “@Dispatch\Supervisors”.

    There are some links that may benefit you:

    # Authenticating Users with Windows Authentication (C#)


    # AuthorizationAttribute with Windows Authentication in MVC




    Wednesday, February 11, 2015 2:49 AM
  • User178136826 posted

    Thanks for your reply. Actually I made a typo when I made this post. When I checked my code, it was correct. The first link you suggested I had already visited but I went through it anyway. Interesting item, they do not use the @ in the authorize attribute. I tried changing my code to match theirs but it still lets everyone in. The second link may be a little advanced for me as I have only been using MVC for about 1.5 months. I will attempt it though but it seems like a lot of work for something that should just work from all of the articles I have read.. 

     In the article James mentions adding a class designing the system role constant. It is unclear to me where this class needs to be created.

     I also had the idea of creating another controller just for this one application where I need to restrict access and use NTFS permissions. So I did some testing and started removing the users listed on the NTFS security tab. Must work differently than I thought it did because I have removed everyone from the list and everyone can still access the controller.

    Thanks again for your help! 

    Wednesday, February 11, 2015 9:30 AM
  • User-1454326058 posted


    The second article is used to custom authentication with special requirement.

    Please check the current user’s role in the action.

    # Roles.GetRolesForUser Method




    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, February 11, 2015 10:05 PM