I cannot seem to get authorization to work with Windows authentication.

  • Question

  • User178136826 posted

    I have an ASP.NET MVC application that I have created with VS 2013 Express. I have deployed the application in IIS using Windows authentication on a Windows domain. I have tried using the authorization attribute on actions in my controller as in the example. Regardless of whether a user is in the supervisors group on the Dispatch domain or not, they have access to this method. I have read several articles on this but I can't make it work.

        [Authorize(Roles = "@Dispatch\Supervisors")]
        public ActionResult RequestsHome()
        {
            return View();
        }

    Tuesday, February 10, 2015 3:12 PM

All replies

  • User1779161005 posted

    Are you also using WebAPI in your project? Make sure this is the MVC [Authorize] and not the Web API [Authorize] -- you can tell by the different namespace it comes from.

    Tuesday, February 10, 2015 3:14 PM
  • User178136826 posted

    I am not sure. I went to New Project > ASP.NET Web Application > MVC > Change Authentication > Windows Authentication.

    Tuesday, February 10, 2015 3:27 PM
  • User-1454326058 posted

    Hi,

    The value of Role should be @"Dispatch\Supervisors" instead of "@Dispatch\Supervisors".

    There are some links that may benefit you:

    # Authenticating Users with Windows Authentication (C#)

    http://www.asp.net/mvc/overview/older-versions-1/security/authenticating-users-with-windows-authentication-cs

    # AuthorizationAttribute with Windows Authentication in MVC

    http://www.squarewidget.com/authorizationattribute-with-windows-authentication-in-mvc-4

    Regards

    Starain

    Wednesday, February 11, 2015 2:49 AM
  • User178136826 posted

    Thanks for your reply. Actually I made a typo when I made this post. When I checked my code, it was correct. The first link you suggested I had already visited but I went through it anyway. Interesting item, they do not use the @ in the authorize attribute. I tried changing my code to match theirs but it still lets everyone in. The second link may be a little advanced for me as I have only been using MVC for about 1.5 months. I will attempt it though, but it seems like a lot of work for something that should just work from all of the articles I have read.

     In the article James mentions adding a class designing the system role constant. It is unclear to me where this class needs to be created.

     I also had the idea of creating another controller just for this one application where I need to restrict access and use NTFS permissions. So I did some testing and started removing the users listed on the NTFS security tab. Must work differently than I thought it did because I have removed everyone from the list and everyone can still access the controller.

    Thanks again for your help! 

    Wednesday, February 11, 2015 9:30 AM
  • User-1454326058 posted

    Hi,

    The second article is used to customize authentication for special requirements.

    Please check the current user’s role in the action.

    # Roles.GetRolesForUser Method

    https://msdn.microsoft.com/en-us/library/system.web.security.roles.getrolesforuser(v=vs.110).aspx

    Regards

    Starain

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, February 11, 2015 10:05 PM
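
The checks suggested in the replies above, combined into one controller as an added example that is not code from any poster in this thread. The controller name `RequestsController` and the `WhoAmI` action are hypothetical; it lists groups through `WindowsIdentity.Groups` rather than the linked `Roles.GetRolesForUser`, so it does not depend on role manager configuration.

```csharp
using System.Security.Principal;
using System.Text;
using System.Web.Mvc;

public class RequestsController : Controller   // hypothetical controller name
{
    // Verbatim string: the @ sits outside the quotes and the backslash is literal.
    private const string SupervisorsRole = @"Dispatch\Supervisors";

    // Fully qualified so the MVC attribute is applied, not System.Web.Http.AuthorizeAttribute.
    [System.Web.Mvc.Authorize(Roles = SupervisorsRole)]
    public ActionResult RequestsHome()
    {
        return View();
    }

    // Hypothetical diagnostic action: reports what the server sees for the caller.
    // Remove it once the cause has been found.
    public ActionResult WhoAmI()
    {
        var sb = new StringBuilder();
        sb.AppendLine("IsAuthenticated: " + User.Identity.IsAuthenticated);
        sb.AppendLine("AuthenticationType: " + User.Identity.AuthenticationType);
        sb.AppendLine("Name: " + User.Identity.Name);
        sb.AppendLine("IsInRole(" + SupervisorsRole + "): " + User.IsInRole(SupervisorsRole));

        var windowsIdentity = User.Identity as WindowsIdentity;
        if (windowsIdentity == null || windowsIdentity.Groups == null)
        {
            sb.AppendLine("The identity is not a WindowsIdentity with group information.");
        }
        else
        {
            foreach (IdentityReference sid in windowsIdentity.Groups)
            {
                string name;
                try { name = sid.Translate(typeof(NTAccount)).Value; }   // e.g. DOMAIN\Group
                catch (IdentityNotMappedException) { name = sid.Value; } // SID with no resolvable name
                sb.AppendLine("Group: " + name);
            }
        }
        return Content(sb.ToString(), "text/plain");
    }
}
```

Browsing to `WhoAmI` as a user who should be denied shows whether the request is authenticated at all and the exact `DOMAIN\Group` strings the role name in `[Authorize]` has to match.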