Using Roles and Users together with [Authorize] attribute not working

  • Question

  • User882828011 posted
    I was asked to create an MVC application where I will have different authorizations for different AD groups and different users. For example, some of the controllers can only be accessed by some AD groups (ADMIN and SuperUsers). Some other controllers can be accessed by anyone with Windows credentials. So in my web.config I have an authorization rule which allows non-anonymous users to access most of my controllers. For controllers I wanted to restrict access to the ADMIN and SuperUsers groups, I decorated each of the controllers like this: [Authorize(Roles = "ADMIN, SuperUsers")]. Everything seems to work correctly, but now I would like to add a few users who are not part of ADMIN or SuperUsers to have access to the same controllers that ADMIN and SuperUsers have access to, so I decorated the controller like this: [Authorize(Roles = "ADMIN, SuperUsers", Users = "user1, user2")]. Here is where it is not working: user1 or user2 get a 401 error when trying to access those restricted controllers. So my question is, what did I do wrong? Thank you in advance. Keep in mind these are AD (Active Directory) users and groups.
    Wednesday, August 12, 2020 1:11 PM

All replies

  • User882828011 posted
    This is what I tried:

    This works, since myaccount is me:
        [Authorize(Users = "mydomain\\myaccount")]

    This does not work because I am not in any of those groups, which is understandable:
        [Authorize(Roles = "mydomain\\ADMIN, mydomain\\SuperUsers")]

    This should have worked but it did not, and I don't know why:
        [Authorize(Roles = "mydomain\\ADMIN, mydomain\\SuperUsers", Users = "mydomain\\myaccount")]

    Can some experts tell me why the third scenario did not work?
    Wednesday, August 12, 2020 2:41 PM
  • User882828011 posted
    Anyone? Any suggestions?
    Wednesday, August 12, 2020 4:14 PM
  • User882828011 posted
    Implementing a custom role provider for Active Directory did not help, and I don't think I need it. I think I didn't explain my issue clearly, so let me try again. If I have the following in my web.config, then the site works correctly: everything is available to the defined roles and users, and I have access to the site because I (myaccount) am listed as a user. If I remove myself (delete this entry: <allow users="mydomain\myaccount"/>), then I get a 401 access denied error. So everything is good, but there are controllers in my site that are not available to the ADMIN and SuperUsers groups and 5 additional users, who are not in the ADMIN and SuperUsers groups, and I am one of those users.

        <authentication mode="Windows" />
        <authorization>
          <allow roles="mydomain\ADMIN"/>
          <allow roles="mydomain\SuperUsers"/>
          <allow users="mydomain\myaccount"/>
          <deny users="*"/>
        </authorization>

    So I changed my web.config to look like below:

        <authorization>
          <deny users="?" />
        </authorization>

    And I decorated the controllers that are only available to the ADMIN and SuperUsers groups and the 5 additional users like below. I would expect DataAssignment to be available to me, but instead I get a 401 error, and this is my problem that I don't know why. ONLY the Users part does not seem to work.

        [Authorize(Roles = "mydomain\\ADMIN, mydomain\\SuperUsers", Users = "mydomain\\myaccount, mydomain\\user, mydomain\\user2, mydomain\\user3, mydomain\\user4")]
        public class DataAssignmentController : Controller
        {
        }

    I am in the hot seat to have this problem fixed, but I can't seem to explain why it happens or what the fix is. Much appreciated.
    Thursday, August 13, 2020 5:11 PM
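Why the third attribute in the thread fails, and one way around it, as an added example that is not part of the original posts: in ASP.NET MVC 5 the built-in System.Web.Mvc.AuthorizeAttribute.AuthorizeCore evaluates the Users list and the Roles list as two separate gates that must both pass, so a caller who is listed in Users but is not a member of any listed Role is rejected with 401. The web.config <allow users="..."/> and <allow roles="..."/> rules, by contrast, are evaluated first-match, which is why the same account worked there. The subclass below keeps the built-in comma-split parsing but grants access on a user match OR a role match. It assumes ASP.NET MVC 5 (System.Web.Mvc) with Windows authentication; the attribute name AuthorizeUsersOrRolesAttribute and the IsAllowed helper are my own, and the domain, group and account names are the hypothetical ones from the posts.

```csharp
// Added example, not code from the forum thread. Target: ASP.NET MVC 5 (System.Web.Mvc).
// Grants access when the caller matches EITHER the Users list OR one of the Roles,
// mirroring first-match <allow> rules in web.config. The stock AuthorizeAttribute
// requires BOTH lists to match, which is what produced the 401 in the thread.
using System;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
public sealed class AuthorizeUsersOrRolesAttribute : AuthorizeAttribute
{
    // Decision logic kept free of HttpContext so it can be checked with a
    // GenericPrincipal outside IIS (see the self-check at the bottom).
    public static bool IsAllowed(IPrincipal user, string users, string roles)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        string[] userList = Split(users);
        string[] roleList = Split(roles);

        // With neither list set this behaves like plain [Authorize]:
        // any authenticated caller passes.
        if (userList.Length == 0 && roleList.Length == 0)
            return true;

        // Windows authentication reports Identity.Name as "DOMAIN\account";
        // compare case-insensitively, as the built-in attribute does.
        bool userMatch = userList.Contains(user.Identity.Name, StringComparer.OrdinalIgnoreCase);

        // WindowsPrincipal.IsInRole resolves "DOMAIN\Group" against the token's group SIDs.
        bool roleMatch = roleList.Any(user.IsInRole);

        return userMatch || roleMatch;
    }

    // Only the core check is overridden; the base class still handles the
    // unauthorized result and the output-cache validation callback.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");
        return IsAllowed(httpContext.User, Users, Roles);
    }

    // Same splitting rule as the built-in attribute: comma-separated, trimmed,
    // empty entries dropped, so "ADMIN, SuperUsers" is two roles.
    private static string[] Split(string value)
    {
        if (string.IsNullOrEmpty(value)) return new string[0];
        return value.Split(',')
                    .Select(s => s.Trim())
                    .Where(s => s.Length > 0)
                    .ToArray();
    }
}

// Usage on the controller from the thread (hypothetical names from the posts):
//
// [AuthorizeUsersOrRoles(
//     Roles = "mydomain\\ADMIN, mydomain\\SuperUsers",
//     Users = "mydomain\\myaccount, mydomain\\user1")]
// public class DataAssignmentController : Controller { }
//
// Self-check outside IIS, using a GenericPrincipal with no roles as a stand-in
// for the WindowsPrincipal that Windows authentication would supply:
//
// var me = new GenericPrincipal(new GenericIdentity("mydomain\\myaccount"), new string[0]);
// bool ok = AuthorizeUsersOrRolesAttribute.IsAllowed(me, "mydomain\\myaccount", "mydomain\\ADMIN");
// // ok is true here; the stock attribute returns false for the same inputs
// // because the caller is not in mydomain\ADMIN.
```

Two caveats before adopting this. Every name in Users becomes a standing exception to group-based control that lives in source code rather than in AD, so the cleaner fix is usually to create a dedicated AD group for those five accounts and list only roles. And because the base attribute also feeds its result into output-cache validation, keep the override limited to AuthorizeCore as shown; overriding OnAuthorization and skipping the base call would let a cached response be served to a caller the check would have rejected.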