I’m working in a Windows environment, where I want to authenticate users using a Windows Security Group. For example, foo\mstum is in the group foo\users and I want to tell ASP.net to only allow users in foo\users to access the site.
This is usually simple, just add this in
<authorization>
  <allow roles="foo\users" />
  <deny users="*" />
</authorization>
Now, there are two problems with this when using a modern (that is, ASP.net MVC 4 or 5 or Web API) application: It doesn’t work.
The solution is to add an appSetting that disables Simple Membership:
<appSettings>
  <add key="enableSimpleMembership" value="false"/>
</appSettings>
Now ASP.net is back to the previous behavior of using the System.Web.Security.WindowsTokenRoleProvider which does support Windows Groups.
There is a second gotcha though: It seems that the WindowsTokenRoleProvider does not support Universal Security Groups. In my tests, only Global or Domain Local security groups showed up when calling GetRolesForUser. I have not found out why that is and if there is a way to have it support Universal Security Groups. Do note that Distribution Groups (“Mailing Lists”) are not supported in any case.
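To see which groups are affected by the second gotcha, the helper below compares the groups in the user's Windows access token with what the role provider returns. It is an added example, not code from the original post. The class and method names are hypothetical, and it assumes it is called during a request with Windows authentication, passing `User.Identity as WindowsIdentity`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web.Security;

// Added diagnostic example (hypothetical names), not part of the original post.
public static class GroupDiagnostics
{
    // Group names carried in the user's Windows access token.
    public static IList<string> TokenGroups(WindowsIdentity identity)
    {
        var names = new List<string>();
        if (identity.Groups == null) return names;
        foreach (IdentityReference sid in identity.Groups)
        {
            try
            {
                names.Add(sid.Translate(typeof(NTAccount)).Value);
            }
            catch (IdentityNotMappedException)
            {
                // SID with no resolvable account name: keep the raw SID string.
                names.Add(sid.Value);
            }
        }
        return names;
    }

    // Roles reported by the configured role provider, or an empty list
    // when the role manager feature is not enabled.
    public static IList<string> ProviderRoles(string userName)
    {
        return Roles.Enabled ? Roles.GetRolesForUser(userName) : new string[0];
    }

    // Groups present in the token that the role provider did not return.
    // Names are compared case-insensitively.
    public static IList<string> MissingFromProvider(WindowsIdentity identity)
    {
        var roles = new HashSet<string>(
            ProviderRoles(identity.Name), StringComparer.OrdinalIgnoreCase);
        return TokenGroups(identity).Where(g => !roles.Contains(g)).ToList();
    }
}
```

Log the result of `MissingFromProvider` for a test account before relying on a group in an `<allow roles="..." />` rule; a group that appears there is one the role provider did not report for that user.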