Windows Group Authentication and MVC 4/5/Web API problems

I'm working in a Windows environment, where I want to authenticate users using a Windows Security Group. For example, foo\mstum is in the group foo\users and I want to tell to only allow users in foo\users to access the site.

This is usually simple, just add this in <system.web>:

    <allow roles="foo\users" />
    <deny users="*" />

Now, there are two problems with this when using a modern (that is, MVC 4 or 5 or Web API) application: It doesn't work.

Why? Because by default, Simple Membership is enabled, and this doesn't support Windows Groups at all - you can check the source code for WebMatrix.WebData.SimpleRoleProvider.

The solution is to add an appSetting that disables Simple Membership:

    <add key="enableSimpleMembership" value="false"/>

Now is back to the previous behavior of using the System.Web.Security.WindowsTokenRoleProvider which does support Windows Groups.

There is a second gotcha though: It seems that the WindowsTokenRoleProvider does not support Universal Security Groups. In my tests, only Global or Domain Local security groups showed up when calling GetRolesForUser. I have not found out why that is and if there is a way to have it support Universal Security Groups. Do note that Distribution Groups ("Mailing Lists") are not supported in any case.