Windows Group Authentication and ASP.net MVC 4/5/Web API problems
I'm working in a Windows environment, where I want to authenticate users using a Windows Security Group. For example, foo\mstum
is in the group foo\users
and I want to tell ASP.net to only allow users in foo\users
to access the site.
This is usually simple, just add this in <system.web>
:
<authorization>
<allow roles="foo\users" />
<deny users="*" />
</authorization>
Now, there are two problems with this when using a modern (that is, ASP.net MVC 4 or 5 or Web API) application: It doesn't work.
Why? Because by default, Simple Membership
is enabled, and this doesn't support Windows Groups at all - you can check the source code for WebMatrix.WebData.SimpleRoleProvider.
The solution is to add an appSetting
that disables Simple Membership:
<appSettings>
<add key="enableSimpleMembership" value="false"/>
</appSettings>
Now ASP.net is back to the previous behavior of using the System.Web.Security.WindowsTokenRoleProvider which does support Windows Groups.
There is a second gotcha though: It seems that the WindowsTokenRoleProvider does not support Universal Security Groups. In my tests, only Global or Domain Local security groups showed up when calling GetRolesForUser. I have not found out why that is and if there is a way to have it support Universal Security Groups. Do note that Distribution Groups ("Mailing Lists") are not supported in any case.