I am building an MVC3 Intranet application using the default MembershipProvider, ProfileProvider, and RoleProvider connected to a SQL Server DB. If I use Forms authentication, the roles provider populates properly. When I switch to Windows authentication, the roles provider no longer populates. This is tested by putting a breakpoint in the code and looking at "Roles.GetRolesForUser()". What I suspect is happening is that the userid that is being passed to the database is 'DOMAIN\USERID' (this is what is in User.Identity.Name), whereas what is in the database is just the userid.

Since everything is default, there is not much code to post.

<authentication mode="Windows" />
<authorization>
  <deny users="?"/>
</authorization>
<membership defaultProvider="AspNetSqlMembershipProvider">
  <providers>
    <clear />
    <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" />
  </providers>
</membership>
<profile>
  <providers>
    <clear />
    <add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="ApplicationServices" applicationName="/" />
  </providers>
  <properties></properties>
</profile>
<roleManager enabled="true" defaultProvider="AspNetSqlRoleProvider" cacheRolesInCookie="true">
  <providers>
    <clear />
    <add connectionStringName="ApplicationServices" applicationName="/" name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" />
    <add applicationName="/" name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" />
  </providers>
</roleManager>

My first thought is: can we just remove the domain before the identity is passed to the membership provider? But User.Identity.Name is get-only.

What would be the best route at correcting this, without having to change my entire database to have domain\userid instead of just userid? Can this be done without having to write a custom membership/profile/role provider?

Toby Jones
  • Here's a similar question with a couple of links. http://stackoverflow.com/questions/2250921/mixing-forms-authentication-with-windows-authentication – Niklas Sep 17 '12 at 13:33
  • I appreciate the post and what he did is interesting; however, I am not trying to do both forms and windows authentication, I am just trying to utilize windows authentication. – Toby Jones Sep 17 '12 at 14:30
  • Try changing the username to DOMAIN\username in the table and see if it works. Usernames are not the same between the two (forms vs. windows). – Steve Sloka Oct 03 '12 at 00:11

1 Answer

If you just want to use Windows Authentication, then you don't want to use the SqlRoleProvider, but instead want to use the WindowsTokenRoleProvider, which will return their AD roles. (There is no reason to use a membership provider, because when using Windows Authentication you can't get to the site without being authenticated already.)

If you want to use Windows Authentication, but use SqlRoles then you probably want to do something like this:

http://weblogs.asp.net/scottgu/pages/Recipe_3A00_-Implementing-Role_2D00_Based-Security-with-ASP.NET-2.0-using-Windows-Authentication-and-SQL-Server.aspx

Erik Funkenbusch
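
An added example, not code from the question, the answer, or the linked recipe: one way to keep Windows authentication and the existing SqlRoleProvider rows without a custom provider is to handle the role manager's GetRoles event in Global.asax and look roles up by the bare account name. The domain name CONTOSO and the helper TryGetTrustedAccountName are assumptions for illustration; the domain is checked before it is stripped so that a same-named account from another trusted domain does not inherit these roles.

```csharp
// Global.asax.cs -- added example; CONTOSO and the helper name are placeholders.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class MvcApplication : HttpApplication
{
    // Assumption: the only domain whose accounts were loaded into the role tables.
    private const string TrustedDomain = "CONTOSO";

    // Auto-wired to RoleManagerModule.GetRoles, which is raised before the
    // module builds its own RolePrincipal from User.Identity.Name.
    protected void RoleManager_GetRoles(object sender, RoleManagerEventArgs e)
    {
        IPrincipal user = e.Context.User;
        if (user == null || !user.Identity.IsAuthenticated)
            return; // anonymous request: leave default handling in place

        // Fail closed: an unexpected domain or name format gets no roles.
        string[] roles = new string[0];
        string sam;
        if (TryGetTrustedAccountName(user.Identity.Name, out sam))
            roles = Roles.Provider.GetRolesForUser(sam); // default provider: SqlRoleProvider

        // Keep the original WindowsIdentity; only the role set is replaced.
        e.Context.User = new GenericPrincipal(user.Identity, roles);
        e.RolesPopulated = true; // tell the module not to run its own lookup
    }

    // "CONTOSO\jdoe" -> "jdoe"; false for other domains or malformed names.
    internal static bool TryGetTrustedAccountName(string identityName, out string sam)
    {
        sam = null;
        if (string.IsNullOrEmpty(identityName)) return false;

        int slash = identityName.IndexOf('\\');
        if (slash <= 0 || slash == identityName.Length - 1) return false;

        string domain = identityName.Substring(0, slash);
        if (!string.Equals(domain, TrustedDomain, StringComparison.OrdinalIgnoreCase))
            return false;

        sam = identityName.Substring(slash + 1);
        return true;
    }
}
```

With this in place, User.IsInRole and [Authorize(Roles = "...")] evaluate against the SQL roles, while User.Identity.Name still reports DOMAIN\USERID.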