3

I'm using ASP.NET MVC 5 in Visual Studio 2015 with Windows authentication. Currently, the user connects to the app seamlessly -- no logon screen, by having the following in the Web.config file:

<system.web>
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
    </authorization>
</system.web>

Then Global.asax.cs has this for authorization:

protected void Application_Start()
{
    AreaRegistration.RegisterAllAreas();
    GlobalConfiguration.Configure(WebApiConfig.Register);
    FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
    RouteConfig.RegisterRoutes(RouteTable.Routes);
    BundleConfig.RegisterBundles(BundleTable.Bundles);

    GlobalFilters.Filters.Add(new System.Web.Mvc.AuthorizeAttribute() 
        { Roles = "Some-AD-Group, Another-AD-Group" });
}

The above filter limits those who are allowed into the app to AD groups. I'd like to use the built-in [AspNet*] tables on SQL Server to manage authorization and match a user to roles.

This example lets me create a custom authorization, but then how do I fetch the user's roles from the [AspNetUserRoles] table and where do I store that for the duration of the user's session?

Here's another example that works with roles, but not sure where it gets them. There's a lot of good information in this article as well, but nothing about tying it to Windows authentication.

Thanks for your help.

Update: The filter will be replaced with the AspNetUserRoles; that's currently just a bandage to keep folks out until we figure this piece out.

Community
  • 1
  • 1
Alex
  • 34,699
  • 13
  • 75
  • 158

2 Answers2

1

Windows authentication is a different thing, you can't tie them together.

With windows with, a network admin creates windows groups, and puts users in them.

They aren't tied to your database and can be used in another apps.

ozz
  • 5,098
  • 1
  • 50
  • 73
  • I'm using Windows for the authentication but would like to use the roles on the db for authorization at a more fine grained level. – Alex Mar 09 '17 at 21:14
  • Why can you use Windows auth but can't use Windows groups? – ozz Mar 09 '17 at 21:19
1

You'll need to write a custom Auth provider for this.

One approach might be to do something like this:

https://www.codeproject.com/Articles/5353/Custom-Authentication-provider-by-implementing-IHt

Or you might be able to take the existing WindowsAuthenticationProvider class in the framework and inherit it to "override" the role based methods.

This might be useful if you want a deeper dive with a few more options ...

https://weblogs.asp.net/jongalloway/asp-net-mvc-authentication-customizing-authentication-and-authorization-the-right-way

but the offficial docs, you may want to start from begin here ...

https://msdn.microsoft.com/en-us/library/f1kyba5e.aspx

War
  • 8,539
  • 4
  • 46
  • 98