Posted by: Terry Nederveld | January 12, 2010

Question: ASP.NET Window Authentication Mode

Windows authentication mode in ASP.NET used the Active Directory “Group name (pre-Windows 2000)” and I don’t understand why. Here is the background. I had an .NET MVC v1.0 project that I was trying to secure it by using Windows authentication mode. So I set the web.config to:

<authentication mode="Windows" />

And then went into my controller and did the following:

[Authorize(Roles="IT")]
public class LicenseController : Controller

In AD we have a group called “IT” and I am many others are apart of this group. Once I had this in place I started a debug session and tried going to any of the actions in that controller and I was met with a 401. I search high and low looking for somewhere that I had screwed the pooch and couldn’t find anything wrong. After a while of struggling I decided to try changing the “Authorize” to a specific user an see if that worked. So I changed it to the following:

[Authorize(Users="domain\tnederveld")]

And low and behold that worked. So I went and added a different group that I was a member of and took out the users authorize statement and that worked. I started looking into the differences between the two AD groups and the only thing that was different was on the second group I tried the “Group name (pre-Windows 2000):” were the same. The “IT” groups “Group name (pre-Windows 2000):” was “IT Associates”. So I tried changing the authorize statement to:

[Authorize(Roles="IT Associates")]

And it started working. I thought for sure this was an MVC issue, so to make sure I tried it on a regular Web Forms project and was meet with the same issue.

The real kicker is that when you use the UserPrincipal that is part of the System.DirectoryServices.AccountManagement it returns the group “IT” when using the .GetGroups() method.

Anyone know why this is happening? Along with posting it on my blog I have also posted this on StackOverflow (http://bit.ly/7UnDkU).

Advertisements

Responses

  1. Someone has answered my question on StackOverflow and the explanation was great.

    http://stackoverflow.com/questions/2049341/windows-authentication-mode-in-asp-net-uses-the-active-directory-group-name-pre/2049929#2049929


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Categories

%d bloggers like this: