ASP.NET Authentication + Windows Authentication for Intranet Site

I am creating an intranet site where users will be in a corporate domain and have different permission levels. I am using <authentication mode="Windows"/> to control access to the site, but it looks like I should use ASP.NET Identity.

For example, let's say my application is a dashboard for each department of the organization. I want to create a single AD group called DashboardUsers and put everyone who can touch the site in this group.

I also want to limit the views in the toolbar. For example, I want the IT group to see their view, and finance people to see theirs, etc.

Question: Should I use Windows authentication to control access to the site, and then use ASP.NET Identity for user permissions?

+8
c# asp.net-mvc asp.net-identity
2 answers

I did something like this using only Windows Authentication. You can mark your actions with the Authorize attribute:

 [Authorize(Roles = @"DashboardUsers")] 

As long as this user is a member of the AD DashboardUsers group, they will have access to this action. It sounds like MVC magic, but it really is that simple.

Unfortunately, this approach will not allow you to overload the action for different roles, since the authorization attribute is not part of the method signature. In your views, you will need to show different anchor tags based on the current user role.


 [Authorize(Roles = @"DashboardUsers\Manager")]
 public ActionResult IndexManagers() { .. }

or

 [Authorize(Roles = @"DashboardUsers\Finance")]
 public ActionResult IndexFinance() { .. }

EDIT AFTER COMMENTS: Since your authentication comes from AD, you can use the logic in your controller, for example:

 if (User.IsInRole("Finance")) { .. }
 else if (User.IsInRole("IT")) { .. }

And this will check which AD group they belong to. I know that this is not very elegant, but I cannot imagine that mixing Windows Auth with individual Identity and managing permissions in your own DB would be elegant either.

+3

I faced this dilemma before and ended up creating a custom role provider that I used in conjunction with Windows authentication. I'm not sure if you need OWIN middleware for authentication against AD.

 public class MyAwesomeRoleProvider : RoleProvider
 {
     public override void AddUsersToRoles(string[] usernames, string[] roleNames)
     {
         // I talk to my database via Entity Framework in here to add a user to a role.
     }

     // Override all the other methods for your own role provider.
 }

Configuration file:

 <system.web>
   <authentication mode="Windows" />
   <roleManager enabled="true" defaultProvider="MyAwesomeRoleManager">
     <providers>
       <clear />
       <add name="MyAwesomeRoleManager"
            type="MyAwesomeNamespace.MyAwesomeRoleProvider"
            connectionStringName="MyAwesomeContext"
            applicationName="MyAwesomeApplication" />
     </providers>
   </roleManager>
 </system.web>
+1
