asp.net mvc - using windows authentication with active directory groups as roles

Question

I've read several questions on this topic, such as here, here, here and here; but none have provided a working solution in my case.

What I want to do:

Implement Windows authentication for a web app that is only used by our own employees. This way they should not need to log into the app, but already be authenticated by way of having logged into windows.

Also, I need to restrict certain areas of the app, based on Active Directory Security Groups that the user may be assigned to.

So I want to be able to decorate Controllers / Actions with

[Authorize(Roles="SomeRole")]

What I've tried:

I have

<authentication mode="Windows" />

in my web.config. And I have added several permutations of a <roleManager> as found in some of the posts linked to above. Currently I have this role manager

<roleManager defaultProvider="WindowsProvider"
  enabled="true"
  cacheRolesInCookie="false">
      <providers>
        <add
          name="WindowsProvider"
          type="System.Web.Security.WindowsTokenRoleProvider" />
      </providers>
    </roleManager>

as found in this post.

As it is, if I decorate a controller with [Authorize], I can access it fine.

However:

I can see in my user settings on the network, that I am part of a AD security group called "IT". But if I decorate the same controller with [Authorize(Roles="IT")] I get the blank screen that is is served by the asp.net development server for a 401 not authorized. This is unexpected. I would think that I should be able to view the page as I am logged in to windows and am part of the group "IT".

Most everything I am finding on this topic make it sound very simple to accomplish what I'm trying to do, but I am clearly missing something here.

Answer 1

For dev I am using IISExpress with development server properties of the MVC project set up so that Anonymous Authentication is Disabled and Windows Authentication is Enabled. The web config is deployed using our TFS build server to test and release servers for which authentication is also setup as above and works in those locations as well.

In my web.config I have.

  <system.web> 
....
       <authentication mode="Windows" />
        <authorization>
          <deny users="?" />
        </authorization>
        <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
          <providers>
            <clear />
            <add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
          </providers>
        </roleManager>
....

    </system.web>

I can use

[Authorize(Roles = @"DOMAINADGroup")]
Public ActionResult Index()
{...}

or

 public ActionResult Index()
        {
            var User = System.Web.HttpContext.Current.User;
            if (User.IsInRole("DOMAIN\ADGroup"))
            {
                return RedirectToAction("IRSAdmin");
            }
            return View();
        }

After i remember to logoff and log back in so the permission i was given to the AD group were applied.