In this ASP.NET MVC 3 intranet application (created using MVC 3 Intranet Application template), where users are authenticated automatically against AD, I'm trying to restrict access to a controller to users in the local Administrators group. In order to achieve this, I've tried to apply AuthorizeAttribute like so:
[Authorize(Roles = "Administrators")]
public class ElmahController : Controller
However, even though my AD user (the application reports the expected user has been authenticated) is in the local Administrators group, I cannot gain access to the controller when AuthorizeAttribute is applied. Only a blank page comes up. What am I doing wrong?
On the other hand, I've verified that specifying my particular user works:
[Authorize(Users = @"ad\arve")]
public class ElmahController : Controller
In this case, I can retrieve the restricted page successfully.
EDIT:
I found that qualifying the group with BUILTIN worked:
[Authorize(Roles = @"BUILTIN\Administrators")]
Is this the definitive way of referring to local groups via AuthorizeAttribute though??
Follow my tutorial How to Create an Intranet Site Using ASP.NET MVC You need to use the built-in AspNetWindowsTokenRoleProvider class , which uses Windows groups as roles
[Authorize(Roles = @"BUILTIN\Administrators")]
Will only work if you are an admin on the IIS server. If you deploy your application to a production server for your company, you will need to be made a local admin on the production server.
You can a custom AD authorization attribute to place above each action or controller. I have done this before and did something very similar to the link below. This works if you are using forms authentication and not windows.
来源:https://stackoverflow.com/questions/8645846/how-do-i-make-authorizeattribute-work-with-local-administrators-group-in-asp-net