So you have your users and roles setup in Active Directory and you want to leverage them for authorization and roles in your ASP.NET web application? Look no further!

Considering how easy this is, it took me a day to figure this out. There are so many configurations floating around the web when you google for “active directory” and “asp.net” it’s easy to end up doing something super complicated.

The main magic is done by adding the following to web.config under the section system.web:

<authentication mode="Windows" />
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />

As a basic level, it really is that simple. As long your on the domain, you can now authorize against users and roles from your Active Directory setup.

Going a step further, you’ll probably want to check for roles. At a high level, you could ensure everyone accessing the application must be in particular role (Active Directory group). You may have 500 people setup in your Active Directory, but you only want to allow half of them to access the application. A solution for this would be to add all of your users to a group in Active Directory and restrict your web application at a high level.

<authorization>
  <allow roles="domainXXX\GroupXXX" />
  <deny users="*" />
</authorization>

But adding roles restrictions in web.config has a few problems. If you add role restrictions here and you want to whitelist a controller or controller action later on (my case was for a status page to ensure the app was running) then things get a bit tricky. This comes down to mixing the approach of authorizing roles in web.config and attribute based role checking.

What I wanted to do was allow anonymous access to a single controller.

[AllowAnonymous]
public class BuildStatusController : Controller
{
}

But adding this [AllowAnonymous] attribute didn’t work. The role check in web.config seems to override the ability to allow anonymous access to some parts of the application. Basically, an application wide role check in web.config mixed with allowing anonymous access via attributes doesn’t work. My solution was to remove all role checks from config and instead add the basic authorisation check in code when the app starts, so it would be applied application wide. In doing this, any usages of [AllowAnonymous] are honoured.

App_Start/FilterConfig.cs

public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        if (filters == null)
        {
            throw new ArgumentNullException("filters");
        }

        filters.Add(new HandleErrorAttribute());

        var authorizeAttribute = new AuthorizeAttribute
        {
            Roles = "domainXXX\GroupXXX" // Role = group in Active Directory
        };

        filters.Add(authorizeAttribute);
    }
}

filters.Add(authorizeAttribute);

Now I am ensuring that all users of the application are in a particular group. At the same time, I am allowing anonymous access to some pages which don’t require authorization.