Access Denied for [Authorize(Roles = "Administrators")] using Windows Authentication

I have an ASP.NET MVC 4 site that uses Windows Authentication to restrict user access. On the controller, [Authorize(Roles = "Administrators")] is applied.

The site is running on my local machine from IIS. When accessing the site (also from my local computer), access is denied even though my user account is a member of the Administrators group.

I tried to specify "BUILTIN\Administrators" as suggested in this post: How to get the AuthorizeAttribute to work with the local Administrators group in an ASP.NET MVC 3 intranet application? but without success.

If I create a new group like "TestGroup", assign my user account to the group and use [Authorize(Roles = "TestGroup")] on my controller, then I can access the controller.

Is there any special limitation in the Administrators group (perhaps for security reasons?), or is there something else that might affect the use of the Administrators group?



1 answer


By listing the claims in your current ASP.NET Identity:

(System.Web.HttpContext.Current.User.Identity
    as System.Security.Principal.WindowsIdentity)
    .Claims
    .ToArray();

you will see that there is a claim of type denyonlysid for the Administrators group (SID: S-1-5-32-544). The call User.IsInRole("Administrators") will result in an error.

The whole point, I think, is that the current user is never part of the Administrators group unless you disable UAC and / or run the browser as administrator.



I did both of these steps (Firefox browser with NTLM support on localhost) and ta-dah, everything works as expected:

System.Web.HttpContext.User.IsInRole("Administrators")
true
(System.Web.HttpContext.User.Identity
    as System.Security.Principal.WindowsIdentity)
    .Claims
    .ToArray()
{System.Security.Claims.Claim[19]}
[0]: {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: Domain\Mauro}
[...]
[8]: {http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-5-32-544}

As a final note, you should not use the Administrators group for claims-based authorization. It is better to use custom domain/local groups.

Just my 2 cents.
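An added example (not code from the question or the answer above) that makes the distinction the answer relies on visible: under UAC the Administrators SID S-1-5-32-544 is still in the token, but only as a deny-only claim (ClaimTypes.DenyOnlySid), not as a group claim (ClaimTypes.GroupSid), so IsInRole("Administrators") is false. It assumes .NET Framework 4.5 or later (WindowsIdentity.Claims) and a process that has a Windows identity; in the MVC app the identity would come from HttpContext.Current.User.Identity instead of WindowsIdentity.GetCurrent().

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Security.Principal;

// Added example, not part of the original page.
static class AdminTokenCheck
{
    // Well-known SID of BUILTIN\Administrators, as quoted in the answer.
    const string AdministratorsSid = "S-1-5-32-544";

    // Describes how the Administrators SID shows up in the token's claims.
    // A deny-only claim means the token was filtered by UAC: the SID is used
    // only to evaluate deny ACEs, so role checks against it return false.
    public static string DescribeAdministratorsClaim(WindowsIdentity identity)
    {
        bool asGroup = identity.Claims.Any(c =>
            c.Type == ClaimTypes.GroupSid && c.Value == AdministratorsSid);
        bool asDenyOnly = identity.Claims.Any(c =>
            c.Type == ClaimTypes.DenyOnlySid && c.Value == AdministratorsSid);

        if (asGroup)
            return "Administrators is an effective group (elevated, or UAC disabled)";
        if (asDenyOnly)
            return "Administrators is deny-only (UAC-filtered token): IsInRole(\"Administrators\") will be false";
        return "The user is not a member of Administrators";
    }

    static void Main()
    {
        // Assumption: run as a console app; in the web app use
        // System.Web.HttpContext.Current.User.Identity as WindowsIdentity.
        var identity = WindowsIdentity.GetCurrent();
        var principal = new WindowsPrincipal(identity);

        Console.WriteLine(DescribeAdministratorsClaim(identity));
        Console.WriteLine("IsInRole(Administrator) = " +
            principal.IsInRole(WindowsBuiltInRole.Administrator));

        // Dump every claim so the groupsid vs denyonlysid entries can be compared.
        foreach (var c in identity.Claims)
            Console.WriteLine($"{c.Type}: {c.Value}");
    }
}
```

Running it once from a normal prompt and once from an elevated one shows the same SID switching from the denyonlysid claim type to the groupsid claim type, which is exactly the change the answer produced by running the browser as administrator.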
