I am attempting to authorise users against Active Directory in my ASP .NET MVC3 web application. Not only do I want to force the user to log in and authorise that against the users in the directory, but I also want to authorise users against the groups they are in, along the lines of this:
[Authorize(Roles = @"DOMAIN\Group")]
Every example I’m seeing does it for Windows authentication. I am using Forms authentication. The important parts of my Web.config are as follows:
<!-- LDAP path of the directory the membership provider binds to -->
<add name="ADConnectionString" connectionString="LDAP://blahblahblah" />

<authentication mode="Forms">
  <forms name="AD" loginUrl="~/Account/LogOn" />
</authentication>

<!-- Forms login credentials are validated against AD by sAMAccountName -->
<membership defaultProvider="ADMembershipProvider">
  <providers>
    <clear />
    <add name="ADMembershipProvider"
         type="System.Web.Security.ActiveDirectoryMembershipProvider"
         connectionStringName="ADConnectionString"
         attributeMapUsername="sAMAccountName" />
  </providers>
</membership>

<!-- Role lookups use the Windows token of the current request identity -->
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
  <providers>
    <clear />
    <add name="AspNetWindowsTokenRoleProvider"
         type="System.Web.Security.WindowsTokenRoleProvider" />
  </providers>
</roleManager>
I currently get an error that says
Method is only supported if the user name parameter matches the user name in the current Windows Identity.
Is it possible to do this using Forms authentication and how should I configure my app?
From my research, it seems that the answer is no, you can’t use Forms authentication with a WindowsTokenRoleProvider. See here:
How can I provide an ASP.NET Forms Authentication UX while using Active Directory Role and Authentication providers?
Instead I have done what I did in ASP .NET MVC 2, which is to implement my own AuthorizeAttribute:
ASP .NET MVC Forms authorization with Active Directory groups
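The shape of such a custom AuthorizeAttribute, as an added example that is not the answerer's code or the linked post: the Roles list is read as a list of AD group names and checked against the forms-authenticated user's AD group membership via System.DirectoryServices.AccountManagement, so no Windows token is needed. It assumes the forms ticket name is the user's sAMAccountName (which is what the ActiveDirectoryMembershipProvider above validates) and that the domain to bind to is passed in through the attribute's constructor; the domain and group names in the usage comment are placeholders.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Forms-authentication-friendly replacement for [Authorize(Roles = ...)]:
// Roles is treated as a list of AD group names and checked against the
// logged-in user's AD group membership instead of a Windows token.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
public sealed class AdGroupAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string _domain;

    // Assumption: the AD domain to bind to is passed in here (in a real app it
    // would more likely come from config). The bind runs under the app pool's
    // credentials, which therefore need read access to the directory.
    public AdGroupAuthorizeAttribute(string domain)
    {
        if (string.IsNullOrEmpty(domain)) throw new ArgumentNullException("domain");
        _domain = domain;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        var identity = httpContext.User == null ? null : httpContext.User.Identity;
        if (identity == null || !identity.IsAuthenticated) return false;

        // No roles requested: holding a forms ticket issued after the
        // ActiveDirectoryMembershipProvider validated the login is enough.
        if (string.IsNullOrWhiteSpace(Roles)) return true;

        var requiredGroups = Roles
            .Split(',')
            .Select(StripDomainPrefix)
            .Where(g => g.Length > 0)
            .ToArray();

        // Assumption: the forms ticket name is the sAMAccountName, matching
        // attributeMapUsername="sAMAccountName" on the membership provider.
        using (var ctx = new PrincipalContext(ContextType.Domain, _domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, identity.Name))
        {
            if (user == null) return false;

            // GetAuthorizationGroups follows nested membership; IsMemberOf only
            // sees direct membership and would silently deny users in nested groups.
            using (var groups = user.GetAuthorizationGroups())
            {
                var memberOf = groups
                    .Select(g => g.SamAccountName)
                    .Where(n => n != null)
                    .ToArray();

                return requiredGroups.Any(required =>
                    memberOf.Contains(required, StringComparer.OrdinalIgnoreCase));
            }
        }
    }

    // An authenticated user who is simply not in the group gets 403 instead of
    // being bounced back to the login page in a loop.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user != null && user.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }

    // Accepts both "DOMAIN\Group" and "Group"; lookup is by sAMAccountName
    // within the bound domain, so a domain prefix is dropped.
    private static string StripDomainPrefix(string role)
    {
        var trimmed = role.Trim();
        var slash = trimmed.LastIndexOf('\\');
        return slash >= 0 ? trimmed.Substring(slash + 1) : trimmed;
    }
}

// Usage on a controller or action (placeholder domain and group names):
// [AdGroupAuthorize("corp.example.com", Roles = @"CORP\WebAdmins,CORP\Auditors")]
// public class AdminController : Controller { ... }
```

Two things to watch when using this: the directory is queried on every request to a decorated action, so in a busy app the group list should be cached per user (for example in the session or in the forms ticket's UserData) and refreshed on login; and GetAuthorizationGroups can throw PrincipalOperationException when a token group cannot be resolved (orphaned SIDs, trusted-domain groups), which should be caught and treated as "not authorised" rather than as a 500.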