Tags: asp.net, asp.net-mvc, windows-authentication, directoryservices

ASP.NET MVC - show/hide link to webpage based on microsoft active directory service role


Here's what I'm trying to do: My (very small) web app exposes a form that is to be used by the public. On that form is a link that should only be visible to those who have been assigned to the role of a certain department in my company, "Marketing", via Microsoft's Active Directory. This is the first time I've worked with Microsoft's Active Directory AND with any form of authentication, so please be gentle.

I've made the changes to the permissions of the site in IIS AND in my web.config file, at the root, I've added:

<authentication mode="Windows"/>
<authorization>
  <allow roles="Marketing"/>
  <deny users="*" />
</authorization>

And in the code for the form page, the link is exposed by the following:

@if (User.Identity.IsAuthenticated)
{
    <p>@User.Identity.Name</p>
    <p></p>
    @Html.ActionLink("Access to Backend", "Index", "Requests")
}

I realize that in doing so, the entire form is rendered inaccessible to those outside of the role because the above code doesn't restrict the authentication to a link, but rather is applied to the entire site (due to it being at the root level).

Structure of site is as follows:

--Form Page (open to public)
 /Form (with hidden link to the Backend Page/Counts) -- needs to be hidden
---Backend Page (restricted to Marketing page)
 /Counts
 /Edit
 /Delete
 /Details

How do I go about restricting it to a small link, and then limiting access to the 'backend' pages of the site to those in the Marketing page?


Solution

  • I know this is over a month old. Sorry it didn't get looked at. Maybe you found an answer, but I'll share anyway.

    Take out the authorization tag from your web.config. Instead, apply the role to your controllers (or individual actions) using the AuthorizeAttribute, like this:

    [Authorize(Roles = "Marketing")]
    

    With Windows authentication, the roles are AD groups, so you should have a group in the same domain as the server called "Marketing" for this to work. If the group is on a different domain, then you will need to specify the domain, like

    [Authorize(Roles = @"DOMAIN\Marketing")]

    (Note the verbatim string prefix `@`: in a normal C# string literal the backslash in `"DOMAIN\Marketing"` is an unrecognized escape sequence and will not compile. `"DOMAIN\\Marketing"` works as well.)
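The following is an added example, not code from the question or the answer above, showing the answer's approach end to end: the public form controller stays open, the backend controller carries the role attribute, and the view decides whether to render the link by asking the same question. It assumes an ASP.NET MVC 5 application under IIS with `<authentication mode="Windows"/>` in web.config, the `<authorization>` block removed as the answer suggests, both Anonymous and Windows authentication enabled in IIS (if anonymous access is disabled in IIS, every visitor is challenged before ASP.NET sees the request and the form cannot be public), and an AD group named "Marketing". `DOMAIN` is a placeholder for your domain's NetBIOS name; the controller names `Form` and `Requests` and the model type `RequestSubmission` are assumptions.

```csharp
using System.Web.Mvc;

namespace MyApp.Controllers
{
    // Single place for the role name so the view and the controllers cannot drift apart.
    // With Windows authentication the "role" is an AD group; a verbatim string keeps the
    // backslash literal. "DOMAIN" is a placeholder (assumption), not a real domain.
    public static class Roles
    {
        public const string Marketing = @"DOMAIN\Marketing";
    }

    // Assumed placeholder for the form's posted fields.
    public class RequestSubmission
    {
        public string Description { get; set; }
    }

    // The public form. No [Authorize] here, and [AllowAnonymous] makes the intent
    // explicit even if a global AuthorizeAttribute filter is registered later.
    [AllowAnonymous]
    public class FormController : Controller
    {
        [HttpGet]
        public ActionResult Index()
        {
            // Anonymous visitors have an unauthenticated WindowsPrincipal, so IsInRole
            // simply returns false for them; domain users get a real group check.
            ViewBag.ShowBackendLink = User.IsInRole(Roles.Marketing);
            return View();
        }

        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult Index(RequestSubmission model)
        {
            // ... persist the submission ...
            return RedirectToAction("Index");
        }
    }

    // The backend. Every action in this controller requires a Windows-authenticated
    // user who is a member of the Marketing group. This attribute, not the hidden link,
    // is the actual access control: anyone who types /Requests/Counts into the address
    // bar gets a 401 from AuthorizeAttribute if they are not in the group.
    [Authorize(Roles = Roles.Marketing)]
    public class RequestsController : Controller
    {
        public ActionResult Index()   { return RedirectToAction("Counts"); }
        public ActionResult Counts()  { return View(); }
        public ActionResult Details(int id) { return View(); }
        public ActionResult Edit(int id)    { return View(); }

        // Destructive action: also require POST + anti-forgery token so a Marketing
        // user cannot be tricked into deleting via a crafted link on another site.
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult Delete(int id)
        {
            // ... delete ...
            return RedirectToAction("Counts");
        }
    }
}
```

In the form view, render the link only when the controller said so, e.g. `@if (ViewBag.ShowBackendLink) { @Html.ActionLink("Access to Backend", "Index", "Requests") }` (or call `User.IsInRole(@"DOMAIN\Marketing")` directly in the view). Hiding the link is purely cosmetic; the `[Authorize(Roles = ...)]` attribute on `RequestsController` is what enforces the restriction, so keep the attribute at the controller level rather than on individual actions so that a newly added action cannot be forgotten. Group membership is read from the user's Windows token, so a user added to the group must log off and on again before `IsInRole` sees the change.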