
Windows Auth on MVC 5 asks to log in and denies valid user if I add filters


I am working on an internal project that has to authenticate users based on our directory. Originally this was working with these changes:
Web.Config

<system.web>
    <authentication mode="Windows" />
    <authorization>
        <deny users="?"/>
    </authorization>
</system.web>

And in each controller I would add

[Authorize(Roles = @"DOMAIN\Group1, DOMAIN\Group2, DOMAIN\Group3")]

I have Windows auth enabled and anon auth disabled in the proj file.

Then I got an issue that people in group 2 and 3 couldn't access. In going back to test why this was the issue, it has degraded to the point of not working. It now asks me to log in using the old method, and if I enter the correct domain credentials or even the account tied to that, it denies access.

The only changes between now and the last test on my end is that our office moved and I had to reset the VM I worked from. On the customer end nothing should have changed.

Here's what I've tried so far and how it's failed:

  • I've tried setting a global authentication filter. Based on it asking me to enter credentials I assume this is proper but I could have something wrong.
// In filters.config
filters.Add(new AuthorizeAttribute { Roles = @"DOMAIN\Group1, DOMAIN\Group2, DOMAIN\Group3" });
  • I've tried adding the list of allowed roles in web.config, although through some readings I found that is not recommended past MVC 3.
  • I've tried changing the literal string to a normal string and doubling the backslashes, no change there.
  • I also did a test to make sure that I was the correct user by removing authorization restrictions and checking user via code below. It came back with CorrectDomain\MyUserName so it seems I still have access to the domain.
string user = System.Web.HttpContext.Current.User.Identity.Name;

Any advice is appreciated. I've spent 2 days on this so far and can't find any more articles or previous questions that provide anything new to try. If any code snippets are required to help with finding the issue, I can provide them.


Solution

  • Looks like it was related to my network connection at the new office. I was disconnected from my domain. Used this bit of code to verify I wasn't in a forest/domain.

    // requires: using System.DirectoryServices.ActiveDirectory;
    Forest forest = Forest.GetCurrentForest();

    It threw an error saying I have no current domain.

    I'm guessing the error from the other 2 groups not validating is related to the group names but that's a different issue.
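
The checks described in the question and the solution, combined into one console diagnostic (an added example, not the poster's code). It assumes a reference to System.DirectoryServices.dll, uses the placeholder role names from the question, and inspects the identity of the current process; the class name is hypothetical.

```csharp
using System;
using System.DirectoryServices.ActiveDirectory;
using System.Linq;
using System.Security.Principal;

// Hypothetical helper: reports domain reachability, the current Windows
// identity, and how each configured role evaluates for that identity.
public static class WindowsAuthDiagnostics
{
    // Placeholder names from the question, in the comma-separated form
    // that [Authorize(Roles = ...)] accepts.
    private const string Roles = @"DOMAIN\Group1, DOMAIN\Group2, DOMAIN\Group3";

    public static void Main()
    {
        // 1. Domain connectivity: the call the solution used.
        try
        {
            Console.WriteLine("Forest: " + Forest.GetCurrentForest().Name);
        }
        catch (ActiveDirectoryOperationException ex)
        {
            Console.WriteLine("No current domain/forest: " + ex.Message);
        }
        catch (ActiveDirectoryObjectNotFoundException ex)
        {
            Console.WriteLine("Domain could not be contacted: " + ex.Message);
        }

        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        {
            var principal = new WindowsPrincipal(identity);
            Console.WriteLine("User: " + identity.Name +
                              " (" + identity.AuthenticationType + ")");

            // 2. Evaluate each configured role separately, so a single
            //    misnamed group shows up as one False line.
            foreach (string role in Roles.Split(',').Select(r => r.Trim()))
                Console.WriteLine(role + " -> " + principal.IsInRole(role));

            // 3. List the group SIDs in the token; names that cannot be
            //    resolved (for example, no domain controller) stay as SIDs.
            foreach (IdentityReference sid in identity.Groups)
            {
                string name;
                try { name = sid.Translate(typeof(NTAccount)).Value; }
                catch (SystemException) { name = "(unresolved)"; }
                Console.WriteLine(sid.Value + "  " + name);
            }
        }
    }
}
```

Inside the MVC application the same role loop can be run against `HttpContext.Current.User` instead of `WindowsIdentity.GetCurrent()`, which is the principal that `[Authorize]` evaluates.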