Reputation: 3073
I installed and enabled Windows authentication in IIS and in the web.config file of my project and added the [Authorize(Users = "MYDOMAIN\MyAccount")] attribute to the controller, just above the Index method, so that I could begin testing to be sure no one but those specified could access an IT intranet app I was working on. This worked fine after adding the following to the Web.config:
<system.web>
    <compilation debug="true" targetFramework="4.7.1" />
    <httpRuntime targetFramework="4.6.1" />
    <httpModules>
        <add name="ApplicationInsightsWebTracking" type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web" />
    </httpModules>
    <authentication mode="Windows" />
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
        <providers>
            <clear />
            <add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
        </providers>
    </roleManager>
</system.web>
If I either remove the Users = part of the attribute and change it to Roles = "DOMAIN\\Group", or if I just add that after a comma, it stops working altogether:
[Authorize(Roles = "DOMAIN\\GROUP")]
or
[Authorize(Roles = "DOMAIN\\GROUP", Users = "DOMAIN\\Username")]
I'm a member of the AD group I'm specifying, yet neither of these works. It only works for the Users alone and at no other time. I'll be prompted for a password otherwise.
I even got it to display the current user I'm logged into Windows as, and that's still working fine if I remove the attribute. Yet if I add the attribute back (with the Roles section included) I get a prompt to log in despite being logged in as the user specified in the tag.
Here's part of the controller:
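using System.Web.Mvc;

public class HomeController : Controller
{
    // AuthorizeAttribute enforces Users and Roles together: the caller must match both.
    [Authorize(Users = @"MYDOMAIN\MyAccount", Roles = @"MYDOMAIN\All Information Technology")]
    public ActionResult Index()
    {
        return View();
    }
}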
Here's my RouteConfig.cs
using System.Web.Mvc;
using System.Web.Routing;

public class RouteConfig
{
    public static void RegisterRoutes(RouteCollection routes)
    {
        routes.IgnoreRoute("{resource}.axd/{*pathInfo}");
        routes.MapRoute(
            name: "Default",
            url: "{controller}/{action}/{id}",
            defaults: new { controller = "Home", action = "Index", id = UrlParameter.Optional }
        );
    }
}
Why is this not working? What am I missing?
Upvotes: 1
Views: 429
Reputation: 3073
Turns out that for whatever reason, the laptop I was testing on, despite being logged into the domain as an account that was a member of the group in the annotation, was being picked up as my separate domain admin account. So when I added Domain Admins to the authorize list of roles it started working. I've got a whole new problem now, why my app picks up a different account than the one I'm logged in as, but apparently I was doing everything right. See question as a reference.
Upvotes: 0
Reputation: 3208
You are trying to authorize a Group instead of a Role. Those two things are not one and the same. Unless the user is part of the Role that is authorized to access the resource, you will always get an unauthorized result.
If you want to authorize a Group, you should inherit and extend AuthorizeAttribute or develop your own authorization attribute implementing IAuthorizationFilter.
Upvotes: 1
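An added example, not code from either poster: one way to write the AuthorizeAttribute subclass suggested in the last answer, which on a denial also logs the account and groups the server actually received, the mismatch described in the self-answer. The attribute name WindowsGroupAuthorizeAttribute and the trace message format are assumptions; the group name is the one from the question.

```csharp
using System;
using System.Diagnostics;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Hypothetical attribute (not part of ASP.NET MVC).
// Usage: [WindowsGroupAuthorize(@"MYDOMAIN\All Information Technology")]
public class WindowsGroupAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string[] _groups;

    // Groups in DOMAIN\Group form; membership in any one grants access.
    public WindowsGroupAuthorizeAttribute(params string[] groups)
    {
        _groups = groups ?? new string[0];
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Base check: authenticated, plus any Users/Roles set on the attribute.
        if (!base.AuthorizeCore(httpContext)) return false;

        var identity = httpContext.User.Identity as WindowsIdentity;
        if (identity == null) return false; // not a Windows token: fail closed

        var principal = new WindowsPrincipal(identity);
        if (_groups.Any(g => principal.IsInRole(g))) return true; // empty list denies

        // Denied: record which account IIS presented and the groups in its
        // token, so an unexpected identity shows up in the log.
        var seen = identity.Groups == null ? new string[0]
            : identity.Groups.Select(s => GroupName(s)).ToArray();
        Trace.TraceWarning("Denied {0}; required one of [{1}]; token groups: [{2}]",
            identity.Name, string.Join(", ", _groups), string.Join(", ", seen));
        return false;
    }

    // Resolve a group SID to DOMAIN\Name; keep the raw SID if lookup fails.
    private static string GroupName(IdentityReference sid)
    {
        try { return sid.Translate(typeof(NTAccount)).Value; }
        catch (SystemException) { return sid.Value; } // unmapped SID or lookup error
    }
}
```

When the browser keeps prompting for credentials, the warning line shows whether the request arrived as the expected account or as a different one.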