ASP.NET中的Windows身份验证模式使用Active Directory组名称（Windows 2000之前的版本）？

Question

Here is the background. I had an .NET MVC v1.0 project that I was trying to secure it by using Windows authentication mode. So I set the web.config to:

<authentication mode="Windows" />

And then went into my controller and did the following:

[Authorize(Roles="IT")]
public class LicenseController : Controller

In AD we have a group called "IT" and I am many others are apart of this group. Once I had this in place I started a debug session and tried going to any of the actions in that controller and I was met with a 401. I search high and low looking for somewhere that I had screwed the pooch and couldn't find anything wrong. After a while of struggling I decided to try changing the "Authorize" to a specific user an see if that worked. So I changed it to the following:

[Authorize(Users="domain\\tnederveld")]

And low and behold that worked. So I went and added a different group that I was a member of and took out the users authorize statement and that worked. I started looking into the differences between the two AD groups and the only thing that was different was on the second group I tried the "Group name (pre-Windows 2000):" were the same. The "IT" groups "Group name (pre-Windows 2000):" was "IT Associates". So I tried changing the authorize statement to:

[Authorize(Roles="IT Associates")]

And it started working. I thought for sure this was an MVC issue, so to make sure I tried it on a regular Web Forms project and was meet with the same issue.

The real kicker is that when you use the UserPrincipal that is part of the System.DirectoryServices.AccountManagement it returns the group "IT" when using the .GetGroups() method.

Why is this is happening?

Answer 1

You need to keep apart the various names an entry in AD can have:

• the name per se is typically the CN attribute - the Common Name. This is the "CN=xxx" part in your LDAP string. Here it's IT - and that's what System.DirectoryServices.AccountManagement will return - it's the "Active Directory"'s most common name

• the "IT Associates" name is the pre-Windows 2000 or sAMAccountName - the thing Windows NT used to use before there was AD - a local user and/or group name (SAM = Security Account Management or something like that). The SAM Account Name needs to be unique per domain - even in a huge AD forest these days.

Unfortunately, lots of the Windows API calls are still based on that name - since they are (and need to be) backwards compatible with earlier Windows versions. The ASP.NET membership system uses those calls and thus will use your domain/tnederveld user name and IT Associates group - those are the SAM account names of your objects

Not sure if there's much you can do about it - just be aware that in a AD environment, any of your user or groups has a plethora of "names" - always be very clear about which one you're talking about!

For a detailed list of all AD attributes, see Richard Mueller's excellent web site with Active Directory reference material .