
integrating active directory group with windows authentication aspnet mvc 3

I'm using Windows authentication in an MVC 3 app, and I want only some groups of my Active Directory to be able to access this app. I'm not using the [Authorize] attribute in my controllers, just my web.config configuration.

This is how I setup my web.config:

  <system.web>
    <authentication mode="Windows" />
    <authorization>
        <allow roles="EUsers" />
        <deny users="*" />
    </authorization>
  </system.web>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
    <modules runAllManagedModulesForAllRequests="true" />
    <security>
        <authorization>
            <add accessType="Allow" roles="EUsers" />
            <add accessType="Deny" users="*" />
        </authorization>
    </security>
  </system.webServer>

I also enabled Windows Authentication and ASP.NET Impersonation in my IIS Authentication section. I'm trying to access the app with my user (and I'm a member of EUsers), but it's always prompting for my user and password. Did I forget something? Am I doing something wrong?

I'm not using [Authorize] attribute in my controllers, just my web.config configuration.

That simply is wrong. In an ASP.NET MVC application you should not use web.config to control authorization. You should use the [Authorize] attribute. So:

[Authorize(Roles = "EUsers")]

I see in the comment section that it is still not working. I believe this may be a result of the "Deny" being explicitly assigned to users = "*" and the permission precedence rules.

Here are some rules for resolving permissions conflicts:

  - "Deny" permissions generally take precedence over "allow" permissions.
  - Permissions applied directly to an object (explicit permissions) take precedence over permissions inherited from a parent (for example from a group).
  - Permissions inherited from near relatives take precedence over permissions inherited from distant predecessors. So permissions inherited from the object's parent folder take precedence over permissions inherited from the object's "grandparent" folder, and so on.
  - Permissions from different user groups that are at the same level (in terms of being directly-set or inherited, and in terms of being "deny" or "allow") are cumulative. So if a user is a member of two groups, one of which has an "allow" permission of "Read" and the other has an "allow" of "Write", the user will have both read and write permission--depending on the other rules above, of course.
  - Although Deny permissions generally take precedence over allow permissions, this is not always the case. An explicit "allow" permission can take precedence over an inherited "deny" permission.

The hierarchy of precedence for the permissions can be summarized as follows, with the higher precedence permissions listed at the top of the list:

  1. Explicit Deny
  2. Explicit Allow
  3. Inherited Deny
  4. Inherited Allow
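As an added example (not code from the question or the answer), this is the attribute-based approach the answer recommends, with a 403 response for authenticated non-members and a separate diagnostic controller that shows which identity and groups the server resolved for the caller. `CORP\EUsers`, `GroupAuthorizeAttribute` and `WhoAmIController` are assumed names; the domain-qualified group name is used because `WindowsPrincipal.IsInRole` matches roles in `DOMAIN\Group` form.

```csharp
using System.Linq;
using System.Security.Principal;
using System.Web.Mvc;

// Added example, not the question's or answer's code. "CORP\EUsers" is a
// placeholder: with Windows authentication, roles are matched as DOMAIN\Group.
public class GroupAuthorizeAttribute : AuthorizeAttribute
{
    // An authenticated caller who is not in the role gets a 403. The base
    // class answers with 401, which under Windows authentication makes the
    // browser prompt for credentials again instead of showing a denial.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403, "Not a member of the required group");
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

// Only members of the group reach any action on this controller.
[GroupAuthorize(Roles = @"CORP\EUsers")]
public class HomeController : Controller
{
    public ActionResult Index()
    {
        return Content("Hello " + User.Identity.Name, "text/plain");
    }
}

// No group restriction here, only Windows authentication: lets an admin see
// which identity and groups the server actually resolved for the caller when
// a user who "is in EUsers" keeps being rejected (for example a stale logon token).
public class WhoAmIController : Controller
{
    public ActionResult Index()
    {
        var identity = User.Identity as WindowsIdentity;
        if (identity == null)
            return new HttpStatusCodeResult(500, "Caller is not a Windows identity");

        var groups = identity.Groups.Select(g =>
        {
            try { return g.Translate(typeof(NTAccount)).Value; }   // DOMAIN\Group
            catch (IdentityNotMappedException) { return g.Value; } // unresolvable SID
        });
        return Content("User: " + identity.Name + "\nGroups:\n" + string.Join("\n", groups),
                       "text/plain");
    }
}
```

If WhoAmI lists the group under a different name than the one in the attribute, the attribute will never match; compare the two strings exactly.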
