Last post Mar 27, 2014 05:43 AM by tvb2727
Mar 26, 2014 08:39 PM|tvb2727
I am working on an application where we have to authorize to certain pages in MVC3 by their roles/groups in AD. I know you can do User.IsInRole("Domain\GroupName") in C# code in a cshtml page or use the Authorize attribute on a controller etc. My question is this: When I read out all of the roles contained in User.IsInRole() via a Role Principal and a string array - it gives A LOT of groups that the user is just a part of. How is this list tabulated exactly? Of course the reason I am doing this is, if they have the specific role I am checking for - I expect it to be in the list - otherwise they should not have access to that page / controller etc. Just trying to figure out how I get all of these roles when an admin just puts me in a couple of roles, but via this process it shows me in a lot more roles/groups.
Mar 27, 2014 04:05 AM|smirnov
If you get more roles than expected then it might be due to
a) nested security groups
b) distribution lists
If you use Active Directory authorization, User.IsInRole checks if the user is a member of the given group. It is not exactly the same as checking the groups that the user belongs to, because that only gives the direct memberships. User.IsInRole also checks nested group membership. An example:
Now if you check the direct memberships of UserA you will only get GroupA. But User.IsInRole will indicate that UserA is a member of GroupB thanks to the nesting.
Distribution lists (DL) are public lists that are published as distribution group objects in Active Directory. They are "mail-enabled" and could be used e.g. to send emails. See some examples here on how to get security groups and distribution lists: http://msdn.microsoft.com/en-us/library/bb924542%28v=vs.90%29.aspx
Just run ADSI Edit/Active Directory Users and Computers and see the exact groups and lists.
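The nesting described in the answer above, worked through as an added example (not code from either poster): it expands direct memberships into the effective list and records the chain that grants each group, which is what you need when auditing why a user passes a role check. It does not query Active Directory; the in-memory directory, the `AllStaff-DL` name, the GroupA-in-GroupB nesting and the helper `EffectiveGroups` are all constructed assumptions.

```csharp
using System;
using System.Collections.Generic;

// Constructed sample directory: names and memberships are illustrative only.
static class NestedGroupDemo
{
    // member (user or group) -> groups it is a DIRECT member of
    static readonly Dictionary<string, string[]> MemberOf = new Dictionary<string, string[]>
    {
        { "UserA",  new[] { "GroupA", "AllStaff-DL" } },
        { "GroupA", new[] { "GroupB" } },
        { "GroupB", new[] { "GroupA" } }, // circular nesting is possible in AD
    };

    static readonly HashSet<string> DistributionLists = new HashSet<string> { "AllStaff-DL" };

    // Breadth-first expansion; returns each effective group with the chain that grants it.
    public static Dictionary<string, string> EffectiveGroups(string user)
    {
        var paths = new Dictionary<string, string>();
        var chain = new Dictionary<string, string> { { user, user } };
        var queue = new Queue<string>();
        queue.Enqueue(user);
        while (queue.Count > 0)
        {
            string current = queue.Dequeue();
            string[] parents;
            if (!MemberOf.TryGetValue(current, out parents)) continue;
            foreach (string g in parents)
            {
                if (chain.ContainsKey(g)) continue; // already visited: stops cycles
                chain[g] = chain[current] + " -> " + g;
                paths[g] = chain[g];
                queue.Enqueue(g);
            }
        }
        return paths;
    }

    static void Main()
    {
        Console.WriteLine("Direct: " + string.Join(", ", MemberOf["UserA"]));
        foreach (var kv in EffectiveGroups("UserA"))
        {
            string kind = DistributionLists.Contains(kv.Key) ? "distribution" : "security";
            Console.WriteLine("{0,-12} {1,-12} via {2}", kv.Key, kind, kv.Value);
        }
    }
}
```

A group whose chain is longer than one hop is one nobody assigned to the user directly, so that chain is the nesting to review before using the group name in an Authorize attribute.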
Mar 27, 2014 05:43 AM|tvb2727
This is great. Thanks. I was trying to explain it yesterday and did not do a good job at it :-(