Last post Jul 12, 2019 02:19 AM by Nan Yu
Jul 10, 2019 08:27 PM|Baze72|LINK
I have created a view that unlocks user accounts. When testing using the local IIS this works fine. I have now published to the intranet IIS (Windows 2012) and get an access denied. I know it's a Windows authorization issue but not sure where.
I have authentication mode="Windows" in the Web.config file and have IIS set up for Windows authentication. How can I get my controller to pass the domain user's credentials to IIS so I can run my code?
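// requires: using System.DirectoryServices.AccountManagement;
public ActionResult Unlock(string user)
{
    // set up domain context
    PrincipalContext ctx = new PrincipalContext(ContextType.Domain);
    // find a user
    UserPrincipal usr = UserPrincipal.FindByIdentity(ctx, user);
    if (usr != null)
    {
        // unlock user
        usr.UnlockAccount();
    }
    return View(); // assumed: the rest of the action is not shown in the post
}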
Jul 10, 2019 08:35 PM|mgebhard|LINK
I assume the application pool identity (the web application) does not have authority to perform the task. Add a service account to application pool identity that has proper authority to perform the task.
If this is not the issue, then post the actual error message so we're not guessing.
Jul 10, 2019 08:56 PM|Baze72|LINK
That is not really what I want to do. I did get it to work like this:
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "domain.local", "username", "password");
But I only want users that are domain admins to be able to perform this. Is there a way to use the above code but use the
Jul 10, 2019 09:08 PM|mgebhard|LINK
Use the [Authorize] attribute to restrict access to roles.
You can also craft a custom role provider.
Jul 10, 2019 09:46 PM|Baze72|LINK
I now get a message "Your Connection to this site is not private" and it prompts me for a username and password. I am a member of the group I specified. Even when I enter the domain admin and password it just keeps prompting me.
OK - that would work. Is it safe to have a password in the controller?
Jul 10, 2019 10:49 PM|mgebhard|LINK
Jul 11, 2019 12:57 PM|Baze72|LINK
Here is the strange thing. Using
[Authorize(Users works fine, but roles does not?? When using roles, the prompt says: connecting to, then my computer name.domain name.
Jul 12, 2019 02:19 AM|Nan Yu|LINK
For authorization with Active Directory groups, you can add roleManager to your web config:
<!-- inside <system.web> -->
<authentication mode="Windows" />
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />
Then use it with the Authorize attribute:
[Authorize(Roles = "Domain\\Group")]
public ActionResult Contact()
{
    ViewBag.Message = "Your contact page.";
    return View();
}
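The two suggestions in this thread (a service account as the application pool identity, and role-based [Authorize] backed by the Windows token role provider) can be combined so that no password sits in the controller. The following is an added example, not code from any poster; the controller name, the group "DOMAIN\\Domain Admins", the account-name pattern and the "Index" redirect target are assumptions.

```csharp
using System.Diagnostics;
using System.DirectoryServices.AccountManagement;
using System.Text.RegularExpressions;
using System.Web.Mvc;

// Assumed names: AccountAdminController, the group "DOMAIN\\Domain Admins",
// the account-name pattern and the "Index" action are placeholders.
public class AccountAdminController : Controller
{
    // Conservative allow-list for the account name taken from the request.
    private static readonly Regex SamAccountName =
        new Regex(@"^[A-Za-z0-9._-]{1,20}$", RegexOptions.Compiled);

    // Only members of the AD group reach the action; membership is resolved
    // from the caller's Windows token by the configured role provider.
    [HttpPost]
    [ValidateAntiForgeryToken]
    [Authorize(Roles = "DOMAIN\\Domain Admins")]
    public ActionResult Unlock(string user)
    {
        if (user == null || !SamAccountName.IsMatch(user))
            return new HttpStatusCodeResult(400);

        // No credentials in code: the directory call runs as the application
        // pool identity, which must be a service account delegated the right
        // to unlock accounts and nothing more.
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var usr = UserPrincipal.FindByIdentity(
                   ctx, IdentityType.SamAccountName, user))
        {
            if (usr == null)
                return HttpNotFound();

            bool wasLocked = usr.IsAccountLockedOut();
            if (wasLocked)
                usr.UnlockAccount();

            // Record who unlocked whom; the directory itself only sees the
            // pool identity, so the caller's name has to be logged here.
            Trace.TraceInformation("Unlock target={0} by={1} wasLocked={2}",
                usr.SamAccountName, User.Identity.Name, wasLocked);
        }
        return RedirectToAction("Index");
    }
}
```

Because the directory operation runs under the pool identity rather than the caller, the [Authorize] check and the trace line are the only places where the requesting user is enforced and recorded.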