User.IsInRole(string) and multiple domains


I have been using WindowsPrincipal.IsInRole(string) to check whether a user has access to certain controller functions and all has been working well. A new requirement meant that users from a second domain needed to access the intranet site so matching AD groups were created within the second domain and those users were assigned to those groups.

These users could connect but their access was intermittent - sometimes they got the restricted views and sometimes they did not. It was noted that as they connected, users from the original domain seemed to lose all of their access to the restricted views.

The original code looks a bit like this (note no domain prefixes):

        if (User.IsInRole("GroupName1"))
        {
            return View("GroupName1");
        }

        if (User.IsInRole("GroupName2"))
        {
            return View("GroupName2");    
        }

        return View("GroupNameNone");

Originally users from AD1\GroupName1 got view GroupName1, but as soon as a user from AD2\GroupName1 connected the original user was served with the GroupNameNone view. As people connect/disconnect, which user passes the check seems to change.

So my question is what happens here? Is the group name being looked up and a SID cached (or similar) in the background? This seems to fit as the cached SID would change as users from different domains connect.

I am also assuming (but cannot yet test) that prefixing the checks with the domain (as below) will solve the issue. Does anyone have an opinion on that, or do we need to create differently named AD groups in the different domains?

Domain specific code:

        if (User.IsInRole(@"AD1\GroupName1") || User.IsInRole(@"AD2\GroupName1"))
        {
            return View("GroupName1");
        }

        if (User.IsInRole(@"AD1\GroupName2") || User.IsInRole(@"AD2\GroupName2"))
        {
            return View("GroupName2");    
        }

        return View("GroupNameNone");

Many thanks for any assistance.
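One way to make the access check independent of how an unqualified group name gets resolved, as an added example that is not the question author's code and does not claim to explain the behaviour they observed: resolve each qualified `DOMAIN\Group` name to its SID once at application start, then check the user's token with `WindowsPrincipal.IsInRole(SecurityIdentifier)`, which compares SIDs directly. The example assumes an ASP.NET MVC controller under Windows authentication (so `User` is a `WindowsPrincipal`) and reuses the domain and group names from the question (AD1, AD2, GroupName1, GroupName2); those are the only assumptions beyond the standard .NET APIs.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web.Mvc;

// Added example, not the question author's code. Assumes Windows authentication
// (User.Identity is a WindowsIdentity) and the domains/groups named in the question.
public static class GroupSids
{
    // Resolve each "DOMAIN\Group" name to its SID once, so that per-request checks
    // never depend on name resolution of an unqualified group name.
    private static readonly Dictionary<string, List<SecurityIdentifier>> RoleSids = Build();

    private static Dictionary<string, List<SecurityIdentifier>> Build()
    {
        var map = new Dictionary<string, List<SecurityIdentifier>>(StringComparer.OrdinalIgnoreCase);
        string[] domains = { "AD1", "AD2" };               // assumption: the two domains from the question
        string[] groups = { "GroupName1", "GroupName2" };  // assumption: the two groups from the question

        foreach (var group in groups)
        {
            var sids = new List<SecurityIdentifier>();
            foreach (var domain in domains)
            {
                try
                {
                    // NTAccount.Translate asks the local security authority to resolve
                    // the fully qualified name; the result is the group's SID.
                    var sid = (SecurityIdentifier)new NTAccount(domain, group)
                        .Translate(typeof(SecurityIdentifier));
                    sids.Add(sid);
                }
                catch (IdentityNotMappedException)
                {
                    // The group does not exist in this domain or the trust is unreachable.
                    // Skip it rather than failing application start; log this in production.
                }
            }
            map[group] = sids;
        }
        return map;
    }

    // True if the authenticated Windows user carries any SID resolved for this role.
    public static bool IsInRole(IPrincipal principal, string role)
    {
        var winPrincipal = principal as WindowsPrincipal;
        if (winPrincipal == null) return false;

        List<SecurityIdentifier> sids;
        if (!RoleSids.TryGetValue(role, out sids)) return false;

        foreach (var sid in sids)
        {
            // WindowsPrincipal.IsInRole(SecurityIdentifier) compares against the token's
            // group SIDs directly; no name lookup happens on this path.
            if (winPrincipal.IsInRole(sid)) return true;
        }
        return false;
    }
}

public class RestrictedController : Controller
{
    public ActionResult Index()
    {
        if (GroupSids.IsInRole(User, "GroupName1"))
            return View("GroupName1");

        if (GroupSids.IsInRole(User, "GroupName2"))
            return View("GroupName2");

        return View("GroupNameNone");
    }
}
```

Resolving the SIDs up front also makes a misconfiguration visible early: if `Translate` throws for one of the domains, the missing mapping is known at start-up rather than showing up as intermittent access at request time.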
