I have an ASP.NET MVC3 application. We have added Windows-based authentication. On some controllers we have to do further authorization.
For example, I want the preferences page to be viewable by "ABCGroup". I tried to use the IsInRole("ABCGroup") method. It worked if the user is directly a member of it.
If the logged-in user is not directly a member of ABCGroup, IsInRole() does not work. For example, if the user is a member of the administrators group and the administrators group is a member of "ABCGroup", then IsInRole("ABCGroup") always returns false when administrators try to open the application.
As an alternative I created a custom Authorize attribute. That attribute builds the collection of allowed groups (using the DirectoryEntry class), then picks up the group collection of the logged-in user (using HttpContext.Current.Request.LogonUserIdentity.Groups) and checks whether any of them is in the allowed collection.
It worked, but for some domains it failed.
In "ABCGroup" the members are:
1. administrators

"Administrators" has:
1. administrator
2. lab\administrator
3. lab\domain admins
I logged in to the system as "lab\administrator" [lab is a domain]. I opened the application and it asked me for credentials. In the credentials dialog, if I enter lab.sub.sub2\administrator and then the password, it works, but if I enter "superdomain.lab.sub.sub2\administrator" it fails. By default the system is using "superdomain.lab.sub.sub2\administrator", which is why it asks for credentials.
Is there some function that will simply verify whether a logged-in user has access under a group, like LoggedUser.IsInRole(<role name>)?
I saw CheckTokenMembership(), but I truly could not use it in C#. I tried the signature from http://www.pinvoke.net/default.aspx/advapi32.checktokenmembership
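The following is an added example, not code from the question or from the asker's project, of a custom MVC3 authorize attribute that does the check in two ways: first by resolving the group name to a SID and testing it against the logon token (WindowsIdentity.Groups, which the LSA already expands for nested groups; this is the managed equivalent of CheckTokenMembership), and then, if that fails, by asking Active Directory for the user's expanded authorization groups. The attribute name, the namespace, the PreferenceController and the assumption that the web server can reach the user's domain are all mine.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

namespace Example.Security
{
    // Allows the action when the Windows-authenticated user belongs to any of the listed
    // groups, directly or through nested group membership.
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]
    public sealed class WindowsGroupAuthorizeAttribute : AuthorizeAttribute
    {
        private readonly string[] _groups;

        // Usage: [WindowsGroupAuthorize("ABCGroup", @"LAB\Domain Admins")]
        public WindowsGroupAuthorizeAttribute(params string[] groups)
        {
            _groups = groups ?? new string[0];
        }

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            var identity = httpContext.User.Identity as WindowsIdentity;
            if (identity == null || !identity.IsAuthenticated)
                return false;

            var principal = new WindowsPrincipal(identity);
            foreach (var group in _groups)
            {
                // Fast path: the logon token. Fallback: ask the directory.
                if (IsMemberViaToken(principal, group) || IsMemberViaDirectory(identity, group))
                    return true;
            }
            return false;
        }

        // Token check. WindowsIdentity.Groups holds the group SIDs the LSA placed in the logon
        // token, already expanded for nested groups, so comparing by SID is what
        // CheckTokenMembership does. Resolving the name to a SID first avoids string
        // mismatches such as "ABCGroup" versus "MACHINE\ABCGroup".
        private static bool IsMemberViaToken(WindowsPrincipal principal, string groupName)
        {
            try
            {
                var sid = (SecurityIdentifier)new NTAccount(groupName).Translate(typeof(SecurityIdentifier));
                return principal.IsInRole(sid);
            }
            catch (IdentityNotMappedException)
            {
                return false; // the name does not resolve on this machine or any trusted domain
            }
        }

        // Directory check (assumption: the web server can query the user's domain). AD computes
        // the user's full authorization group list, nested groups included, independently of how
        // the local token was built. Only domain groups come back; a group local to the web
        // server would need a PrincipalContext of ContextType.Machine instead.
        private static bool IsMemberViaDirectory(WindowsIdentity identity, string groupName)
        {
            // Compare on the SAM account name, so "LAB\Domain Admins" matches "Domain Admins".
            var bareName = groupName.Substring(groupName.LastIndexOf('\\') + 1);
            try
            {
                using (var ctx = new PrincipalContext(ContextType.Domain))
                using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.Sid, identity.User.Value))
                {
                    if (user == null)
                        return false;

                    using (var groups = user.GetAuthorizationGroups())
                    {
                        foreach (var g in groups)
                        {
                            if (string.Equals(g.SamAccountName, bareName, StringComparison.OrdinalIgnoreCase))
                                return true;
                        }
                    }
                }
            }
            catch (PrincipalServerDownException)
            {
                // No domain controller reachable: fail closed rather than grant access.
            }
            return false;
        }
    }

    // Hypothetical controller for the preferences page: only members (direct or nested)
    // of ABCGroup get in.
    public class PreferenceController : Controller
    {
        [WindowsGroupAuthorize("ABCGroup")]
        public ActionResult Index()
        {
            return View();
        }
    }
}
```

Two things to keep in mind when using this. A bare name such as "ABCGroup" is resolved by NTAccount.Translate on the web server first and then on trusted domains, so when the same name exists in more than one place, qualify it (BUILTIN\Administrators, LAB\Domain Admins) to avoid checking the wrong group. And the token path reads the same logon token as Request.LogonUserIdentity.Groups, so it only sees what the authenticating domain put in that token; the directory path is the one that does not depend on which account name the browser used at the credential prompt.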