Access denied for [Authorize(Roles = "Administrators")] using Windows Authentication

I have an ASP.NET MVC 4 site that uses Windows Authentication to restrict user access. On the controller [Authorize(Roles = "Administrators")] is applied.

The site is running on my local machine from IIS. When accessing the site (also from my local machine) access is denied, even though my user account is a member of the administrator group.

I've tried specifying the "BUILTIN\Administrators" as suggested in this post: How do I make AuthorizeAttribute work with local Administrators group in ASP.NET MVC 3 intranet application? but without success.

If I create a new group like "TestGroup", assign my user account to the group and use [Authorize(Roles = "TestGroup")] on my controller - I'm then able to gain access to the controller.

Is there some special restriction on the Administrator group (for security reasons maybe?), or is there anything else that could influence the use of the Administrator group?

Asked Nov 22 '25 19:11 by sje


1 Answer

By listing the Claims inside your current ASP.NET Identity:

// Requires "using System.Linq;" for ToArray(); WindowsIdentity derives from ClaimsIdentity, so .Claims is available (.NET 4.5+).
var claims = (System.Web.HttpContext.Current.User.Identity
    as System.Security.Principal.WindowsIdentity)
    .Claims
    .ToArray();

you will see that for the Administrators group (SID: S-1-5-32-544) there is a claim of type denyonlysid. The call to User.IsInRole("Administrators") will then fail.

The whole point, I think, is that the current user is never truly part of the Administrators group, unless you turn off UAC and/or run your browser as an administrator.

I have done both those things (browser is Firefox with NTLM enabled on localhost) and ta-dah, everything works as expected:

System.Web.HttpContext.User.IsInRole("Administrators")  
true
(System.Web.HttpContext.User.Identity
    as System.Security.Principal.WindowsIdentity)
    .Claims
    .ToArray()
{System.Security.Claims.Claim[19]}
[0]: {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: Domain\Mauro}
[...]
[8]: {http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-5-32-544}

As an end note, you should not use the Administrator group for claims based authentication. Better to introduce custom domain/local groups.

Just my 2 cents.

Answered Nov 25 '25 09:11 by Mauro
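The deny-only SID the answer describes can be made visible without a debugger. The following console program is an added example (my own code, not from the question or the answer): it enumerates the current token's claims the way the answer does and reports whether BUILTIN\Administrators (S-1-5-32-544) appears as a granting groupsid or only as a UAC-filtered denyonlysid, which is exactly the distinction that makes IsInRole("Administrators") fail.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Security.Principal;

// Reports how the BUILTIN\Administrators SID shows up in the calling process's
// Windows token: as a real group SID (grants access) or as a deny-only SID
// (the UAC-filtered token, which is what the question and answer ran into).
class AdminSidCheck
{
    // Well-known SID for BUILTIN\Administrators, as quoted in the answer.
    const string AdministratorsSid = "S-1-5-32-544";

    static void Main()
    {
        using (var identity = WindowsIdentity.GetCurrent())
        {
            Console.WriteLine("Token user: " + identity.Name);

            // GroupSid claims are groups that can grant access.
            // DenyOnlySid claims are groups UAC has filtered out of the token;
            // they are only consulted for deny ACEs and never satisfy IsInRole.
            var granting = identity.Claims
                .Where(c => c.Type == ClaimTypes.GroupSid)
                .Select(c => c.Value)
                .ToList();
            var denyOnly = identity.Claims
                .Where(c => c.Type == ClaimTypes.DenyOnlySid)
                .Select(c => c.Value)
                .ToList();

            bool adminGranting = granting.Contains(AdministratorsSid);
            bool adminDenyOnly = denyOnly.Contains(AdministratorsSid);

            Console.WriteLine("Administrators as groupsid (grants access):     " + adminGranting);
            Console.WriteLine("Administrators as denyonlysid (UAC filtered):   " + adminDenyOnly);

            // This is the same check [Authorize(Roles = "Administrators")]
            // ends up making through WindowsPrincipal.IsInRole.
            var principal = new WindowsPrincipal(identity);
            Console.WriteLine("IsInRole(Administrators): "
                + principal.IsInRole(WindowsBuiltInRole.Administrator));
        }
    }
}
```

Run it twice from the same account, once from a normal prompt and once from an elevated one: the unelevated run lists the SID under denyonlysid and IsInRole returns false, the elevated run lists it under groupsid and IsInRole returns true, which matches the "turn off UAC and/or run your browser as an administrator" observation in the answer.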