ASP.NET Membership - Which RoleProvider to use so User.IsInRole() checks ActiveDirectory Groups?

Question

Very simple question actually:

I currently have IIS anonymous access disabled, users are automatically logged on using their Windows login. However calling User.IsInRole("Role name") returns false. I double-checked User.Identity.Name() and the "Role name" and it should return true.

I currently have this in my Web.Config:

UPDATE
I was calling User.IsInRole("Role name") where I should call User.IsInRole("DOMAIN\Role name")

However I still like to know if the <membership> entry is needed at all?

What should I change? (and is the <membership> entry needed at all?)

  <authentication mode="Windows">
      <forms
      name=".ADAuthCookie"
      timeout="10" />
  </authentication>


<membership defaultProvider="ADMembershipProvider">
  <providers>
    <clear/>
      <add
         name="ADMembershipProvider"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="ADConnectionString"
         connectionUsername="XXX\specialAdUser"
         connectionPassword="xx"
         />
  </providers>
</membership>

<roleManager enabled="true" defaultProvider="WindowsProvider">
  <providers>
    <clear />
      <add name="WindowsProvider" type="System.Web.Security.WindowsTokenRoleProvider" />
  </providers>
</roleManager>

Answer 1

The membership provider here isn't going to help. The ActiveDirectoryMembershipProvider seems to best(only?) fit with Forms authentication.

Answer 2

Pretty sure the only thing you need in there is the roleManager group (along with the base authentication mode='windows' setting)

Answer 3

Out of the box, there's no role provider to use Active Directory directly. You can use the role table in the ASP.NET membership- and role-system, or you can use Authorization Manager (AzMan).

There's an article on CodeProject which shows the implementation of a role provider which works against the Active Directory - with full source code. Maybe this helps?

Marc

Answer 4

BlogEngine.NET has an Active Directory role provider.

Answer 5

If you use Windows authentication IsInRole will work with no extra configuration, as long as you remember to prefix the role with the domain, i.e. DOMAIN\groupName.

In addition you can role (pun intended) your own and use Windows auth against, for example, a SQL Role Provider, where you don't want your AD littered with custom roles for your application.

So no, you don't need the provider configuration at all.