0

I need to use the Roles.GetUsersInRole(role) method to get usernames that should receive an email when an event happens. I am using Windows authentication.

In my web.config:

    <system.web>
      <authentication mode="Windows" />
      <identity impersonate="false" />
      <roleManager enabled="true"
                   defaultProvider="AspNetWindowsTokenRoleProvider" />
      ...
    </system.web>

Everything compiles fine; however, when I call that method I get this error:

The configured Role Provider (WindowsTokenRoleProvider) relies upon Windows authentication to determine the groups that the user is allowed to be a member of. ASP.NET Role Manager cannot be used to manage Windows users and groups. Please use the SQLRoleProvider if you would like to support custom user/role assignment.

Is this a configuration issue? I need to continue to use Windows authentication; however, I also need to be able to get usernames from the groups.

If there is no configuration setting to accomplish this, is there any kind of workaround that would get me this functionality?

1
  • Yes, you can use SQL Role Provider to grant access to the MVC Controller in your web application. You can also show / hide the parts of a view using User.IsInRole Method (String) which returns a boolean type. Commented May 12, 2017 at 21:45

1 Answer

3

Here is a working sample ASP.NET MVC 4 application that uses Windows Authentication with SQL Server Role Provider.

In the web.config file, under the <system.web> section:

    <roleManager enabled="true" defaultProvider="SqlRoleProvider">
      <providers>
        <add name="SqlRoleProvider"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="AspNetMembershipConnString"
             applicationName="MembershipAndRoleProviderSample" />
      </providers>
    </roleManager>

This tells the ASP.NET runtime to use SQL role provider and indicates which connection string to use to locate the database.

Because we are using SQL Role Provider, we need a database where users and roles are stored. To create the database, use the aspnet_regsql.exe command (on my Windows 10 Pro machine it's under C:\Windows\Microsoft.NET\Framework\v4.0.30319\), which allows you to create the schema that holds the users and roles.

Note: When creating the schema through this tool, make sure the database name is the same as given in your connection string in the web.config file (coming up next).

Back in the web.config file, add the connection string:

    <connectionStrings>
      <add connectionString="DATA SOURCE = PersonalLaptop\SQLEXPRESS2014; INITIAL CATALOG = AspNetMembership; INTEGRATED SECURITY = SSPI;"
           name="AspNetMembershipConnString" providerName="System.Data.SqlClient" />
    </connectionStrings>

Make sure the name of the connection string is the same as the one in the SQL role provider section.

Note: You don't need the membership provider because you are using Integrated Windows Authentication mode.

Create a role and add a user

There are two ways to do this:

  1. Open up the SQL database where aspnet_regsql.exe has created the tables and stored procs. Create a new record in the aspnet_Users, aspnet_Applications, aspnet_UsersInRoles and aspnet_Roles tables. Since you are using Windows authentication, make sure that you add the Windows user name (Fully Qualified Domain Name / Local User Name) in the aspnet_Users table.

  2. In the HomeController's Index method use the code:

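    if (!Roles.RoleExists("SuperDuperUsers"))
        Roles.CreateRole("SuperDuperUsers");
    if (!Roles.IsUserInRole("<WindowsUserName>", "SuperDuperUsers"))
        Roles.AddUserToRole("<WindowsUserName>", "SuperDuperUsers");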
    

    This will create the role and the user will be added into that role for you.

I have uploaded the sample ASP.NET MVC 4 application on GitHub for you.

In the GitHub repository, the SqlScriptOfTheDatabase.sql file contains the schema that is created to store the users and roles and their relationship. You can use this instead of using the aspnet_regsql.exe command if you want.


2 Comments

Thanks for your extremely thorough answer. I'm hoping our IT staff can manage the groups through Active Directory. Is there a way to set up the db so that it will be updated when there is a change in AD?
@user3839756 you are welcome! Since you want to restrict the access to certain parts of your web application based upon the roles that you define in the web.config file, it has to be a manual job. Once you have AD groups set up, you can assign a group to a particular role which will have particular access in your web application. The mapping of AD groups and roles will have to be done manually simply because the business will decide what departments can see or edit what parts of the application. Hope this makes sense.
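
One way to keep a SqlRoleProvider role in step with an Active Directory group, the situation raised in the comments, with the group-to-role mapping still defined by hand. This is an added example, not part of the answer or its GitHub sample; the class name AdRoleSync, the group name and the netBiosDomain parameter are hypothetical, and it assumes users are stored as DOMAIN\samAccountName and that the project references System.DirectoryServices.AccountManagement.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Web.Security;

public static class AdRoleSync
{
    // Hand-maintained mapping: application role -> AD group (group name is a constructed placeholder).
    private static readonly Dictionary<string, string> RoleToAdGroup =
        new Dictionary<string, string> { { "SuperDuperUsers", "EXAMPLE-App-SuperDuperUsers" } };

    // Makes each role's membership equal to its AD group's enabled users.
    // Returns the number of additions plus removals so the caller can log it.
    public static int Sync(string netBiosDomain)
    {
        int changes = 0;
        using (var ctx = new PrincipalContext(ContextType.Domain))
        {
            foreach (var map in RoleToAdGroup)
            {
                using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, map.Value))
                {
                    // Stop rather than guess: a missing group should be investigated, not treated as empty.
                    if (group == null)
                        throw new InvalidOperationException("AD group not found: " + map.Value);

                    // Nested groups are expanded; disabled accounts are left out.
                    var wanted = new HashSet<string>(
                        group.GetMembers(true).OfType<UserPrincipal>()
                             .Where(u => u.Enabled != false)
                             .Select(u => netBiosDomain + "\\" + u.SamAccountName),
                        StringComparer.OrdinalIgnoreCase);

                    if (!Roles.RoleExists(map.Key)) Roles.CreateRole(map.Key);
                    var current = new HashSet<string>(Roles.GetUsersInRole(map.Key), StringComparer.OrdinalIgnoreCase);

                    // Removals first, so someone dropped from the AD group loses the role even if adding fails.
                    var toRemove = current.Where(u => !wanted.Contains(u)).ToArray();
                    var toAdd = wanted.Where(u => !current.Contains(u)).ToArray();
                    if (toRemove.Length > 0) Roles.RemoveUsersFromRole(toRemove, map.Key);
                    if (toAdd.Length > 0) Roles.AddUsersToRole(toAdd, map.Key);
                    changes += toRemove.Length + toAdd.Length;
                }
            }
        }
        return changes;
    }
}
```

Run it from a scheduled job under an account that can read the directory; Roles.GetUsersInRole("SuperDuperUsers") then returns the group's current members for the notification e-mail.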
