How to secure a MVC 5 ASP.NET Web API by Active Directory group?

Hi Experts,

I am working on an ASP.NET Web API application; currently there is no security on it. The API runs on an internal network. I want to allow only users from a certain Active Directory group to access the web API, for all the routes. I read around the MSDN documentation but haven't found a quick example. Can anybody provide a quick example, or find one?
Below are more details:
1. I am using Visual Studio 2013 and C#.NET
2. The ASP.NET Web API is using MVC 5; it has multiple controllers and all of them need to be secured by the same AD group
3. The Web API is hosted by IIS 7 on a Windows 2008 server.
4. If the API HTTP request is rejected, it just needs to return some short JSON with an error message, without asking the user to input their identity.

Please help me make the example or find one. If an IIS setting is required, please let me know.

Thank you!
huangs3 Asked:
omgang (IT Manager) Commented:
I have an MVC5 app that is restricted by AD group.  For each controller action I evaluate the logged on user ( string LoggedInUser = User.Identity.Name; ) and pass it to an extension method that calls a web service to return all AD groups the user ID is a member of.  I then enumerate the groups looking for appropriate match(es).  The key here is that I have an existing web service specifically for the purpose of getting AD information for a user ID.  If you have something similar in your environment then you can simply do what I describe above.  If you don't have a web service to consume you'll need to take another approach.  A few years ago I built a web forms app that needed similar AD group restrictions and I was not aware we had an available web service.  I investigated building the AD lookup functionality within the app and was able to make it work.  I'll see if I still have sample code for that.
OM Gang
huangs3 (Author) Commented:
Hi omgang,

Thank you for your suggestion! Checking the user identity against the AD group is one of the issues that I think I will face.
On the other hand, is there any way to check the identity even before the request is routed to a specific action of the controller? That way I would only need to change the code in one place.

Thank you!
omgang (IT Manager) Commented:
This is the ADRoleProvider I experimented with previously
http://www.codeproject.com/Articles/28546/Active-Directory-Roles-Provider
You may want to do some searching to see if there is something newer as this is relatively old.

As for authenticating once, I did experiment with using session variables.  There's a good discussion here http://stackoverflow.com/questions/560084/session-variables-in-asp-net-mvc

For my solution I constructed an extension method to handle the AD lookup and simply call it from all my controller actions.  This way, my lookup code is in one place only.

```csharp
// Inside a controller action: User is the controller's current principal
string LoggedInUser = User.Identity.Name;

// call class method (an extension method on string) to determine if the logged in user
// is a member of any of the required AD groups
bool isAgencyUser = LoggedInUser.AuthorizedUser("agency");
bool isElevatedAgencyUser = LoggedInUser.AuthorizedUser("elevatedAgency");
bool isAnotherUser = LoggedInUser.AuthorizedUser("another");
```

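As an added example (not code from the original thread, and not omgang's extension method), here is one way to do what huangs3 asks about in the follow-up: a single Web API 2 authorization filter, registered globally, that checks the caller's Windows logon token for membership in one AD group before any controller action runs, and answers rejected requests with a short JSON body instead of a credential prompt. It assumes the site has IIS Windows Authentication enabled and Anonymous Authentication disabled, so that the request principal is a WindowsPrincipal; the namespace, the group name CONTOSO\WebApiUsers and the error messages are placeholders.

```csharp
// Added example, not from the original thread. Assumes IIS Windows Authentication
// is on and Anonymous Authentication is off for the site, so every request that
// reaches the filter carries a WindowsPrincipal built from the caller's logon token.
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

namespace WebApiAdGroupAuth   // hypothetical namespace
{
    public class RequireAdGroupAttribute : AuthorizationFilterAttribute
    {
        private readonly string _groupName;

        // groupName is "DOMAIN\GroupName"; the value used below is a placeholder.
        public RequireAdGroupAttribute(string groupName)
        {
            _groupName = groupName;
        }

        // Runs before the action is selected and executed, for every route
        // the filter is registered on (globally, in WebApiConfig.Register below).
        public override void OnAuthorization(HttpActionContext actionContext)
        {
            var principal = actionContext.RequestContext.Principal as WindowsPrincipal;

            // No Windows identity: Anonymous Authentication is still enabled in IIS,
            // or the caller never authenticated. Refuse rather than fall through.
            if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            {
                actionContext.Response = Reject(actionContext.Request,
                    HttpStatusCode.Unauthorized, "Windows authentication required");
                return;
            }

            // WindowsPrincipal.IsInRole checks the group SIDs in the logon token,
            // so nested group membership is honoured without a separate LDAP query.
            if (!principal.IsInRole(_groupName))
            {
                // 403, not 401: IIS attaches a WWW-Authenticate challenge to 401 responses,
                // which is what makes a browser prompt for credentials again.
                actionContext.Response = Reject(actionContext.Request,
                    HttpStatusCode.Forbidden, "Not a member of the required group");
            }
        }

        private static HttpResponseMessage Reject(HttpRequestMessage request,
                                                  HttpStatusCode status, string message)
        {
            // Short JSON body; the caller's user name and the group name are
            // deliberately not echoed back to the client.
            return request.CreateResponse(status, new { error = message });
        }
    }

    public static class WebApiConfig
    {
        public static void Register(HttpConfiguration config)
        {
            // One registration covers all controllers and actions; no per-action code.
            config.Filters.Add(new RequireAdGroupAttribute(@"CONTOSO\WebApiUsers"));

            config.MapHttpAttributeRoutes();
            config.Routes.MapHttpRoute(
                name: "DefaultApi",
                routeTemplate: "api/{controller}/{id}",
                defaults: new { id = RouteParameter.Optional });
        }
    }
}
```

On the IIS side this needs Windows Authentication enabled and Anonymous Authentication disabled for the site in IIS Manager, and `<authentication mode="Windows" />` under `<system.web>` in web.config; with anonymous access off, IIS completes the Negotiate/NTLM handshake before the request reaches the filter, so the first branch only fires if that configuration is wrong. Two caveats: the group check reads the caller's logon token, so adding or removing someone from the AD group takes effect only once they obtain a fresh token (new logon or renewed Kerberos ticket), not immediately; and the filter is only as good as its registration, so verify with a user outside the group that every route, including any attribute-routed controller, really returns the 403 JSON.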
huangs3 (Author) Commented:
Thank you omgang! I will try it today.
huangs3 (Author) Commented:
We ended up using a similar idea, even though we didn't directly use the code.