How do I make AuthorizeAttribute work with local A

Posted 2019-04-28 22:15

Question:

In this ASP.NET MVC 3 intranet application (created using MVC 3 Intranet Application template), where users are authenticated automatically against AD, I'm trying to restrict access to a controller to users in the local Administrators group. In order to achieve this, I've tried to apply AuthorizeAttribute like so:

[Authorize(Roles = "Administrators")]
public class ElmahController : Controller

However, even though my AD user (the application reports the expected user has been authenticated) is in the local Administrators group, I cannot gain access to the controller when AuthorizeAttribute is applied. Only a blank page comes up. What am I doing wrong?

On the other hand, I've verified that specifying my particular user works:

[Authorize(Users = @"ad\arve")]
public class ElmahController : Controller

In this case, I can retrieve the restricted page successfully.

EDIT: I found that qualifying the group with BUILTIN worked:

[Authorize(Roles = @"BUILTIN\Administrators")]

Is this the definitive way of referring to local groups via AuthorizeAttribute though?

Answer 1:

Follow my tutorial, How to Create an Intranet Site Using ASP.NET MVC. You need to use the built-in AspNetWindowsTokenRoleProvider class, which uses Windows groups as roles.

[Authorize(Roles = @"BUILTIN\Administrators")]

Will only work if you are an admin on the IIS server. If you deploy your application to a production server for your company, you will need to be made a local admin on the production server.
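
An added example, not part of the original thread or of any poster's code: a custom AuthorizeAttribute for Windows authentication that tests for the local Administrators group by its well-known SID instead of the "BUILTIN\Administrators" name string, and answers authenticated non-members with 403 rather than the default 401. The attribute name LocalAdministratorsAttribute is hypothetical; ElmahController is the controller name from the question.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Hypothetical attribute (added example): allows only members of the
// server's local Administrators group.
public class LocalAdministratorsAttribute : AuthorizeAttribute
{
    // Well-known SID S-1-5-32-544 (BUILTIN\Administrators). Matching on the
    // SID does not depend on the group's display name, which differs on
    // localized Windows installations.
    private static readonly SecurityIdentifier LocalAdmins =
        new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        // Only a Windows-authenticated principal carries group SIDs to test;
        // anything else (anonymous, forms identity) is denied.
        var principal = httpContext.User as WindowsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
            return false;

        return principal.IsInRole(LocalAdmins);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // The base class returns 401 for every failure. Keep that for
        // unauthenticated callers so Windows authentication can be negotiated,
        // but tell an authenticated non-admin explicitly that access is denied.
        var user = filterContext.HttpContext.User;
        if (user != null && user.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403, "Forbidden");
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

// Usage on the controller from the question (body omitted here).
[LocalAdministrators]
public class ElmahController : Controller
{
}
```

The membership test is evaluated on the web server, so it reflects that machine's local Administrators group, as Answer 1 notes for the role-string form.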



Answer 2:

You can use a custom AD authorization attribute to place above each action or controller. I have done this before and did something very similar to the link below. This works if you are using forms authentication and not Windows.

Active Directory Authorization based on Groups