Many enterprises use Active Directory (AD) to manage user accounts and Security Groups to manage access to resources.
So a common task is to build some internal resource that provides certain functionality for your team, without exposing its data outside the team. Enabling Windows authentication is easy, but usually we also need authorization, that is, limiting access to certain groups.
The task is simple, but for some reason it is hard to find a manual for it. The steps are as follows:
- Enable Windows authentication in Web.config
- Add a WindowsTokenRoleProvider that exposes all Security Groups of the caller as ASP.NET roles
- Configure authorization rules based on those roles
- Disable anonymous authentication for IIS Express
Changes in Web.config:
    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      ...
      <system.web>
        ...
        <authentication mode="Windows" />
        <authorization>
          <allow roles="DOMAIN\MyTeam" />
          <deny users="*" />
        </authorization>
        <roleManager cacheRolesInCookie="false" defaultProvider="WindowsProvider" enabled="true">
          <providers>
            <clear />
            <add name="WindowsProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
          </providers>
        </roleManager>
      </system.web>
      ...
    </configuration>
The order of the authorization rules matters: they are evaluated top to bottom and the first match wins, so the <allow> for DOMAIN\MyTeam has to come before <deny users="*" />, which then denies every authenticated user who is not in the group (a <deny users="?" /> would only deny anonymous users). WindowsTokenRoleProvider reads the groups from the caller's Windows token, so role names have the DOMAIN\Group form used above, and cacheRolesInCookie="false" keeps the roles from being persisted in a client-side cookie.
Changes in project file:
    <Project ToolsVersion="12.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
      <PropertyGroup>
        <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
        <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
        ...
        <TargetFrameworkVersion>v4.6.1</TargetFrameworkVersion>
        <UseIISExpress>true</UseIISExpress>
        <IISExpressSSLPort />
        <IISExpressAnonymousAuthentication>disabled</IISExpressAnonymousAuthentication>
        <IISExpressWindowsAuthentication>enabled</IISExpressWindowsAuthentication>
        <IISExpressUseClassicPipelineMode />
        <UseGlobalApplicationHostFile />
        ...
      </PropertyGroup>
      ...
The two IISExpress* settings only affect the IIS Express instance Visual Studio starts for debugging. On a real IIS server the same thing is done in the Authentication feature of IIS Manager (or applicationHost.config): disable Anonymous Authentication and enable Windows Authentication for the site, otherwise requests arrive without a Windows identity and the roles are empty.
P.S. You can also use security groups to restrict access to individual controllers and actions based on the same roles (AuthorizeAttribute with Roles = "DOMAIN\MyTeam").
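The controller-level variant of the same rule, as an added example that is not code from the original post. It assumes an ASP.NET MVC 5 project using the Web.config above, so role names are the DOMAIN\Group strings produced by WindowsTokenRoleProvider. DOMAIN\MyTeam is the group from the post; DOMAIN\MyTeamAdmins is a hypothetical second group used only to show a stricter per-action rule.

```csharp
using System.Web.Mvc;

// Added example, not part of the original post. Assumes Windows authentication and
// WindowsTokenRoleProvider are configured in Web.config as shown above.
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        // Deny by default: every action requires an authenticated user unless it is
        // explicitly marked [AllowAnonymous]. Forgetting an attribute on a new
        // controller then fails closed instead of open.
        filters.Add(new AuthorizeAttribute());
        filters.Add(new HandleErrorAttribute());
    }
}

// Whole controller: members of DOMAIN\MyTeam only (group name from the post).
[Authorize(Roles = @"DOMAIN\MyTeam")]
public class ReportsController : Controller
{
    public ActionResult Index()
    {
        // Roles can also be checked in code, e.g. to hide admin-only UI elements.
        // DOMAIN\MyTeamAdmins is a hypothetical group, not from the post.
        ViewBag.CanDelete = User.IsInRole(@"DOMAIN\MyTeamAdmins");
        return View();
    }

    // Both attributes apply: the caller must be in DOMAIN\MyTeam (controller level)
    // AND in DOMAIN\MyTeamAdmins (action level). Destructive actions are POST-only
    // and anti-forgery protected so a group member cannot be tricked into calling them.
    [Authorize(Roles = @"DOMAIN\MyTeamAdmins")]
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Delete(int id)
    {
        // ... delete report `id` here ...
        return RedirectToAction("Index");
    }
}
```

With `<deny users="*" />` in Web.config the UrlAuthorizationModule already rejects non-members of DOMAIN\MyTeam before MVC runs; the attributes add finer granularity inside the application (per controller, per action) and keep working if the Web.config rule is later loosened. Because roleManager is enabled, `User` is a RolePrincipal and `User.IsInRole` as well as `[Authorize(Roles = ...)]` go through the configured role provider.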
Are these the same changes needed for ASP.NET Core web applications?
Not the same, but I guess conceptually similar. You have to enable NTLM auth when you configure your WebHostBuilder and add something similar to the Windows Role Provider.
Is there a way to use the ObjectGUID from AD rather than the name of the security group?
In an organization where security groups are created automatically based on the organizational hierarchy, the names of the groups keep changing.
I do not think so… At least I do not know about such functionality, but you could start from here https://msdn.microsoft.com/en-us/library/wce3kxhd.aspx and verify the syntax allowed for the authorization section. Also you could probably inherit from System.Web.Security.WindowsTokenRoleProvider, implement ObjectGUID verification and specify your custom role manager provider in web.config.
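One way to implement the custom provider suggested in the comment above, as an added example that is not code from the post or the commenter. Instead of the ObjectGUID it keys roles on the group SID: the SID of an AD group does not change when the group is renamed, and the user's Windows token already carries the SIDs of all groups the logon enabled, so no LDAP lookup is needed per request. The class name, the role names and the SIDs below are constructed placeholders; the real SIDs can be read with (Get-ADGroup MyTeam).SID.Value.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example, not from the post. Maps stable role names to AD group SIDs so that
// Web.config rules (<allow roles="MyTeam" />) survive group renames.
public class SidMappedWindowsRoleProvider : WindowsTokenRoleProvider
{
    // Constructed sample mapping: role name -> group SID. Replace with your own SIDs.
    private static readonly Dictionary<string, SecurityIdentifier> RoleSids =
        new Dictionary<string, SecurityIdentifier>(StringComparer.OrdinalIgnoreCase)
        {
            ["MyTeam"]       = new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1105"),
            ["MyTeamAdmins"] = new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1106"),
        };

    // Like the base provider, only answer for the identity of the current request.
    // Refusing other user names prevents the provider being used as an oracle for
    // arbitrary accounts.
    private static WindowsIdentity CurrentIdentity(string username)
    {
        var identity = HttpContext.Current?.User?.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated ||
            !string.Equals(identity.Name, username, StringComparison.OrdinalIgnoreCase))
            return null;
        return identity;
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        var identity = CurrentIdentity(username);
        if (identity == null || identity.Groups == null) return false;

        SecurityIdentifier sid;
        // Unknown role name -> false (fail closed), never an exception the caller might swallow.
        return RoleSids.TryGetValue(roleName, out sid) && identity.Groups.Contains(sid);
    }

    public override string[] GetRolesForUser(string username)
    {
        var identity = CurrentIdentity(username);
        if (identity == null || identity.Groups == null) return new string[0];

        // identity.Groups holds the token's enabled group SIDs (nested groups already expanded).
        var tokenSids = new HashSet<SecurityIdentifier>(identity.Groups.OfType<SecurityIdentifier>());
        return RoleSids.Where(kv => tokenSids.Contains(kv.Value))
                       .Select(kv => kv.Key)
                       .ToArray();
    }

    public override string[] GetAllRoles() => RoleSids.Keys.ToArray();

    public override bool RoleExists(string roleName) => RoleSids.ContainsKey(roleName);
}
```

To use it, point the roleManager provider at this class, e.g. type="MyApp.SidMappedWindowsRoleProvider, MyApp" (assumed namespace and assembly), and write the authorization rules and AuthorizeAttribute values with the mapped role names (MyTeam) instead of DOMAIN\Group names. Note that the token reflects group membership at logon time, so a user added to a group only gets the role after a new logon (new Kerberos ticket or NTLM session), exactly as with the stock WindowsTokenRoleProvider.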
No idea
The … section is not needed anymore if you use Visual Studio 2017, ASP.NET MVC.
I mean the roleManager section.