Can't make AuthorizeAttribute work, if role name contains spaces

While working over a windows domain intranet site (with <authentication mode="Windows" />) I came across the following problem:

[Authorize(Roles = "Domain Users, Domain Admins")]
public class MyController: Controller {...}

This controller is not available for any user because of the spaces in the names of the active directory groups. So can I make MVC (or ASP.Net) authorize correctly, while using role names (here: names of AD groups) with spaces?

Just similar questions with no response:

  1. AD Groups with spaces used for roles authorization.
  2. How to write AuthorizeAttribute if a role contains space
Afghan answered 25/10, 2012 at 6:40 Comment(0)

Create your own attribute and derive from AuthorizeAttribute. Then override the AuthorizeCore method and implement your own logic with validation on a role that contains a space.

An example could be something like this:

using System.Linq;
using System.Web;
using System.Web.Mvc;

public class CustomAuthAttribute : AuthorizeAttribute
{
   private readonly IUserRoleService _userRoleService;
   private readonly string[] _allowedRoles;

   public CustomAuthAttribute(params string[] roles)
   {
      // IUserRoleService / UserRoleService are the application's own role lookup (not shown here).
      _userRoleService = new UserRoleService();
      _allowedRoles = roles;
   }

   protected override bool AuthorizeCore(HttpContextBase httpContext)
   {
      //something like this.
      var user = httpContext.User;
      // The base AuthorizeCore rejects unauthenticated callers; overriding it drops that check,
      // so it has to be repeated here.
      if (user == null || !user.Identity.IsAuthenticated)
         return false;

      var userName = user.Identity.Name;
      var userRoles = _userRoleService.GetUserRoles(userName); // returns a list of strings
      return _allowedRoles.Any(x => userRoles.Contains(x));
   }
}

Usage

[CustomAuth("role withspace","admin")]
public ActionResult Index()
{
    return View();
}
Manufacture answered 25/10, 2012 at 6:51 Comment(4)
I'd say, writing security code is pretty dangerous, isn't it? – Afghan
@KonstantinVasilcov well no, since you derive from AuthorizeAttribute you will still benefit from the features built into the AuthorizeAttribute. – Manufacture
How do you inject UserRoleService? – Architectural
You can use any DI container for this, like autofac, ninject, etc. – Manufacture

You can try adding "MyDomain\" in front of your names.

[Authorize(Roles = @"mydomain\Domain Users, mydomain\Domain Admins")]

Remember to add the @ or double up the slashes "\".

Dogger answered 9/6, 2014 at 15:26 Comment(0)

Roles containing a space character worked fine when I tried the following:

public static class AppRoles
{
    public const string Manager = @"domain\App Manager";
    public const string Admin = @"domain\App Admin";
}
[Authorize(Roles = AppRoles.Admin)] 
public class MyAbcController : Controller
{
    // Code
}
Nada answered 29/1, 2016 at 18:6 Comment(0)

I have successfully been able to use the [Authorize] attribute against Group Names which contain spaces and my own testing has revealed that spaces are indeed allowed in group names within the [Authorize(Roles = "group name")] attribute.

If your claims are originating from Active Directory and your code is attempting to authorize a request based on group membership in a specific Active Directory Group, and if the request is being denied, it is possible that the Group/Role Name you are specifying in fact does not match the claim value contained in the request Identity, and the request will be blocked.

A possible solution:

  1. Use Active Directory Users and Computers to locate the Active Directory Group that you wish to authorize.
  2. Right-click the group name and choose Properties.
  3. Click on the General tab.
  4. Locate the field 'Group name (pre-Windows 2000):'
  5. Inspect the group name in this field and compare it to what you are using in the [Authorize] attribute in your code.

It is possible that your Active Directory Group Name is different from the pre-Windows 2000 Group Name.

TLDR:

In my case, I discovered that I intended to authorize against the AD Group Name but the [Authorize] process was authorizing against the pre-Windows 2000 Group Name, which caused authorization to fail; the AD Group Name was not the same as the pre-Windows 2000 Group Name.

I may not have arrived at this solution without creating a View to show each claim name and associated claim value. Indeed, it became clear that the claim value contained in the request Identity was not what I expected, and this pointed me back to the Active Directory.

How to install ADUC: Active Directory Users and Computers

Simonette answered 18/4, 2024 at 20:32 Comment(0)
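The diagnostic view the answer above describes (listing what the request identity actually carries, so the configured role string can be compared with it) as an added example; this is not code from any of the answers. It assumes Windows authentication, a hypothetical WhoAmIController, and constructed role values in ExpectedRoles.

```csharp
using System.Linq;
using System.Security.Principal;
using System.Web.Mvc;

// Hypothetical diagnostic controller; remove or lock down once the role names are verified.
public class WhoAmIController : Controller
{
    // Constructed sample values: the role strings the application is configured with.
    private static readonly string[] ExpectedRoles =
    {
        @"mydomain\Domain Users",
        @"mydomain\App Admin"
    };

    [Authorize] // any authenticated Windows user may view their own groups
    public ActionResult Index()
    {
        var identity = User.Identity as WindowsIdentity;
        if (identity == null)
            return Content("Not a WindowsIdentity; check <authentication mode=\"Windows\" />.", "text/plain");

        // Translate each group SID to its DOMAIN\sAMAccountName form. That is the string
        // WindowsPrincipal.IsInRole compares with, i.e. the pre-Windows 2000 group name,
        // which may differ from the display name shown in Active Directory.
        var groupNames = identity.Groups
            .Select(sid =>
            {
                try { return sid.Translate(typeof(NTAccount)).Value; }
                catch (IdentityNotMappedException) { return sid.Value; } // unresolvable SID: show it raw
            })
            .OrderBy(n => n)
            .ToList();

        // Run the same check AuthorizeAttribute performs for each configured role string.
        var checks = ExpectedRoles.Select(r => r + " => " + (User.IsInRole(r) ? "MATCH" : "no match"));

        var lines = new[] { "User: " + identity.Name, "", "Groups as IsInRole sees them:" }
            .Concat(groupNames)
            .Concat(new[] { "", "Configured role checks:" })
            .Concat(checks);

        return Content(string.Join("\n", lines), "text/plain");
    }
}
```

A role that shows "no match" while a similarly named group appears in the list points at a display-name versus pre-Windows 2000 name mismatch, which is the case the answer describes.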
