There are two “roles” in the system,users will have one of the roles.
One role should allows access to some APIs (call it “VIEW”),the other
role allows access to other APIs

>对于基于角色的身份验证,您可以使用[Authorize(“Role”=“Manager”)].令牌将由身份服务器提供,并将声明包含为角色.

All users are in Active Directory,so if I have a username,I can
check what role they are in- Some clients are on Windows Boxes,the
others are on Linux

>如果您有ADFS,那么您可以拥有一个信任ADFS的身份服务器. ADFS将提供一个令牌,它将具有对角色的声明,并且您的Identity Server将进行声明转换,并将相同的角色声明返回到角度应用程序.

I would like to persist the session so I don’t have to look up AD for
every API call

>在请求令牌时,您可以要求离线范围,以便身份服务器将提供具有访问令牌的刷新令牌,以便您不需要一次又一次地要求AD.

I would like single sign on. On the Windows machines,I don’t require
them to enter user and pass as I already can retrieve their username
using Windows Authentication.

>对于这一个,您可以让您的Identity Server信任Windows身份验证的WSFederation.

因此,基本上您需要设置身份服务器,该服务器将为您提供令牌,REST API将使用该令牌来验证声明以将正确的信息返回给用户.