
HttpContext.Current.Request.LogonUserIdentity.Groups returns different results

I'm trying to use the MVC Authorize attribute on a particular controller in my MVC intranet application using Windows authentication. IIS 7.5 is set to use Windows Authentication only, and anonymous access is off in web.config. I am authenticated to the domain. However, I still get prompted for credentials when any action on the controller is executed. I checked my browser settings (IE9) and it is set to automatically log in with my current Windows credentials.

I tried to create a custom Authorize attribute class to see what was going on. Inside AuthorizeCore, I checked my user name and group membership using httpContext. I found that a group I belong to was missing from System.Web.HttpContext.Current.Request.LogonUserIdentity.Groups. Once AuthorizeCore returns false and the prompt for credentials appears, I supply the same credentials that I am currently logged in with and AuthorizeCore runs again. This time, all the appropriate groups are found, the base AuthorizeCore of course authorizes the user, and everything works fine. Here is the custom Authorization class I created so

using System.Collections;
using System.Web;
using System.Web.Mvc;

public class MyAuthorize : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        bool chk = httpContext.User.IsInRole("mydomain\\heavyequipadmin");

        // this is just to see what AD groups are provided for the current user   
        ArrayList groups = new ArrayList();
        foreach (System.Security.Principal.IdentityReference group in System.Web.HttpContext.Current.Request.LogonUserIdentity.Groups)
        {
            groups.Add(group.Translate(typeof(System.Security.Principal.NTAccount)).ToString());
        }

        // just run the base method to Authorize 
        return base.AuthorizeCore(httpContext);
    }
}

The attribute on my entire controller is:

[MyAuthorize(Roles = "mydomain\\HeavyEquipAdmin")]

One other thing, the role manager in web.config is:

 <roleManager defaultProvider="AspNetWindowsTokenRoleProvider" />

Is there something that I am not understanding with regard to how this is supposed to work? I simply want my authentication/authorization to be handled by AD. I am fairly new at MVC and, honestly, at configuring any authentication/authorization scheme. I did download the source for MVC 3 to look at the code for the AuthorizeAttribute class to see if there is something that would make sense to me. Any advice here would be appreciated!

DrewB asked Feb 15 '26 10:02


1 Answer

ANONYMOUS USER PLAYS A ROLE HERE: If the anonymous user is allowed on IIS, then System.Web.HttpContext.Current.Request.LogonUserIdentity.Name takes the user configured as anonymous in IIS. Otherwise it takes the currently logged-in user.

Harshad D answered Feb 18 '26 03:02
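A diagnostic helper for the situation discussed above, added here and not part of the original question or answer: for any WindowsIdentity it reports the account name, authentication type and resolved group names, keeping the raw SID when Translate cannot map one. IdentityReport and its methods are hypothetical names; in the MVC application you would pass httpContext.Request.LogonUserIdentity and httpContext.User.Identity as WindowsIdentity in place of the console stand-ins used in Main.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Added diagnostic helper (hypothetical name), not code from the original post.
public static class IdentityReport
{
    // One line per identity: which account it is, how it authenticated, which groups it carries.
    public static string Describe(string label, WindowsIdentity id)
    {
        if (id == null) return label + ": not a WindowsIdentity";
        if (id.IsAnonymous) return label + ": anonymous token";
        return string.Format("{0}: {1} | authenticated={2} | type={3} | groups={4}",
            label, id.Name, id.IsAuthenticated, id.AuthenticationType,
            string.Join(", ", GroupNames(id)));
    }

    // Translate each group SID to DOMAIN\name; keep the raw SID when it cannot be resolved,
    // so one unmappable SID does not abort the whole listing.
    public static List<string> GroupNames(WindowsIdentity id)
    {
        var names = new List<string>();
        if (id.Groups == null) return names;   // no token, no group list
        foreach (IdentityReference sid in id.Groups)
        {
            try { names.Add(sid.Translate(typeof(NTAccount)).Value); }
            catch (IdentityNotMappedException) { names.Add(sid.Value); }
        }
        names.Sort(StringComparer.OrdinalIgnoreCase);
        return names;
    }

    public static void Main()
    {
        // Console stand-ins for the identities seen during a request.
        Console.WriteLine(Describe("process", WindowsIdentity.GetCurrent()));
        Console.WriteLine(Describe("anonymous", WindowsIdentity.GetAnonymous()));
    }
}
```

Logging both lines on the first request and again after the credential prompt shows whether the account name, the authentication type or only the group list changed between the two calls.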


