ASP.Net MVC app- Authorization performs differently on staging server

Question

We are developing an ASP.Net MVC intranet style app and attempting to leverage windows authentication as the vast majority of users are internal and pre-authenticated to a local domain.

Authentication is implemented in a fairly standard way, except for role information which we have opted to store in our database. We have implemented this in two different ways, (custom RoleProvider and override Context.User-- IsInRole) both of which meet the requirement and work without issue in the development environment hosted on both IIS Express and local IIS servers.

The problem is once we move the app to a staging environment, which is still on the same local network/domin, neither authentication method works. Both methods appear to be ignored, with the windows authentication role provider taking over.

To demonstrate this I have a chunk of code in my Home/Index page which enumerates the windows domain groups and tests User.IsInRole for each of them, in addition to User.IsInRole("Users") (a custom role). Under development environment each Windows group returns false, whilst the custom role returns true. Under staging environment the opposite is true.

I am happy with either method of achieving the desired outcome, so I am after some pointers as to why either of the following simply do not work.

• Custom role provider is not taking effect

• Global.asax "Application_AuthenticateRequest" event never fires, thus custom User object with overridden IsInRole method is not used.

  protected void Application_AuthenticateRequest(Object sender, EventArgs e) { if (Context.User != null) Context.User = new UserPrincipal(Context.User.Identity); }

Server 2008, IIS 7, MVC 5.1

Thank you in advance.

Answer 1

The issue was I followed a recommendation to remove runAllManagedModulesForAllRequests="true" from the modules section of my application's web.config, however this caused the relevant application events to cease firing (as the module wasn't registered).

See article here, and further info regarding this issue in the comments. http://www.britishdeveloper.co.uk/2010/06/dont-use-modules-runallmanagedmodulesfo.html

Replacing the runAllManagedModulesForAllRequests="true" attribute has now resolved the issue, however I'm attempting to install the MS provided hotfix which is mentioned to remove reliance on this and/or manually registered modules.