I'm using the C# sample from MSDN on how to authenticate against an active
directory. What I notice is that I get the list of groups placed in the
ticket, it gets encrypted just great. (I'm watching this in the debugger).
Then when I step through the code and get to the decryption function, it
decrypts the ticket, but my user groups are gone, they are just "", which
causes my "isinrole" checks to fail.

I'm baffled by this.

code snippets from the sample below: "Domain" is a valid appconfig key

// code snippet from login.aspx.cs
// Retrieve the user's groups
string groups = adAuth.GetGroups(Domain,
// Create the authetication ticket
FormsAuthenticationTicket authTicket =
new FormsAuthenticationTicket(1, // version
false, groups);
// Now encrypt the ticket.
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
// Create a cookie and add the encrypted ticket to the
// cookie as data.
HttpCookie authCookie =
new HttpCookie(FormsAuthentication.FormsCookieName,
// Add the cookie to the outgoing cookies collection.

// Print out the authTicket.UserData to make sure I actually have the groups
Msg.Text = "Authentication succeeded" + "<br>" + "Groups: " +

// The above line is validated by stepping through the debugger, the groups
// although not all of them - Domain users doesn't appear, I'm not sure why
that is
// maybe that is a code problem

// Redirect the user to the originally requested page
FormsAuthentication.RedirectFromLoginPage(UserName .Value, false);

Now as I'm stepping through the code I hit global.asax.cs where I set

// code snippet from global.asax.cs
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
// Extract the forms authentication cookie
string cookieName = FormsAuthentication.FormsCookieName;
HttpCookie authCookie = Context.Request.Cookies[cookieName];
if(null == authCookie)
// There is no authentication cookie.
FormsAuthenticationTicket authTicket = null;
authTicket = FormsAuthentication.Decrypt(authCookie.Value);

When I hit the above try and look at authTicket in the debugger, the
uservalues are "" instead of containing my groups. This is why my "isinrole"
check fails.

So I guess I have two questions:
1) Why do I not pick up all user groups? I pick up the one I created by not
the builtin domain users group, is that by design?
2) Why would a decrypt be successfull, but be missing userdata from the
cookie. All the other data in the ticket looks great.

If anyone can help me resolve this, I'd be grateful.