
Azure AD RBAC User.IsInRole throws Trust Relationship error when not on domain

I've written a C# app that uses Azure AD. Below is my Startup.Auth.cs file. Everything works fine when I am connected to the domain. However, when I use User.IsInRole when not on the domain I get a Trust Relationship error. What could be the cause?

Additionally: using [Authorize(Roles="MyRole")] WORKS! The exact error is: The trust relationship between this workstation and the primary domain failed.

// Startup.Auth.cs
using System.Configuration;
using System.Threading.Tasks;
using Microsoft.Owin.Extensions;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Azure AD app registration settings, read from web.config <appSettings>.
    private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
    private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
    private static string tenantId = ConfigurationManager.AppSettings["ida:TenantId"];
    private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];
    private static string redirectUri = ConfigurationManager.AppSettings["ida:RedirectUri"];

    // e.g. https://login.microsoftonline.com/ + <tenant id>
    string authority = aadInstance + tenantId;

    public void ConfigureAuth(IAppBuilder app)
    {
        // The OpenID Connect sign-in result is persisted in the cookie middleware.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                Authority = authority,
                PostLogoutRedirectUri = postLogoutRedirectUri,
                RedirectUri = redirectUri,
                TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters()
                {
                    ValidateIssuer = true, // For Single-Tenant App: reject tokens issued for other tenants.
                    RoleClaimType = "roles" // Map the "roles" claim in the id_token to IsInRole / [Authorize(Roles=...)].
                },

                Notifications = new OpenIdConnectAuthenticationNotifications()
                {
                    // Runs when token validation fails. Returning a completed task without
                    // calling context.HandleResponse() leaves the failure to propagate.
                    AuthenticationFailed = (context) =>
                    {
                        return Task.FromResult(0);
                    }
                }

            });
        // This makes any middleware defined above this line run before the Authorization rule is applied in web.config
        app.UseStageMarker(PipelineStage.Authenticate);
    }
}

I finally figured this out. Here is an example of what I was doing in my controller:

var entitiesToDisplay = db.myEntities
    .Where(x => x.RequiredRole == string.Empty || User.IsInRole(x.RequiredRole));

I changed this to:

IEnumerable<Entities> entitiesToDisplay;
if (Request.IsAuthenticated) {
    // Only evaluate role membership for a signed-in user.
    entitiesToDisplay = db.myEntities
        .Where(x => x.RequiredRole == string.Empty || User.IsInRole(x.RequiredRole));
}
else {
    // Anonymous request: show nothing.
    entitiesToDisplay = new List<Entities>();
}

Ultimately, it turns out that User.IsInRole throws the exception when Request.IsAuthenticated is not true. Checking Request.IsAuthenticated resolved my issue.
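The following is an added example, not code from the question or the answer above. It shows the same fix as a reusable helper that fails closed: for an unauthenticated request ASP.NET hands the controller a WindowsPrincipal wrapping the anonymous WindowsIdentity, and WindowsPrincipal.IsInRole(string) tries to translate the role name to a SID through the domain, which is what produces the trust relationship error off-domain. The helper checks IsAuthenticated first and then reads the "roles" claim that the Startup.Auth.cs above maps via RoleClaimType, so the check never reaches the domain. The entity type, the filter method and the sample principals are assumptions constructed for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Security.Principal;

public static class RoleCheck
{
    // Claim type the OpenID Connect middleware was configured with (RoleClaimType = "roles").
    // Assumption: the middleware maps app roles to this claim type.
    private const string RoleClaimType = "roles";

    // Fail closed: never call IsInRole on an unauthenticated principal, because for an
    // anonymous request it is a WindowsPrincipal and the role lookup goes to the domain.
    public static bool HasRole(IPrincipal user, string role)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        if (string.IsNullOrEmpty(role))
            return false;

        // Prefer the claims carried in the token over IPrincipal.IsInRole.
        var claimsPrincipal = user as ClaimsPrincipal;
        if (claimsPrincipal != null)
        {
            return claimsPrincipal.HasClaim(c =>
                c.Type == RoleClaimType && string.Equals(c.Value, role, StringComparison.Ordinal));
        }
        return user.IsInRole(role);
    }
}

// Placeholder entity standing in for db.myEntities in the answer above.
public class MyEntity
{
    public string Name { get; set; }
    public string RequiredRole { get; set; } // empty: visible to any signed-in user
}

public static class EntityFilter
{
    // Returns the entities the caller may see. The filter runs in memory (AsEnumerable)
    // because a claims/role check cannot be translated to SQL by an IQueryable provider.
    public static IList<MyEntity> Visible(IEnumerable<MyEntity> entities, IPrincipal user)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return new List<MyEntity>();

        return entities
            .AsEnumerable()
            .Where(x => string.IsNullOrEmpty(x.RequiredRole) || RoleCheck.HasRole(user, x.RequiredRole))
            .ToList();
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data.
        var entities = new List<MyEntity>
        {
            new MyEntity { Name = "public-report", RequiredRole = "" },
            new MyEntity { Name = "admin-panel",   RequiredRole = "MyRole" },
            new MyEntity { Name = "audit-log",     RequiredRole = "Auditor" },
        };

        // Unauthenticated principal: ClaimsIdentity with no authentication type.
        var anonymous = new ClaimsPrincipal(new ClaimsIdentity());

        // Authenticated principal as the OpenID Connect middleware would build it,
        // with RoleClaimType = "roles" and one app role assigned.
        var signedIn = new ClaimsPrincipal(new ClaimsIdentity(
            new[]
            {
                new Claim(ClaimTypes.Name, "alice@contoso.example"),
                new Claim("roles", "MyRole"),
            },
            "OpenIdConnect", ClaimTypes.Name, "roles"));

        Console.WriteLine("anonymous sees: " +
            string.Join(", ", EntityFilter.Visible(entities, anonymous).Select(e => e.Name)));
        // anonymous sees: (nothing)
        Console.WriteLine("alice sees: " +
            string.Join(", ", EntityFilter.Visible(entities, signedIn).Select(e => e.Name)));
        // alice sees: public-report, admin-panel
    }
}
```

In a controller the call becomes EntityFilter.Visible(db.myEntities, User); with the [Authorize] attribute the unauthenticated branch is never reached, which is why the attribute form in the question worked while the inline IsInRole call did not.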
