The previous samples have been exclusively using a username in a UPN format: firstname.lastname@example.org. Even though the full configuration for the samples was not shown, they were using the ActiveDirectoryMembershipProvider configuration shown in Chapter 13. This allowed me to first log in with forms authentication against the directory, and then AuthorizationStoreRoleProvider initialized its client context with the same UPN. The nice thing about the UPN format is that using both the Membership and Role Manager providers together works.
Logging in with a UPN places that value in the forms authentication ticket. When it comes time for AuthorizationStoreRoleProvider to fetch role information for the user, it calls InitializeClientContextFromName to set up the client context. This method accepts and parses usernames following the same rules defined in the Win32 API method LookupAccountName. UPNs provide unambiguous identification of a user account, which is why UPN style usernames work well with both providers.
Problems can arise, though, if your Membership provider is configured to use the sAMAccountName attribute. Because ActiveDirectoryMembershipProvider already knows the domain that it operates in, the provider does not allow the username parameter to include the DOMAIN portion. As a result, if you validate a forms authentication login with ActiveDirectoryMembershipProvider, the username that ends up in FormsAuthenticationTicket