I am using windows authentication for an intranet MVC application. I want to add additional logic to the authentication process. In other words as well as existing in AD, the user must also exist in a custom database before they are authenticated.
They should also be able to log out of the MVC app, and log in again with the same AD identification, but with a different department selected.
I'm not sure of the best way of approaching this, as switching on windows authentication prevents any custom membership provider from being run.
I think you would have to use domain mechanisms, and check if a user is in a role.
Scott Gu's description:
http://weblogs.asp.net/scottgu/archive/2006/07/12/Recipe_3A00_-Enabling-Windows-Authentication-within-an-Intranet-ASP.NET-Web-application.aspx
MSDN description:
http://msdn.microsoft.com/en-us/library/ff647405.aspx
... this is actually easier than making SQL account permissions in a Domain
If you are using Windows authentication, then IE will send those credentials through to IIS. To reduce the dependency on AD being accessible and quick enough, you can pull AD information into some tables local to your app, then use those tables. Constantly broadcasting to AD may cause you some app slowness. Once you have a list of AD users and the groups they are in, in some local DB tables, then a web site MVC user can be presented with a list of choices of AD groups they belong to. When they have chosen one of the AD groups they belong to, set the group in the cookie and/or session state.
An issue with this is that your AD DB tables will need to be pulled from AD and updated every so often.
Just one way of doing it ...
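The layered check both answers describe (the Windows identity must also exist in the app's own tables, and the AD group the user picked is kept in session and re-validated against the locally synced group table) as an added ASP.NET MVC example; it is not code from either poster. `ILocalDirectory`, `LocalDbAuthorizeAttribute` and `DepartmentController` are hypothetical names, and the lookup is assumed to be wired up at application startup.

```csharp
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

// Hypothetical lookup against the app's own user/group tables (names are assumptions).
public interface ILocalDirectory
{
    bool UserExists(string samAccountName);
    IList<string> GroupsForUser(string samAccountName);
}

// IIS/Windows auth has already established the identity; this filter additionally
// requires the account to be present in the local user table and, once a group
// has been chosen, that it is one the local tables record for this user.
public class LocalDbAuthorizeAttribute : AuthorizeAttribute
{
    public const string SelectedGroupKey = "SelectedAdGroup";
    public static ILocalDirectory Lookup;   // assumption: assigned in Application_Start

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext)) return false;   // no Windows identity
        var name = httpContext.User.Identity.Name;            // DOMAIN\user
        if (string.IsNullOrEmpty(name) || !Lookup.UserExists(name)) return false;
        // A selected group is optional until the user picks one, but a value in
        // session is never trusted on its own: it must match the local group table.
        var selected = httpContext.Session?[SelectedGroupKey] as string;
        return selected == null || Lookup.GroupsForUser(name).Contains(selected);
    }

    // Distinguish "authenticated but not in our database" (deny) from "not
    // authenticated" (let IIS issue the 401 challenge) to avoid a login loop.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403, "Not registered in application database");
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

// Records the chosen group only after checking the user actually holds it.
public class DepartmentController : Controller
{
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Select(string group)
    {
        if (!LocalDbAuthorizeAttribute.Lookup.GroupsForUser(User.Identity.Name).Contains(group))
            return new HttpStatusCodeResult(400, "Group not held by user");
        Session[LocalDbAuthorizeAttribute.SelectedGroupKey] = group;
        return RedirectToAction("Index", "Home");
    }
}
```

Applying `[LocalDbAuthorize]` globally (or per controller) gives every action the combined AD-plus-local-table check; "logging out" to pick a different department is then just abandoning the session and posting to `Select` again.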