OWIN identity roles work locally, but seem to disa

Published 2019-08-12 17:17

Question:

Using an OWIN AuthenticationHandler within an MVC site, I sign in a user as follows:

// The role is carried as a claim on the identity that goes into the cookie
var claims = new List<Claim> { new Claim(ClaimTypes.Role, UIRoles.PowerUser) };
var identity = session.ToClaimsIdentity(DefaultAuthenticationTypes.ApplicationCookie, claims);
Context.Authentication.SignIn(identity);

At some point at a later time, I check that the user is a PowerUser:

User.Identity.HasRole(UIRoles.PowerUser)

This works on my local IIS, but once I publish it on a remote IIS machine, it always returns False when I try to check if the user is a PowerUser. Why could this happen? Am I missing something from, say, the IIS server's configuration or within the remote machine's web.config?

Answer 1:

I found the cause. It is a bit silly. I was reissuing cookies when I wanted to renew the user's session, and the problem was that the SessionInfo object I was renewing these cookies to was being replaced with another SessionInfo object without any extra claims:

// No extra claims passed: the re-issued cookie carries only the session's own claims
session.ToClaimsIdentity(DefaultAuthenticationTypes.ApplicationCookie);

This was wiping the extra claim of UIRoles.PowerUser from the original cookie for me.
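The failure mode in the question and the cause given in the answer, reduced to a runnable console program. This is an added example, not code from the original post or from OWIN: it uses only System.Security.Claims, with a hypothetical SessionInfo class and a stand-in ToClaimsIdentity extension whose shape (session plus optional extra claims) is assumed from how the poster calls it, and a string literal in place of DefaultAuthenticationTypes.ApplicationCookie. It puts the buggy renewal (identity rebuilt from the session alone) beside a renewal that copies the existing identity's claims into the new one, so the role claim survives the re-issued cookie.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Hypothetical stand-in for the poster's SessionInfo: only identity basics are persisted here.
public sealed class SessionInfo
{
    public string UserId { get; set; }
    public string UserName { get; set; }
}

public static class UIRoles
{
    public const string PowerUser = "PowerUser";
}

public static class SessionExtensions
{
    // Assumed shape of the poster's ToClaimsIdentity helper: the session supplies the
    // id/name claims, and any extra claims (such as roles) are optional.
    public static ClaimsIdentity ToClaimsIdentity(this SessionInfo session,
        string authenticationType, IEnumerable<Claim> extraClaims = null)
    {
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.NameIdentifier, session.UserId),
            new Claim(ClaimTypes.Name, session.UserName),
        };
        if (extraClaims != null) claims.AddRange(extraClaims);
        return new ClaimsIdentity(claims, authenticationType);
    }
}

public static class Program
{
    // Stand-in for DefaultAuthenticationTypes.ApplicationCookie (assumed literal)
    const string AppCookie = "ApplicationCookie";

    // Buggy renewal, as in the answer: the identity is rebuilt from the session alone,
    // so the Role claim added at sign-in is silently dropped from the new cookie.
    static ClaimsIdentity RenewLosingClaims(SessionInfo session)
        => session.ToClaimsIdentity(AppCookie);

    // Corrected renewal: every claim of the current identity (other than the ones the
    // session re-creates) is copied into the new identity before it is written out.
    static ClaimsIdentity RenewPreservingClaims(SessionInfo session, ClaimsIdentity current)
    {
        var carriedOver = current.Claims
            .Where(c => c.Type != ClaimTypes.NameIdentifier && c.Type != ClaimTypes.Name)
            .Select(c => new Claim(c.Type, c.Value, c.ValueType, c.Issuer));
        return session.ToClaimsIdentity(AppCookie, carriedOver);
    }

    // Equivalent of the poster's User.Identity.HasRole check: ClaimsPrincipal.IsInRole
    // looks for a ClaimTypes.Role claim with the given value.
    static bool IsPowerUser(ClaimsIdentity identity)
        => new ClaimsPrincipal(identity).IsInRole(UIRoles.PowerUser);

    public static void Main()
    {
        // Constructed sample session
        var session = new SessionInfo { UserId = "42", UserName = "alice" };

        var signedIn = session.ToClaimsIdentity(AppCookie,
            new[] { new Claim(ClaimTypes.Role, UIRoles.PowerUser) });
        Console.WriteLine($"after sign-in:        PowerUser = {IsPowerUser(signedIn)}");

        var buggy = RenewLosingClaims(session);
        Console.WriteLine($"after buggy renewal:  PowerUser = {IsPowerUser(buggy)}");

        var fixedIdentity = RenewPreservingClaims(session, signedIn);
        Console.WriteLine($"after fixed renewal:  PowerUser = {IsPowerUser(fixedIdentity)}");
    }
}
```

Running it shows the role check passing right after sign-in, failing after the renewal that rebuilds the identity from the session alone, and passing again after the renewal that carries the existing claims over. The point to take from it when re-issuing an authentication cookie is that the identity you hand to SignIn replaces the previous one completely: any claim that is not explicitly re-added is gone, and a role check that worked on the first request will start returning false as soon as the renewal path runs.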