通过列出你目前的身份ASP.NET里面的索赔：

By listing the Claims inside your current ASP.NET Identity:

(System.Web.HttpContext.Current.User.Identity
    as System.Security.Principal.WindowsIdentity)
    .Claims
    .ToArray();

您将看到管理员组（ 的SID：S-1-5-32 -544）有型的索赔 denyonlysid 。到调用User.IsInRole（管理员）然后将失败。

you will see that for the Administrators group (SID: S-1-5-32-544) there is a claim of type denyonlysid. The call to User.IsInRole("Administrators") will then fail.

整点，我认为，是当前用户是从来没有真正的Administrators组的一部分，除非你关闭UAC和/或运行浏览器的作为管理员的

The whole point, I think, is that the current user is never truly part of the Administrators group, unless you turn off UAC and/or run your browser as an administrator.

我已经做了两个那些事（浏览器是火狐NTLM在本地主机上启用）和TA-大新，一切按预期工作：

I have done both those things (browser is Firefox with NTLM enabled on localhost) and ta-dah, everything works as expected:

System.Web.HttpContext.User.IsInRole("Administrators")  
true
(System.Web.HttpContext.User.Identity
    as System.Security.Principal.WindowsIdentity)
    .Claims
    .ToArray()
{System.Security.Claims.Claim[19]}
[0]: {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: Domain\Mauro}
[...]
[8]: {http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-5-32-544}

作为最终音符，你不应该使用管理员组基于声明的身份验证。更好地介绍自定义域/本地组。

As an end note, you should not use the Administrator group for claims based authentication. Better to introduce custom domain/local groups.

只是我的2美分。