I get questions every now and then why there are these two events and which one to use for what. The way I like to think about it:
- If you change the IIdentity – use AuthenticateRequest.
- If you change the IPrincipal – use PostAuthenticateRequest.
So – the built-in auth modules (Forms/Windows) establish a user identity, meaning they set Context.User.Identity – this is done in AuthenticateRequest. Another example would be when you implement your own auth mechanism (e.g. basic authentication against custom accounts).
Adding roles to an already established identity is done in PostAuthenticateRequest. The built-in RoleManager module is an example of functionality that does this (and read this if you are doing stuff like that).
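To show where each piece of work belongs, here is an added example (not code from the original post) of an IHttpModule that follows both rules: it establishes the IIdentity in AuthenticateRequest (a minimal basic-auth check against constructed in-memory accounts, assumed purely for illustration) and replaces the IPrincipal with one carrying roles in PostAuthenticateRequest.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Text;
using System.Web;

// Added example, not code from the original post. The in-memory accounts below are
// constructed for illustration; a real module verifies against a hashed credential store.
public class TwoPhaseAuthModule : IHttpModule
{
    private static readonly Dictionary<string, string> Passwords = new Dictionary<string, string> { { "alice", "s3cret" } };
    private static readonly Dictionary<string, string[]> Roles =
        new Dictionary<string, string[]> { { "alice", new[] { "Admin", "User" } } };
    public void Init(HttpApplication app)
    {
        // Rule 1: who the caller is (the IIdentity) is decided in AuthenticateRequest.
        app.AuthenticateRequest += OnAuthenticateRequest;
        // Rule 2: roles are attached to an already established identity (a new IPrincipal)
        // in PostAuthenticateRequest, no matter which module established that identity.
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        var context = ((HttpApplication)sender).Context;
        // Respect an identity that Forms/Windows authentication already established.
        if (context.User != null && context.User.Identity.IsAuthenticated) return;
        string header = context.Request.Headers["Authorization"];
        if (header == null || !header.StartsWith("Basic ", StringComparison.Ordinal)) return;
        string[] parts;
        try { parts = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6))).Split(new[] { ':' }, 2); }
        catch (FormatException) { return; } // malformed header: stay anonymous
        string pwd;
        if (parts.Length != 2 || !Passwords.TryGetValue(parts[0], out pwd) || pwd != parts[1])
            return; // stay anonymous; authorization rejects the request later on
        // Identity only, no roles yet: that is the job of the next event.
        context.User = new GenericPrincipal(new GenericIdentity(parts[0], "Basic"), new string[0]);
    }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        var context = ((HttpApplication)sender).Context;
        if (context.User == null || !context.User.Identity.IsAuthenticated) return;
        string[] roles;
        if (!Roles.TryGetValue(context.User.Identity.Name, out roles)) roles = new string[0];
        // Keep the identity as established; only swap in a principal that carries the roles.
        context.User = new GenericPrincipal(context.User.Identity, roles);
    }
    public void Dispose() { }
}
```

Because the role step only looks at Context.User.Identity, it works unchanged whether the identity came from this module, Forms, or Windows authentication, which is the pluggability the two-event split buys you.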
Following these rules, you achieve the best extensibility and pluggability.
To follow Rich's great analogy – it is like the pirate guidelines in “Pirates of the Caribbean” – you don’t have to follow these guidelines, but it would be better if you do.