G'day Silvio, Thanks for getting back to me.
Any operation we perform on the server as a result of an EM call from the client (ExecuteAsync() etc) does correctly pass authentication information back to the server, so no problems in the 'normal' DevFoce case :)
We host our own MVC Controllers for certain operations (For the same reasons DevForce provides RSMC functionality), however for historical reasons these Controllers (and the actions on them) already exist, so we haven't gone done the RSMC path.
However obviously we'd like to be able to keep making use of the client authentication info from the DevForce session, even though we've bypassed the DevForce WCF link back to the server (we're using Json if it's relevant). Looking at the 6.1.6 API it looked as though we could pass the clients Session GUID to the controller, and then use the Authenticator.Login(Guid) overload to 're-activate' (if that's the best word) the clients session (and associated authentication information) within the scope of the MVC Action.
I'll get to work on a repro sample for you, but hopefully that's a better description of the issue we're currently trying to resolve.