I think your User objects needs to contain the domain:username style value. This value is used in all sorts of places so it needs to contain the fully qualified username to work. As for checking the authentication everytime, this will only happen if you configure it to do this. I'm pretty sure it doesn't do this by default. I'm not quite sure what the question about "returnUsername" is.