This does not occur in Windows versions later than Windows 2003.
This is not specific to WCF applications, and may occur in other applications doing similar Windows Authentication.
When ServiceSecurityContext tries to negotiate with the client process, it utilizes the authentication package which has a reference to a stale token created during boot time. This results in the new groups being missed out.
The restart of the process/service gets the updated identity as the process does another log on with its identity and gets a new token while restarting. Hence we see the groups under System.Security.Principal.WindowsIdentity after restarting the process but not under ServiceSecurityContext.Current.WindowsIdentity.
Article ID: 2408870 - Last Review: Oct 21, 2010 - Revision: 1