The operating system may not return updated group memberships programmatically for built-in accounts like Network Service and Local Service


Symptoms


You have a WCF application (the client process) that runs under a built-in system account such as "Local Service" or "Network Service" and calls into another WCF application (the server process) on the same computer. You create a new local group, add the built-in system account to it, and then restart the client WCF application. However, when the server WCF application inspects the caller's identity through ServiceSecurityContext, the new group is not present in the groups listed under ServiceSecurityContext.Current.WindowsIdentity.

This problem does not occur in Windows versions later than Windows Server 2003.
The problem is not specific to WCF; it may also occur in other applications that perform similar Windows Authentication of a client running as a built-in account.
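The following C# program is an added diagnostic, not code from the original article: it hosts a small WCF service that returns the caller's identity and token groups as the server sees them through ServiceSecurityContext, and a client mode that first dumps the client's own process token (WindowsIdentity.GetCurrent) and then compares it with the server's view, so a group present locally but absent on the server side stands out. The contract name, the net.pipe address and the use of NetNamedPipeBinding with transport (Windows) security are assumptions chosen for a same-machine test.

```csharp
// Added diagnostic example (not from the original article). Assumed: contract
// and service names, the net.pipe address, and NetNamedPipeBinding with
// transport security (Windows authentication) for a same-machine call.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.ServiceModel;

namespace GroupCheck
{
    [ServiceContract]
    public interface ICallerInfo
    {
        // First element is the caller's account name, the rest are its token groups.
        [OperationContract]
        string[] GetCallerGroups();
    }

    // Server side: read the authenticated caller from ServiceSecurityContext.
    public class CallerInfoService : ICallerInfo
    {
        public string[] GetCallerGroups()
        {
            WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
            return DescribeToken(caller).ToArray();
        }

        // Account name followed by every group SID in the token, translated to
        // DOMAIN\Name where the SID resolves, otherwise left as the raw SID string.
        public static IEnumerable<string> DescribeToken(WindowsIdentity id)
        {
            yield return id.Name;
            if (id.Groups == null) yield break;
            foreach (IdentityReference g in id.Groups)
            {
                string name;
                try { name = g.Translate(typeof(NTAccount)).Value; }
                catch (IdentityNotMappedException) { name = g.Value; }
                yield return name;
            }
        }
    }

    public static class Program
    {
        static void Main(string[] args)
        {
            // Assumed local endpoint; client and server run on the same computer.
            Uri address = new Uri("net.pipe://localhost/GroupCheck");
            var binding = new NetNamedPipeBinding(NetNamedPipeSecurityMode.Transport);

            if (args.Length > 0 && args[0] == "server")
            {
                using (var host = new ServiceHost(typeof(CallerInfoService)))
                {
                    host.AddServiceEndpoint(typeof(ICallerInfo), binding, address);
                    host.Open();
                    Console.WriteLine("Listening; press Enter to stop.");
                    Console.ReadLine();
                }
                return;
            }

            // Client side: what the client's own process token contains ...
            List<string> localView = CallerInfoService.DescribeToken(WindowsIdentity.GetCurrent()).ToList();
            Console.WriteLine("== client process token (WindowsIdentity.GetCurrent) ==");
            localView.ForEach(Console.WriteLine);

            // ... and what the server saw for the same caller after authentication.
            var factory = new ChannelFactory<ICallerInfo>(binding, new EndpointAddress(address));
            ICallerInfo proxy = factory.CreateChannel();
            string[] serverView = proxy.GetCallerGroups();
            Console.WriteLine("== as seen by the server (ServiceSecurityContext) ==");
            foreach (string line in serverView) Console.WriteLine(line);

            // Groups present in the client's token but missing from the server's
            // view are exactly the symptom described above.
            List<string> missing = localView.Skip(1).Except(serverView.Skip(1)).ToList();
            Console.WriteLine(missing.Count == 0
                ? "No difference between the two views."
                : "Groups missing on the server side: " + string.Join(", ", missing));

            ((IClientChannel)proxy).Close();
            factory.Close();
        }
    }
}
```

To reproduce the symptom, the server instance is started with the `server` argument under any account, and the client instance must actually run as the built-in account (for example hosted as a Windows service or a scheduled task configured for Network Service), since a console session under an ordinary user will not show the stale-token behaviour.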

Cause


When the server authenticates the client and builds ServiceSecurityContext, the authentication package uses a logon token for the built-in account that was created when the computer started. That token reflects the group memberships as they were at boot time, so a group added later is missing from it.

Restarting the client process or service updates the identity the process itself sees, because the process logs on again with its identity and receives a fresh token when it restarts. This is why the new group appears under System.Security.Principal.WindowsIdentity (for example, WindowsIdentity.GetCurrent() in the client) after the restart, but not under ServiceSecurityContext.Current.WindowsIdentity on the server side.

Resolution


To resolve this problem, restart the computer so that the boot-time token for the built-in account is recreated with the current group memberships.

More Information


Changing the group memberships or other attributes of a built-in system account such as Local Service or Network Service is not recommended. Instead, run the client under a dedicated user account created for that purpose and grant the required group memberships to that account.