PrincipalPermission only works with some AD groups

Question

The following works perfectly (DOMAIN\DEVELOPERS):

[PrincipalPermission(SecurityAction.Demand,Role="DEVELOPERS")]
public string Test()
{
   return "Works..";
}

The user that runs is a member of this group, so "of course" it works. I have another group, for this WCF service that is named AdvisoryWcfUsers, which contains a couple of users as well as groups (in the AD; so DOMAIN\AdvisoryWcfUsers). I'm 100 percent sure I'm a member of this group, but nevertheless, I get:

System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied

It's not a typo, it just seems that the IIS doesn't have permission to look up this new group. The DEVELOPERS group is an "old" group, while the AdvisoryWcfUsers was created today, for this purpose. Any suggestions?

score 0 · Accepted Answer · answered May 08 '12 at 13:59

Did you log in again after the group was created and you were made a member of it? Windows groups are so called "subauthorities" that are attached to your security token at login. Any change of group memberships is therefore only detected after a login (must be a domain login, not a cached one!).

PrincipalPermission only works with some AD groups

1 Answers1