Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. The operating system may not return updated group memberships programmatically for built-in accounts like Network Service and Local Service

The operating system may not return updated group memberships programmatically for built-in accounts like Network Service and Local Service

Symptoms

You have a WCF application (client process) which runs under a built-in system account (such as "Local Service" or "Network Service") which calls into another WCF application (server process) on the same computer. You have created a new user group and added the local built-in system account to this new group. Now you have restarted the WCF application. But, when you try to get the identity of the callee in the server WCF application using ServiceSecurityContext, you observe that the new group is not present in the list of groups present in ServiceSecurityContext.Current.WindowsIdentity.

This does not occur in Windows versions later than Windows 2003.
This is not specific to WCF applications, and may occur in other applications doing similar Windows Authentication.

↑ Back to the top

Cause

When ServiceSecurityContext tries to negotiate with the client process, it utilizes the authentication package which has a reference to a stale token created during boot time. This results in the new groups being missed out.

The restart of the process/service gets the updated identity as the process does another log on with its identity and gets a new token while restarting. Hence we see the groups under System.Security.Principal.WindowsIdentity after restarting the process but not under ServiceSecurityContext.Current.WindowsIdentity.

↑ Back to the top

Resolution

To resolve this problem, you must restart the machine

↑ Back to the top

More Information

Modification of the memberships or other details of a system identity/context is not recommended and we should use user generated identities.

↑ Back to the top

Keywords: vkball, kb

↑ Back to the top

Article Info
Article ID : 2408870
Revision : 1
Created on : 1/8/2017
Published on : 10/21/2010
Exists online : False
Views : 678