Which principal does PrincipalPermission.Demand() check against?

Question

I have some code in a general library that does authorization checking like this

AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);    
new PrincipalPermission(null, "AD_GROUP_NAME").Demand();

I'm having some issues when it's called from inside a 3rd party job scheduling framework. The check fails. I've tried figuring out why. When I check the value of WindowsIdentity.GetCurrent().Name it is one user (UserA) and when I check Thread.CurrentPrincipal.Identity.Name it's a different user (UserB). Both users should have the correct access so it shouldn't fail. I suspect that it's checking against something other than these two.

I've made a small test program that only does the check. I've used the Runas command to run it with both UserA and UserB and both pass the check when I do it that way.

I'd love some help figuring out how to get it to work.

Update: I'm pretty sure that the check is done against Thread.CurrentPrincipal (ie. UserB). When I debug, I can see that the principal is a ClaimsPrincipal and not a WindowsPrincipal. I assume that the SetPrincipalPolicy call doesn't have an effect. The documentation seems to hint that the call needs to be done becore the thread is created and it isn't. The 3rd party framework sets up the thread before it reaches my code.

Answer 1

The issue was that Thread.CurrentPrincipal wasen't a Windows principal.

I added some code to set the principal to a new WindowsPrincipal based on WindowsIdentity.GetCurrent(). After I made the authorization check, I restored the principal to the previous value like this

var savedPrincipal = Thread.CurrentPrincipal;
try
{
     Thread.CurrentPrincipal = new WindowsPrincipal(WindowsIdentity.GetCurrent());

     // Call the code that does the authorization check
}
finally
{
     Thread.CurrentPrincipal = savedPrincipal;
}

This also does the check against UserA's rights which is what I would prefer.