According to MSDN, the System.Security.Principal.WindowsPrincipal class is intended to allow code to check the Windows group membership of a Windows user. For example, when a connection string specifies Integrated Security, ADO.NET uses this class to access the SQL Server resource, obtaining it via the Thread.CurrentThread.CurrentPrincipal property.

Of course, if you are going to have a WindowsPrincipal, you also need a System.Security.Principal.WindowsIdentity, the class that represents a Windows user, to go with it. Unfortunately, you cannot create an identity from a constructor or managed method. Instead, you are restricted to using the Win32 API function LogonUser, which is exported by advapi32.dll. To gain access to this function, you will need to use Platform Invoke (P/Invoke).

Feel free to download my code example, which shows you how to use the DllImport attribute to declare a managed signature that maps to the LogonUser API function. Also, I've included a wrapper for the class to create a respective WindowsIdentity/WindowsPrincipal pair. And, as always, there's a client that uses some reflection to display all the roles a user belongs to. Later this week, I will try to post a sample of how this library can be used within ASP.NET.
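The pattern described above, as an added example that is not the author's downloadable code: LogonUser is declared with DllImport, the token it returns is wrapped in a WindowsIdentity/WindowsPrincipal pair, and the user's groups are listed. The names WindowsLogon and CreatePrincipal are illustrative, and the example assumes .NET 2.0 or later, where WindowsIdentity.Groups is used in place of reflection.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;

// Illustrative names; not the downloadable library from the post.
static class WindowsLogon
{
    const int LOGON32_LOGON_NETWORK = 3;    // validate credentials without an interactive session
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    public static WindowsPrincipal CreatePrincipal(string user, string domain, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error()); // 1326 = logon failure
        // WindowsIdentity duplicates the token, so the raw handle is always closed here.
        try { return new WindowsPrincipal(new WindowsIdentity(token)); }
        finally { CloseHandle(token); }
    }

    static void Main(string[] args)
    {
        if (args.Length != 2) { Console.Error.WriteLine("usage: LogonDemo <domain> <user>"); return; }
        Console.Write("Password: ");        // read without echo rather than from the command line
        var pw = new StringBuilder();
        ConsoleKeyInfo key;
        while ((key = Console.ReadKey(true)).Key != ConsoleKey.Enter)
        {
            if (key.Key != ConsoleKey.Backspace) pw.Append(key.KeyChar);
            else if (pw.Length > 0) pw.Length--;
        }
        Console.WriteLine();
        WindowsPrincipal principal = CreatePrincipal(args[1], args[0], pw.ToString());
        var identity = (WindowsIdentity)principal.Identity;
        Console.WriteLine("Logged on as {0}", identity.Name);
        foreach (IdentityReference sid in identity.Groups)
        {   // group SIDs that cannot be resolved to an account name are printed as-is
            try { Console.WriteLine("  {0}", sid.Translate(typeof(NTAccount))); }
            catch (IdentityNotMappedException) { Console.WriteLine("  {0}", sid); }
        }
        Console.WriteLine("Administrator: {0}", principal.IsInRole(WindowsBuiltInRole.Administrator));
    }
}
```

The network logon type checks the credentials without requiring the "log on locally" right; a failed logon surfaces as a Win32Exception carrying the error code from GetLastError.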

For now, happy coding!