SecurityAction.Demand Fails in Asp.Net 2.0 N-Tier Environment

After a great deal of research and investigation I must concede defeat
and ask the help of the experts. In ASP.Net 1.1 I used to attach roles
to the current context in the AuthenticateRequest event as such:

protected void Application_AuthenticateRequest(Object sender, EventArgs
e) {
// pull astrActions from the FormsAuthentication cookie
HttpContext.Current.User = new
GenericPrincipal(Context.User.Identity, astrActions);
}

In my middle tier I could then mark my methods with declarative
security with:

[PrincipalPermission(SecurityAction.Demand, Role="Administrators")]

Or use the
System.Threading.Thread.CurrentPrincipal.IsInRole("Administrators")
approach for more granularity.

Now that I've moved to ASP.Net 2.0 I have tried the exact same approach
and all works fine except: the SecurityAction.Demand statement never
denies anyone access for middle-tier components. What's crazy is that
the IsInRole works correctly in middle tier components and the
SecurityAction.Demand work in the code behind pages of aspx pages!

I've tried on different machines and always the same result. I've also
tried using the nice membership provider features instead of the
Application_AuthenticateRequest apporach: same result.

Since the IsInRole works and the SecurityAction.Demand doesn't, I'm
beginning to wonder if this is a bug. It seems like too big of an
issue to be something Microsoft might have missed, but I am running out
of ideas. Any help would be greatly appreciated.

.