UserPrincipal.GetGroups vs. UserPrincipal.GetAuthorizationGroups?
So GetGroups gets all groups of which the user is a direct member,
and GetAuthorizationGroups gets all authorization groups of which the user is a direct or indirect member.
I assume GetAuthorizationGroups() calls into tokenGroups in AD. To read that, your service account (or IIS machine account if Network Service) needs to be in the Windows Authorization Access Group in AD.
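The difference between the two calls, as an added example that is not part of the original posts: it lists a user's direct groups, the direct-or-nested security groups, and what each set has that the other lacks. The class name GroupCompare and the command-line usage are assumptions, and it expects to run on a domain-joined machine.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;

static class GroupCompare   // hypothetical name, added for illustration
{
    static readonly StringComparer Cmp = StringComparer.OrdinalIgnoreCase;

    // Groups the user is a direct member of (security and distribution).
    static HashSet<string> Direct(UserPrincipal user) =>
        new HashSet<string>(user.GetGroups().Select(g => g.SamAccountName), Cmp);

    // Security groups the user belongs to directly or through nesting.
    static HashSet<string> Transitive(UserPrincipal user) =>
        new HashSet<string>(user.GetAuthorizationGroups().Select(g => g.SamAccountName), Cmp);

    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: GroupCompare <samAccountName>");
            return 2;
        }
        using (var ctx = new PrincipalContext(ContextType.Domain))   // current domain
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, args[0]))
        {
            if (user == null) { Console.Error.WriteLine("user not found"); return 1; }
            HashSet<string> direct = Direct(user);
            try
            {
                HashSet<string> all = Transitive(user);
                // Membership that only exists through group nesting.
                foreach (string n in all.Except(direct, Cmp)) Console.WriteLine("nested only: " + n);
                // Direct groups missing from the authorization set, e.g. distribution groups.
                foreach (string n in direct.Except(all, Cmp)) Console.WriteLine("direct, not authz: " + n);
                return 0;
            }
            catch (PrincipalOperationException ex)
            {
                // The transitive lookup failed. One cause named in the thread: the calling
                // account is not in Windows Authorization Access Group.
                Console.Error.WriteLine("GetAuthorizationGroups failed: " + ex.Message);
                foreach (string n in direct) Console.WriteLine("direct: " + n);
                return 3;
            }
        }
    }
}
```

For an access decision, the "nested only" lines are the ones a GetGroups-based check would miss.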