• Well, I got it running using exec xp_logininfo 'nmp\paleoces', 'members' and looping to extract all members. That works, although it seems to me it's asking the same question, just in a different way. No idea why one way works and the other way bombs.

    However, I got to thinking about the process, and I realized that I'm not really asking the database for permission information, as I originally envisioned myself to be. I'm actually just asking for membership information on the current user from the domain controller. I can get the same information directly in the app - there's no need to burden SQL Server and the database server connection with this, since the decisions I make are solely in the app anyway.

    In a nutshell, either the app asks the domain controller for some information, or the app asks SQL Server to ask the domain controller for the same information. In hindsight, the second way is just plain dumb. The logic in the app deals with the information the same way in either case.

    So, thank you both for the thoughts. Sometimes I have to explain my reasoning to someone else before I see the error I made.