SECURITY_IMPERSONATION_LEVEL

Overview#

A server application may need to present a client's identity to resources it accesses on the client's behalf, usually to cause access checks or authentication to be performed against the client's identity. To a certain extent, the server can act under the client's identity—an action referred to as impersonating the client.

Impersonation is the ability of a thread to execute in a security context different from that of the process owning the thread. The server thread uses an Access Token representing the client's credentials, and with this, it can access resources that the client can access.

Using impersonation ensures that the server can do precisely what the client can do. Access to resources may be either restricted or expanded, depending on what the client has permission to do.

You might have a server impersonate a client when connecting to a database so that the database can authenticate and authorize the client itself. Likewise, if your application accesses files protected by a Security Descriptor, it can impersonate the client before opening them so that the access check is made against the client's identity rather than the server's.

If impersonation succeeds, it means that the client has agreed to let the server impersonate the client to some degree. The varying degrees of impersonation are called SECURITY_IMPERSONATION_LEVEL, and they indicate how much authority is given to the server when it is impersonating the client.

There are currently four SECURITY_IMPERSONATION_LEVEL values. The following briefly describes each impersonation level:

Anonymous (RPC_C_IMP_LEVEL_ANONYMOUS)#

The client is anonymous to the server. The server process can impersonate the client, but the Impersonation Token does not contain any information about the client. This level is only supported over the local Inter-Process Communication transport; all other transports silently promote this level to Identification. (Displayed as an empty string in the Windows Event Log.)

Identification (RPC_C_IMP_LEVEL_IDENTIFY)#

The system default level. The server can obtain the client's identity and privileges, but cannot impersonate the client: a token at this level is enough to look up who the client is, not to pass access checks as the client. (Displayed as "Identification" in the Windows Event Log.)

Impersonation (RPC_C_IMP_LEVEL_IMPERSONATE)#

The server can impersonate the client's security context while acting on behalf of the client. The server can access local resources as the client. If the server is local, it can also access network resources as the client. If the server is remote, it can access only resources that are on the same computer as the server, because it holds no network credentials for the client. (Displayed as "Impersonation" in the Windows Event Log.)

Delegation (RPC_C_IMP_LEVEL_DELEGATE)#

The most powerful SECURITY_IMPERSONATION_LEVEL. When this level is selected, the server (whether local or remote) can impersonate the client's security context while acting on behalf of the client. During impersonation, the client's credentials (both local and network) can be passed to any number of computers, so a compromised server at this level can act as the client anywhere the client can reach. (Displayed as "Delegation" in the Windows Event Log.)

For SECURITY_IMPERSONATION_LEVEL at the delegation level, the following requirements must be met:

By choosing the SECURITY_IMPERSONATION_LEVEL, the client tells the server how far it can go in impersonating the client. The client sets the SECURITY_IMPERSONATION_LEVEL on the proxy it uses to communicate with the server.
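The Event Log display names above are the practical way to see which level a server was actually granted. The following PowerShell script is an added example, not code from the original page: it maps the ImpersonationLevel field of Security event 4624 ("An account was successfully logged on") back to the four SECURITY_IMPERSONATION_LEVEL names and reports network logons that were granted Delegation, since those are the sessions in which the server can forward the client's credentials elsewhere. The message-resource codes in the lookup table and the sample events are assumptions constructed for the example; check the codes against your own 4624 events before relying on them.

```powershell
# Added example (not from the original page): classify 4624 logons by
# SECURITY_IMPERSONATION_LEVEL and flag Delegation-level network logons.

# ASSUMPTION: these are the message-resource codes the Security log stores in
# the ImpersonationLevel data element; Event Viewer renders them as the names
# on the right. Verify against a real 4624 event on your own systems.
$ImpersonationLevelNames = @{
    '%%1831' = 'Anonymous'
    '%%1832' = 'Identification'
    '%%1833' = 'Impersonation'
    '%%1840' = 'Delegation'
}

function Get-ImpersonationLevelName {
    param([string]$Code)
    if ([string]::IsNullOrWhiteSpace($Code) -or $Code -eq '-') { return 'NotRecorded' }
    if ($ImpersonationLevelNames.ContainsKey($Code)) { return $ImpersonationLevelNames[$Code] }
    return "Unknown($Code)"
}

function Convert-LogonEvent {
    # Flattens the XML of one 4624 event (as returned by EventLogRecord.ToXml())
    # into an object carrying only the fields needed for the review.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $xml  = [xml]$EventXml
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time               = [datetime]$xml.Event.System.TimeCreated.SystemTime
            Computer           = $xml.Event.System.Computer
            User               = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType          = [int]$data['LogonType']
            Source             = $data['IpAddress']
            ImpersonationLevel = Get-ImpersonationLevelName $data['ImpersonationLevel']
        }
    }
}

function Find-DelegationLogon {
    # Network (type 3) logons at Delegation level are the ones to review: the
    # server that accepted them can now act as that user against other hosts.
    param([Parameter(ValueFromPipeline)]$Logon)
    process {
        if ($Logon.ImpersonationLevel -eq 'Delegation' -and $Logon.LogonType -eq 3) { $Logon }
    }
}

# Constructed sample events (not real log data), reduced to the fields used above.
function New-SampleEvent($user, $logonType, $level, $ip) {
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2024-05-01T10:15:00.0000000Z" />
    <Computer>FILESRV01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">$user</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">$logonType</Data>
    <Data Name="IpAddress">$ip</Data>
    <Data Name="ImpersonationLevel">$level</Data>
  </EventData>
</Event>
"@
}

$samples = @(
    (New-SampleEvent 'alice'   3 '%%1833' '10.0.0.25')   # ordinary SMB access: Impersonation
    (New-SampleEvent 'svc-web' 3 '%%1840' '10.0.0.40')   # front-end web server: Delegation
    (New-SampleEvent 'bob'     3 '%%1832' '10.0.0.51')   # identity only, e.g. a query-only RPC call
    (New-SampleEvent 'SYSTEM'  5 '%%1833' '-')           # service start: local, Impersonation
)

$logons = $samples | Convert-LogonEvent
$logons | Format-Table Time, User, LogonType, Source, ImpersonationLevel -AutoSize | Out-Host

Write-Host 'Delegation-level network logons:'
$logons | Find-DelegationLogon | Format-Table User, Source, Computer -AutoSize | Out-Host

# Against a live Security log the same pipeline is:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 1000 |
#     ForEach-Object { $_.ToXml() } | Convert-LogonEvent | Find-DelegationLogon
```

With the constructed input, only the svc-web logon is reported. On a real host, a Delegation-level logon from an account that is not expected to need the second hop is worth a look, because the level recorded here is what the server was granted, not merely what it asked for.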

More Information#

There might be more information for this subject on one of the following: