Overview
A server application may need to present a client's identity to resources it accesses on the client's behalf, usually to cause access checks or authentication to be performed against the client's identity. To a certain extent, the server can act under the client's identity—an action referred to as impersonating the client.
Impersonation is the ability of a thread to execute in a security context different from that of the process owning the thread. The server thread uses an Access Token representing the client's credentials, and with this, it can access resources that the client can access.
You might choose to have a server impersonate a client when connecting to a database so that the database can authenticate and authorize the client for itself. Or, if your application accesses files that are protected with a Security Descriptor, the application can impersonate the client before accessing the files so that the client obtains only the access to the information in those files that it is authorized for.
If impersonation succeeds, it means that the client has agreed to let the server impersonate the client to some degree. The varying degrees of impersonation are called SECURITY_IMPERSONATION_LEVEL, and they indicate how much authority is given to the server when it is impersonating the client.
Currently, there are four SECURITY_IMPERSONATION_LEVEL values. The following briefly describes each impersonation level:
- Anonymous: The client is anonymous to the server. The server process can impersonate the client, but the Impersonation Token does not contain any information about the client. This level is only supported over the local Inter-Process Communication transport. All other transports silently promote this level to Identification. (displayed as "Impersonation" with Windows Event Log)
- Impersonation: The server can impersonate the client's security context while acting on behalf of the client. The server can access local resources as the client. If the server is local, it can access network resources as the client. If the server is remote, it can access only resources that are on the same computer as the server.
- Delegation: The most powerful SECURITY_IMPERSONATION_LEVEL. When this level is selected, the server (whether local or remote) can impersonate the client's security context while acting on behalf of the client. During impersonation, the client's credentials (both local and network) can be passed to any number of computers. (displayed as "Delegation" with Windows Event Log)
For impersonation at the Delegation level, the following requirements must be met:
- The client must set the SECURITY_IMPERSONATION_LEVEL to RPC_C_IMP_LEVEL_DELEGATE.
- The client account must not be marked "Account is sensitive and cannot be delegated" in the Microsoft Active Directory.
- The server account must be marked with the "Trusted for delegation" attribute in the Microsoft Active Directory.
- The computers hosting the client, the server, and any "downstream" servers must all be in an Active Directory domain.
By choosing the SECURITY_IMPERSONATION_LEVEL, the client tells the server how far it can go in impersonating the client. The client sets the SECURITY_IMPERSONATION_LEVEL on the proxy it uses to communicate with the server.
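As an added example (not part of the original page), the Python below reads the Impersonation Level field out of rendered Event 4624 messages and lists the Delegation-level logons, since those are the logons whose credentials the server can forward to further computers. The three event messages are constructed samples in the layout Event Viewer renders; real messages carry more fields than these, and the account names, domain and addresses are invented.

```python
import re
from collections import Counter

# Constructed sample records in the layout of rendered Security-log 4624
# messages (Event Viewer / Get-WinEvent's Message property). Only the
# fields this example reads are present; everything else is omitted.
SAMPLE_4624_MESSAGES = [
    "An account was successfully logged on.\n"
    "Subject:\n\tAccount Name:\t\tWEB01$\n\tAccount Domain:\t\tCORP\n"
    "Impersonation Level:\t\tDelegation\n"
    "New Logon:\n\tAccount Name:\t\tsvc-web\n\tAccount Domain:\t\tCORP\n"
    "\tLogon ID:\t\t0x3E7A1\n"
    "Network Information:\n\tSource Network Address:\t10.0.0.5\n",
    "An account was successfully logged on.\n"
    "Subject:\n\tAccount Name:\t\tFS01$\n\tAccount Domain:\t\tCORP\n"
    "Impersonation Level:\t\tImpersonation\n"
    "New Logon:\n\tAccount Name:\t\talice\n\tAccount Domain:\t\tCORP\n"
    "Network Information:\n\tSource Network Address:\t10.0.0.23\n",
    "An account was successfully logged on.\n"
    "Subject:\n\tAccount Name:\t\tFS01$\n\tAccount Domain:\t\tCORP\n"
    "Impersonation Level:\t\tIdentification\n"
    "New Logon:\n\tAccount Name:\t\tbob\n\tAccount Domain:\t\tCORP\n"
    "Network Information:\n\tSource Network Address:\t10.0.0.7\n",
]

FIELD = r"^\s*{}:\s*(\S.*?)\s*$"


def field(text, label):
    """Return the value of a 'Label:<tabs>value' line, or None if absent."""
    m = re.search(FIELD.format(re.escape(label)), text, re.M)
    return m.group(1) if m else None


def parse_4624(message):
    """Extract logon account, impersonation level and source from one rendered 4624 message."""
    # "Account Name" appears under both Subject and New Logon; only the
    # New Logon section names the account that actually logged on.
    _, _, new_logon = message.partition("New Logon:")
    return {
        "account": field(new_logon, "Account Name"),
        "domain": field(new_logon, "Account Domain"),
        "level": field(message, "Impersonation Level") or "unknown",
        "source": field(message, "Source Network Address"),
    }


def summarize(messages):
    """Count logons per impersonation level and collect the Delegation-level ones."""
    per_level, delegation = Counter(), []
    for rec in map(parse_4624, messages):
        per_level[rec["level"]] += 1
        if rec["level"] == "Delegation":
            delegation.append(rec)
    return per_level, delegation


if __name__ == "__main__":
    per_level, delegation = summarize(SAMPLE_4624_MESSAGES)
    for level, n in sorted(per_level.items()):
        print(f"{level:15} {n}")
    for rec in delegation:
        print(f"Delegation-level logon: {rec['domain']}\\{rec['account']} from {rec['source']}")
```

On a live host the same functions can be fed the Message property of each event returned by Get-WinEvent for Event ID 4624.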
More Information
There might be more information for this subject on one of the following:
- Event 4624
- Impersonation Token