Impersonation

Impersonation is the ability of a thread to execute in a security context different from the that of the process that owns the thread. Typically, a thread in a server application impersonates a client. This allows the server thread to act on behalf of that client to access objects or validate access to its own objects. For example, when a client in a DDE conversation requests information from a DDE server, the server can impersonate the client so the system can verify that the client is allowed access to the information.

The Win32 API provides several ways for a thread to begin an impersonation:

  • A DDE server application can call the DdeImpersonateClient function to impersonate a client.

  • A named-pipe server can call the ImpersonateNamedPipeClient function.

  • You can call the ImpersonateLoggedOnUser function to impersonate the security context of a specifed user.

  • The ImpersonateSelf function enables a thread to generate a copy of its own access token. This is useful when an application needs to change the security context of a single thread. For example, sometimes only one thread of a process requires a special privilege.

  • You can call the SetThreadToken function to cause the target thread to run in the security context of a specified impersonation token.

In all these cases, the impersonating thread can revert to its own security context by calling the RevertToSelf function.

An RPC server can call the RpcImpersonateClient function to impersonate a client. The RPC server calls RpcRevertToSelf or RpcRevertToSelfEx to restore the security context defined for the server thread.

When a thread is impersonating a user, most actions by the thread are done in the security context of the thread's impersonation token rather than the primary token of the process that owns the thread. For example, an individual thread of a server process can impersonate a client to verify that the client is allowed to access a securable object. However, some actions are always done using the security context of the process. For example, if an impersonating thread calls the CreateProcess function, the new process inherits the primary token of the process rather than the impersonation token of the calling thread. Similarly, the system always uses the primary token of the process to validate actions requiring the SE_TCB_NAME privilege.

To create a new process that runs in the security context of an impersonated user, you can use the DuplicateTokenEx and CreateProcessAsUser functions. In a typical scenario, a server thread impersonates a client by calling one of the impersonation functions, such as the ImpersonateNamedPipeClient function. The impersonating thread then calls the OpenThreadToken function to get its own token, which is an impersonation token that has the security context of the client. The thread then calls DuplicateTokenEx to convert its impersonation token into a primary token. You can then pass this primary token in a call to CreateProcessAsUser. Note that a process created by this method may not have access to the network. This is because Windows NT authentication does not send a password from the client to the server, so the new process does not have the credentials to make a network connection to a third machine.

The LogonUser function provides another method for impersonating a user. If your process has the SE_TCB_NAME privilege, it can specify the authentication credentials of a user in a call to LogonUser. If the logon operation is successful, the function returns a primary access token that represents the specified user. You can use this primary token in a call to CreateProcessAsUser to create a process that runs in the security context of the user. Note that in this case, the new process would have access to the network because you supplied the password in the LogonUser call.

The SECURITY_IMPERSONATION_LEVEL enumeration defines four impersonation levels.

Impersonation Level
Meaning
SecurityAnonymous
Indicates the client does not want the server to obtain identification information about the client.
SecurityIdentification
Allows the server to obtain information about the client, such as security identifiers and privileges, without being able to impersonate the client. This is useful for servers that export their own objects, such as a database product that exports tables and views. Using the retrieved client security information, the server is able to make access-validation decisions for itself even though it is unable to use other services as the client.
SecurityImpersonation
Allows the server to impersonate the client's security context on its local system. The server cannot impersonate the client on remote systems.
SecurityDelegation
Windows NT security does not support this impersonation level.

Software for developers
Delphi Components
.Net Components
Software for Android Developers
More information resources
MegaDetailed.Net
Unix Manual Pages
Delphi Examples
Databases for Amazon shops developers
Amazon Categories Database
Browse Nodes Database