Per MSDN:
Client Impersonation
Impersonation is the ability of a thread to execute using different security information than the process that owns the thread. Typically, a thread in a server application impersonates a client. This allows the server thread to act on behalf of that client to access objects on the server or validate access to the client's own objects.
The Microsoft Windows API provides the following functions to begin an impersonation:
...
- A security package or application server can call the ImpersonateSecurityContext function to impersonate a client.
So Impersonation is done on a per-thread basis.
Impersonation can be used to spawn a new process as the impersonated user (by using DuplicateTokenEx() and CreateProcessAsUser()) but impersonation never makes the calling process run as the impersonated user, only the calling thread.
In a server context, where multiple clients can be connected at the same time, it would be very dangerous if client impersonation was applied on a process-wide basis.
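
The per-thread scope described above, as an added C# example that is not part of the original answer: one thread impersonates through .NET's WindowsIdentity.RunImpersonated while a second thread in the same process checks whether it carries an impersonation token. It assumes Windows and .NET, and it impersonates the process's own token so no client or credentials are needed; the class and helper names are hypothetical.

```csharp
using System;
using System.Security.Principal;
using System.Threading;

// Added illustration; class and method names are hypothetical.
static class PerThreadImpersonationDemo
{
    // True only when the calling thread carries an impersonation token.
    // GetCurrent(true) returns null when the thread is not impersonating.
    static bool ThreadIsImpersonating()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent(true))
            return id != null;
    }

    static int Main()
    {
        bool mainSaw = false, workerSaw = true;
        using (var impersonating = new ManualResetEventSlim())
        using (var workerDone = new ManualResetEventSlim())
        using (WindowsIdentity self = WindowsIdentity.GetCurrent())
        {
            // Start the worker before impersonation begins, so .NET has no
            // impersonation context to flow into the new thread.
            var worker = new Thread(() =>
            {
                impersonating.Wait();                 // main thread is impersonating now
                workerSaw = ThreadIsImpersonating();  // check this thread's own token
                workerDone.Set();
            });
            worker.Start();

            // Stand-in for a server thread impersonating a client: the token
            // is applied to the calling thread for the duration of the delegate.
            WindowsIdentity.RunImpersonated(self.AccessToken, () =>
            {
                mainSaw = ThreadIsImpersonating();
                impersonating.Set();
                workerDone.Wait();                    // stay impersonated while the worker checks
            });
            worker.Join();
        }
        bool afterRevert = ThreadIsImpersonating();   // the delegate has returned

        Console.WriteLine("impersonating thread has a thread token: " + mainSaw);
        Console.WriteLine("other thread, same moment:               " + workerSaw);
        Console.WriteLine("first thread after the delegate returns: " + afterRevert);
        return (mainSaw && !workerSaw && !afterRevert) ? 0 : 1;
    }
}
```

The process exits with 0 only when the thread token was present on the impersonating thread alone and was gone once the delegate returned.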