Impersonation Levels
If impersonation succeeds, it means that the client has agreed to let the server "be" the client to some degree. The varying degrees of impersonation are called impersonation levels, and they indicate how much authority is given to the server when it is impersonating the client.
Currently, there are four impersonation levels: anonymous, identify, impersonate, and delegate. Prior to Windows NT 5.0, the only supported impersonation levels were identify and impersonate. In Windows NT 5.0, delegate-level impersonation is supported. The following list briefly describes each impersonation level.
- At the anonymous level (not currently supported) the client is anonymous to the server. The server process can impersonate the client, but the impersonation token does not contain any information about the client.
- At the identify level (RPC_C_IMP_LEVEL_IDENTIFY), which is the system default level, the server can obtain the client's identity. The server can impersonate the client to do ACL checks.
- At the impersonate level (RPC_C_IMP_LEVEL_IMPERSONATE), the server can impersonate the client's security context while acting on behalf of the client. The server can access local resources as the client. If the server is local, it can access network resources as the client. If the server is remote, it can only access resources that are on the same machine as the server.
- The delegate level (RPC_C_IMP_LEVEL_DELEGATE) is the most powerful impersonation level. When this level is selected, the server (whether local or remote) can impersonate the client's security context while acting on behalf of the client. During impersonation, the client's credentials (both local and network) can be passed to any number of machines.
By choosing the impersonation level, the client tells the server how far it can go in impersonating the client. The client sets the impersonation level on the proxy it uses to communicate with the server. For more information, see Setting the Impersonation Level.
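As an added example (not code from this documentation), the following C++ sketch turns the rules above into a server-side check: a server should verify the level the client actually granted before touching resources on its behalf. The Action enum, RequiredLevel, GrantedLevelSuffices and ActAsClient are this example's own names; CoImpersonateClient, OpenThreadToken and GetTokenInformation are the Windows APIs a server uses to read the granted level, and the non-Windows stand-ins exist only so the policy logic compiles elsewhere.

```cpp
// Added example, not from this page: a server refusing actions the client's
// chosen impersonation level does not cover. Action/RequiredLevel are this
// example's own names; the RPC_C_IMP_LEVEL_* values come from <rpcdce.h>.
#ifdef _WIN32
#include <windows.h>
#else
// Stand-ins with the real values so the policy logic compiles off-Windows.
enum { RPC_C_IMP_LEVEL_ANONYMOUS = 1, RPC_C_IMP_LEVEL_IDENTIFY = 2,
       RPC_C_IMP_LEVEL_IMPERSONATE = 3, RPC_C_IMP_LEVEL_DELEGATE = 4 };
#endif

// What the server wants to do while acting on the client's behalf.
enum class Action { AclCheckOnly, LocalResource, NetworkResource, ForwardToThirdMachine };

// Least level the client must have granted: identify covers ACL checks;
// impersonate covers local resources, and network resources only when the
// server runs on the client's machine; delegate is needed to pass credentials on.
int RequiredLevel(Action a, bool serverIsLocal) {
  switch (a) {
    case Action::AclCheckOnly:   return RPC_C_IMP_LEVEL_IDENTIFY;
    case Action::LocalResource:  return RPC_C_IMP_LEVEL_IMPERSONATE;
    case Action::NetworkResource:
      return serverIsLocal ? RPC_C_IMP_LEVEL_IMPERSONATE : RPC_C_IMP_LEVEL_DELEGATE;
    case Action::ForwardToThirdMachine: return RPC_C_IMP_LEVEL_DELEGATE;
  }
  return RPC_C_IMP_LEVEL_DELEGATE;  // unreachable; keeps compilers quiet
}

bool GrantedLevelSuffices(int grantedRpcLevel, Action a, bool serverIsLocal) {
  return grantedRpcLevel >= RequiredLevel(a, serverIsLocal);
}

#ifdef _WIN32
// Server side: impersonate the caller, read the level it really granted from
// the thread token, and act only if that level covers the requested action.
bool ActAsClient(Action a, bool serverIsLocal) {
  if (FAILED(CoImpersonateClient())) return false;
  HANDLE tok = nullptr; SECURITY_IMPERSONATION_LEVEL lvl; DWORD cb = 0; bool ok = false;
  if (OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &tok) &&
      GetTokenInformation(tok, TokenImpersonationLevel, &lvl, sizeof lvl, &cb)) {
    // SecurityAnonymous..SecurityDelegation run 0..3; RPC_C_IMP_LEVEL_* run 1..4.
    ok = GrantedLevelSuffices(static_cast<int>(lvl) + 1, a, serverIsLocal);
  }
  if (tok) CloseHandle(tok);
  // ... perform the action here only when ok ...
  CoRevertToSelf();
  return ok;
}
#endif
```

A remote server granted only RPC_C_IMP_LEVEL_IMPERSONATE therefore refuses network access on the client's behalf, matching the page's rule for remote servers.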