Cloaking and Impersonation Levels

As mentioned previously, the cloaking capability determines what identity is presented to a server during impersonation. Cloaking provides a way for a server to project an identity other than its own to another server it is calling on behalf of the client. The impersonation level indicates how much authority the client has given the server.

Impersonation without cloaking works, but it may not be the best choice because, in some cases, the final server needs to know the identity of the initial caller. This cannot be achieved without cloaking. Because cloaking is what presents the identity of the initial caller, without it, it is difficult to ensure that only authorized clients can access a remote machine. When impersonation is used without cloaking, the identity presented to a downstream server is that of the immediate calling process.

But cloaking is not useful without impersonation. Cloaking only makes sense when the client has set an impersonation level of impersonate or delegate. (With lower impersonation levels, the server cannot make cloaked calls.) Whether cloaking is successful depends on the impersonation level, which indicates how much authority the server has to act on behalf of the client, and on the number of machine boundaries crossed. The following discussion explains how the choice of cloaking and impersonation level affects what happens during impersonation.

In some situations, it makes sense for the server to set cloaking when the client sets the impersonation level to RPC_C_IMP_LEVEL_IMPERSONATE. However, certain limitations are in effect. If the original client sets the impersonation level to RPC_C_IMP_LEVEL_IMPERSONATE, the intermediate server (acting as a client on the same machine) can cloak across only one machine boundary. This is because an impersonate-level impersonation token can only be passed across one machine boundary. Once the machine boundary has been crossed, only local resources can be accessed. The identity presented to the server depends on the type of cloaking that is set. If no cloaking is set, the identity presented to a server will be that of the process making the immediate call.

To cloak over multiple machine boundaries, you must specify both an appropriate cloaking capability flag and delegate-level impersonation. With this type of impersonation, both the local and network credentials of the client are given to the server, so the impersonation token can cross any number of machine boundaries. Again, the identity presented to the server depends on the type of cloaking that is set. If no cloaking is set with delegate-level impersonation, the identity presented to a server is that of the process making the call.

For example, suppose Process A calls B, and B calls C. B has set cloaking and A has set the impersonation level to impersonate. If A, B, and C are on the same machine, passing the impersonation token from A to B and then to C will work. But if A and C are on the same machine, and B is not, passing the token will work between A and B, but not from B to C. The call from B to C will fail because B cannot call C while cloaking. However, if A sets the impersonation level to delegate, the token can be passed from B to C, so the call may succeed.
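The rules above can be checked against the A, B, C example with a small model. This is an added example, not code from the original page and not COM API code: the struct, the function names, the machine names "m1" and "m2", and the assumption that every caller in a chain uses the same impersonation level are all hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the rules in the text; hypothetical names, not COM API code. */
enum imp_level { LEVEL_IMPERSONATE, LEVEL_DELEGATE };

struct proc {
    const char *identity; /* account the process runs as */
    const char *machine;  /* host it runs on (constructed names) */
    int cloaking;         /* nonzero: outgoing calls carry the caller's token */
};

/* Walk chain[0] -> ... -> chain[n-1]. Returns the identity presented to the
   last process, or NULL when a cloaked hop cannot be made (same level assumed). */
const char *presented_identity(const struct proc *chain, int n, enum imp_level level)
{
    if (n < 1) return NULL;
    const char *token = chain[0].identity; /* whose token is travelling */
    int crossings = 0;                     /* machine boundaries it has crossed */
    for (int i = 0; i + 1 < n; i++) {
        if (i > 0 && !chain[i].cloaking) {
            /* No cloaking: the immediate calling process presents itself. */
            token = chain[i].identity;
            crossings = 0;
        }
        if (strcmp(chain[i].machine, chain[i + 1].machine) != 0)
            crossings++;
        /* An impersonate-level token can cross only one machine boundary. */
        if (level == LEVEL_IMPERSONATE && crossings > 1)
            return NULL;
    }
    return token;
}

/* The A -> B -> C example: A is on "m1"; B and C are placed by the caller. */
const char *abc_case(const char *mb, const char *mc, int b_cloaks, enum imp_level level)
{
    struct proc chain[3] = { {"A", "m1", 0}, {"B", mb, b_cloaks}, {"C", mc, 0} };
    return presented_identity(chain, 3, level);
}

int main(void)
{
    const char *r = abc_case("m2", "m1", 1, LEVEL_IMPERSONATE);
    printf("B remote, impersonate: %s\n", r ? r : "call fails");
    r = abc_case("m2", "m1", 1, LEVEL_DELEGATE);
    printf("B remote, delegate:    %s\n", r ? r : "call fails");
    return 0;
}
```

A non-NULL result means only that the token can be passed on that hop; as the text says of the delegate case, the call may succeed.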