How Cloaking Determines Client Identity

When a secure call is made and the server asks the client for its identity, it usually gets the identity tied to the proxy. (Sometimes the authentication service performs a translation from the real identity, but generally the proxy identity is the identity the server sees.) The proxy presents an identity to the server that depends on the type of cloaking that is set and other factors.

The following table summarizes the fact that the identity of the client is a function of the cloaking flag set, the process token, the presence or absence of a thread token, and whether the proxy identity has been previously set. The following table shows the resulting proxy identity (client identity) when these factors vary.

Cloaking Flags	Thread Token Presence	Proxy Identity Previously Set	Proxy Identity (client identity)
cloaking not set	don't care	don't care	process token or authentication identity
EOAC_STATIC_CLOAKING	present	No	thread token
EOAC_STATIC_CLOAKING	present	Yes	current proxy identity
EOAC_STATIC_CLOAKING	not present	No	process token
EOAC_STATIC_CLOAKING	not present	Yes	current proxy identity
EOAC_DYNAMIC_CLOAKING	present	don't care	thread token
EOAC_DYNAMIC_CLOAKING	not present	don't care	process token

The following rules explain exactly how the proxy identity is determined:

If the application called CoSetProxyBlanket and specified the authentication information parameter (pAuthInfo), use that information. (You cannot set both cloaking and authentication identity on a call to CoSetProxyBlanket or CoInitializeSecurity.)
If CoSetProxyBlanket was called but the authentication information was not specified and static cloaking is set, and there was a thread token when CoSetProxyBlanket was called, use the thread token from the CoSetProxyBlanket call.
If CoSetProxyBlanket was called but the authentication information was not specified and dynamic cloaking is set, and there is a current thread token, use that thread token.
If pAuthInfo was set in CoInitializeSecurity, use the authentication information from CoInitializeSecurity.
If pAuthInfo was not set in CoInitializeSecurity but static cloaking was set, if this is the first call on the proxy and there is a thread token now, use the current thread token. If this is not the first call on the proxy, use the token chosen on the first call.
If pAuthInfo was not set in CoInitializeSecurity but dynamic cloaking was set, and if there is a current thread token, use the current thread token.
If none of the preceding applies, use the process token.