RPC_C_IMP_LEVEL_xxx
[This is preliminary documentation and subject to change.]
Used in the security functions and interfaces to specify the impersonation level.
Values
-
RPC_C_IMP_LEVEL_DEFAULT
-
Tells DCOM to choose the impersonation level by using its normal security blanket negotiation algorithm. This value can be used with Windows NT 5.0 and later versions. For more information, see Security Blanket Negotiation.
-
RPC_C_IMP_LEVEL_ANONYMOUS
-
(Not supported in this release.) The client is anonymous to the server. The server process can impersonate the client, but the impersonation token will not contain any information and cannot be used for anything.
-
RPC_C_IMP_LEVEL_IDENTIFY
-
The server can obtain the client's identity. The server can impersonate the client for ACL checking, but cannot access system objects as the client.
Note GetUserName will fail while impersonating at identify level. The workaround is to impersonate, OpenThreadToken, revert, call GetTokenInformation, and finally, call LookupAccountSid.
-
RPC_C_IMP_LEVEL_IMPERSONATE
-
The server process can impersonate the client's security context while acting on behalf of the client. This level of impersonation can be used to access local resources such as files. When impersonating at this level, the impersonation token can only be passed across one machine boundary. In order for the impersonation token to be passed, you must use Cloaking, which is available in Windows NT 5.0.
-
RPC_C_IMP_LEVEL_DELEGATE
-
Supported for Windows NT 5.0 and later versions. The server process can impersonate the client's security context while acting on behalf of the client. The server process can also make outgoing calls to other servers while acting on behalf of the client, using Cloaking. The server may use the client's security context on other machines to access local and remote resources as the client. When impersonating at this level, the impersonation token can be passed across any number of machine boundaries.
Comments
Only the RPC_C_IMP_LEVEL_IDENTIFY and RPC_C_IMP_LEVEL_IMPERSONATE levels are supported in Windows NT 4.0. In Windows NT 5.0, RPC_C_IMP_LEVEL_DELEGATE is supported as well.
Using CoSetProxyBlanket, the client sets the impersonation level and proxy identity that will be available when a server calls CoImpersonateClient. The identity the server will see when impersonating takes place is described in How Cloaking Determines Client Identity. Note that when making a call while impersonating, the callee will normally receive the caller's process token, not the caller's impersonation token. To receive the caller's impersonation token, the caller must enable cloaking.
QuickInfo
Windows NT: Use version 3.1 and later.
Windows: Use Windows 95 and later.
Windows CE: Unsupported.
Header: Declared in rpcdce.h.
See Also
CoInitializeSecurity, Cloaking and Impersonation Levels