ImpersonateSecurityContext

The ImpersonateSecurityContext function allows a service provider or application server to impersonate the caller. While impersonating, the server acts as the client, and thus all necessary access controls are enforced.

SECURITY_STATUS ImpersonateSecurityContext(
  PCtxtHandle phContext  // handle of context to impersonate
);
 

Parameters

phContext
Handle of the context to impersonate. This handle must have been obtained in a call to the AcceptSecurityContext function.

Return Values

If the function succeeds, the return value is SEC_E_OK.

If the function fails, the return value can be the following error code.

Value                   Meaning
SEC_E_INVALID_HANDLE    The handle passed to the function is invalid.

Remarks

The service provider or application server calls the ImpersonateSecurityContext function when it needs to impersonate the caller. The server must first have obtained a valid context handle by passing the client's incoming security token to the security system through the AcceptSecurityContext function. The server receives a context handle if the inbound context is validated successfully. ImpersonateSecurityContext then creates an impersonation token and allows the thread or process to run with the impersonation context.

The application server must call the RevertSecurityContext function when it has finished or when it needs to restore its own security context.

Typically, ImpersonateSecurityContext is implemented only on security packages for which a call to the QuerySecurityPackageInfo function indicates impersonation support. The caller must also specify ASC_REQ_DELEGATION in the AcceptSecurityContext function.
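
The impersonate, work, revert sequence described in the Remarks, as an added example that is not part of the original reference page. The helper run_as_client, the callback type client_work_fn and the sim_ names are hypothetical; off Windows the two SSPI calls are replaced by constructed stand-ins so the control flow can be run anywhere.

```c
/* Added example: scope impersonation to one unit of work and fail closed. */
#include <stdio.h>
#include <stdlib.h>
#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>             /* link with Secur32.lib */
#else
/* Constructed stand-ins so the block builds off Windows. They mirror the SSPI
   signatures and status codes but only track state; they are not SSPI. */
#include <stdint.h>
typedef int32_t SECURITY_STATUS;
typedef struct { uintptr_t dwLower, dwUpper; } CtxtHandle, *PCtxtHandle;
#define SEC_E_OK ((SECURITY_STATUS)0)
#define SEC_E_INVALID_HANDLE ((SECURITY_STATUS)0x80090301)
static int sim_impersonating; /* 1 while the thread "runs as" the client */
static SECURITY_STATUS ImpersonateSecurityContext(PCtxtHandle h) {
    if (!h || (!h->dwLower && !h->dwUpper)) return SEC_E_INVALID_HANDLE;
    sim_impersonating = 1;
    return SEC_E_OK;
}
static SECURITY_STATUS RevertSecurityContext(PCtxtHandle h) {
    if (!h || !sim_impersonating) return SEC_E_INVALID_HANDLE;
    sim_impersonating = 0;
    return SEC_E_OK;
}
/* Constructed probe: records which identity the work ran under. */
static int sim_probe(void *arg) { *(int *)arg = sim_impersonating; return 7; }
#endif

typedef int (*client_work_fn)(void *arg); /* hypothetical callback type */

/* Hypothetical helper: runs work() as the client behind ctx, a handle from
   AcceptSecurityContext. work() never runs if impersonation failed. */
static SECURITY_STATUS run_as_client(PCtxtHandle ctx, client_work_fn work,
                                     void *arg, int *work_rc) {
    SECURITY_STATUS ss = ImpersonateSecurityContext(ctx);
    if (ss != SEC_E_OK)
        return ss;        /* still the server's own identity: do not proceed */
    *work_rc = work(arg); /* access checks now use the client's token */
    ss = RevertSecurityContext(ctx);
    if (ss != SEC_E_OK) { /* thread may still carry the client's token */
        fprintf(stderr, "RevertSecurityContext failed: 0x%08x\n", (unsigned)ss);
        abort();          /* fail closed rather than reuse the thread */
    }
    return SEC_E_OK;
}
```

Checking the return value before doing any work matters because a failed call leaves the thread running under the server's own, usually more privileged, security context.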

See Also

AcceptSecurityContext, QuerySecurityPackageInfo, RevertSecurityContext