Client Logon Sessions

A server with the SE_TCB_NAME privilege, such as a Win32 service running in the LocalSystem account, can call the LogonUser function to log a client on to the server's computer. LogonUser starts a new logon session and returns a primary access token that contains the client's security information. You can use this primary token in a call to the ImpersonateLoggedOnUser function to impersonate the client or in a call to the CreateProcessAsUser function to create a process that runs in the security context of the client.

The advantage of logging on the client is that the server, whether it impersonates the logged-on client or creates a process in the client's context, can connect to remote network resources as the client. If the server does not log on the client, it can connect to network resources only if it knows the account name and password to pass to the WNetAddConnection2 function.

The problem with logging on a client is that the server needs the client's credentials (domain name, user name, and password). If a server gets credentials from a remote client, it is the responsibility of the client and server applications to ensure that the credentials are transmitted in a secure manner. The LogonUser function uses Windows NT authentication, which does not transmit the password over the network.
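The sequence the three paragraphs above describe (LogonUser, then either ImpersonateLoggedOnUser or CreateProcessAsUser, then release of the token), written out as an added example that is not part of the original page. The account name, domain, password, command line and `list_share` callback are hypothetical placeholders; the only thing it adds beyond the page's own API calls is scrubbing the password buffer once the logon session holds the credentials, since the service is the party left holding plaintext. The Windows calls are compiled only under `_WIN32`; the buffer-scrubbing helper is portable.

```c
/* Added example, not from the original page: a service-side helper that logs a
 * client on with LogonUserW, impersonates it for one unit of work, starts a
 * process as the client, and scrubs the password it was handed. Account name,
 * domain, password and the work callback are hypothetical placeholders. */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Overwrite a credential buffer so the plaintext password does not linger in
 * memory once the logon call is done. SecureZeroMemory is guaranteed not to be
 * optimised away; the volatile loop gives the same guarantee elsewhere. */
static void wipe_secret(void *buf, size_t len)
{
#ifdef _WIN32
    SecureZeroMemory(buf, len);
#else
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) *p++ = 0;
#endif
}

/* Return 1 if every byte of buf is zero, otherwise 0. */
static int is_zeroed(const void *buf, size_t len)
{
    const unsigned char *p = (const unsigned char *)buf;
    for (size_t i = 0; i < len; i++) if (p[i] != 0) return 0;
    return 1;
}

/* Fill a buffer with a constructed stand-in for a password, wipe it, and
 * report whether the wipe took (1 = fully zeroed). */
static int wipe_demo(void)
{
    unsigned char secret[32];
    memset(secret, 'A', sizeof secret);
    wipe_secret(secret, sizeof secret);
    return is_zeroed(secret, sizeof secret);
}

#ifdef _WIN32
/* Start a logon session for the client and return its primary token, or NULL
 * with GetLastError() set. The caller must hold SE_TCB_NAME (e.g. LocalSystem).
 * LOGON32_LOGON_INTERACTIVE yields a primary token whose session caches the
 * credentials, so work done under it can reach remote resources as the client;
 * a LOGON32_LOGON_NETWORK session cannot be used for outbound network access. */
static HANDLE logon_client(LPCWSTR user, LPCWSTR domain, LPCWSTR password)
{
    HANDLE token = NULL;
    if (!LogonUserW(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                    LOGON32_PROVIDER_DEFAULT, &token))
        return NULL;
    return token;
}

/* Run work(arg) on this thread as the client, then return to the service's own
 * context. A failed RevertToSelf leaves the thread stuck as the client, so it
 * is reported as a failure rather than ignored. Returns 1 on success. */
static int impersonate_for(HANDLE token, void (*work)(void *), void *arg)
{
    if (!ImpersonateLoggedOnUser(token)) return 0;
    work(arg);
    return RevertToSelf() ? 1 : 0;
}

/* Create a process in the client's context from the primary token. LocalSystem
 * already holds the SE_ASSIGNPRIMARYTOKEN_NAME and SE_INCREASE_QUOTA_NAME
 * privileges this call needs; window-station and environment-block setup for a
 * real service is omitted here. Returns 1 on success. */
static int spawn_as_client(HANDLE token, LPWSTR cmdline)
{
    STARTUPINFOW si; PROCESS_INFORMATION pi;
    ZeroMemory(&si, sizeof si); si.cb = sizeof si;
    if (!CreateProcessAsUserW(token, NULL, cmdline, NULL, NULL, FALSE,
                              CREATE_UNICODE_ENVIRONMENT, NULL, NULL, &si, &pi))
        return 0;
    CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
    return 1;
}

/* Placeholder unit of work: any file or share opened here is checked against
 * the client's rights, not the service's. */
static void list_share(void *arg) { (void)arg; }
#endif

int main(void)
{
#ifdef _WIN32
    wchar_t password[64] = L"hypothetical-password";   /* as received from the client */
    wchar_t cmd[] = L"cmd.exe /c whoami";               /* hypothetical child command */
    HANDLE token = logon_client(L"alice", L"EXAMPLEDOM", password);
    DWORD err = token ? 0 : GetLastError();
    wipe_secret(password, sizeof password);   /* the session holds what it needs now */
    if (!token) { printf("LogonUser failed: %lu\n", err); return 1; }
    printf("impersonation: %s\n", impersonate_for(token, list_share, NULL) ? "ok" : "failed");
    printf("child process: %s\n", spawn_as_client(token, cmd) ? "started" : "failed");
    CloseHandle(token);   /* drop our reference; the session ends with its last token */
#endif
    printf("password buffer scrubbed: %s\n", wipe_demo() ? "yes" : "no");
    return 0;
}
```

Two design points worth noting: the password is wiped immediately after LogonUser returns, whether or not the logon succeeded, because the logon session (not the caller's buffer) is what carries the credentials from then on; and the error code is captured before the wipe so that diagnostic output does not depend on what the scrubbing call leaves in the thread's last-error slot.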