Like all processes, a protected server has a primary access token that describes its security context. When a client connects to a protected server, the server may want to perform actions using the client's security context instead of the server's security context. For example, when a client in a dynamic data exchange (DDE) conversation requests information from a DDE server, the server needs to verify that the client is allowed access to the information.
There are two ways that a server can act in the client's security context.
In most cases, impersonating the client is sufficient. Impersonation enables the server to check the client's access to securable objects, to check the client's privileges, and to generate audit log entries that identify the client. Typically, a server needs to start a client logon session only if it needs to use the client's security context to access network resources.