Platform SDK: Logon Authentication
The ImpersonateSecurityContext function allows security packages to impersonate the caller. While impersonating, the application server acts as the client, so all necessary access controls are enforced against the client's identity rather than the server's.
```c
SECURITY_STATUS ImpersonateSecurityContext(
  PCtxtHandle phContext  // handle of context to impersonate
);
```
If the function succeeds, the return value is SEC_E_OK.
If the function fails, the return value can be the following error code.
Value | Meaning |
---|---|
SEC_E_INVALID_HANDLE | The handle passed to the function is invalid. |
The security package or application server calls the ImpersonateSecurityContext function when it needs to impersonate the caller. Before doing so, the server must have obtained a valid context handle. To obtain the context handle, the server must call AcceptSecurityContext to submit the client's incoming security token to the security system. The server gets a context handle if the inbound context is validated. The function creates an impersonation token and allows the thread or process to run with the impersonation context.
The application server must call the RevertSecurityContext function when it finishes or when it needs to restore its own security context.
ImpersonateSecurityContext is not available with all security packages on all platforms. Typically, it is implemented only on platforms and with security packages for which a call to the QuerySecurityPackageInfo function indicates impersonation support. The caller must also specify ASC_REQ_DELEGATION in the AcceptSecurityContext function.
The prototype for this function can be found in Sspi.h.
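The impersonate/revert bracket described above, as an added example that is not part of the original SDK page. `run_as_client` and `sample_work` are hypothetical names, and the non-Windows branch holds constructed stand-ins for the two SSPI calls so the control flow can be exercised without a context handle from AcceptSecurityContext.

```c
/* Added example: fail-closed impersonate/revert bracket (helper names are hypothetical). */
#include <stdio.h>
#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <security.h>
#else
/* Constructed stand-ins so the control flow can be exercised off Windows. */
typedef long SECURITY_STATUS;
typedef struct { int valid; int impersonating; } CtxtHandle, *PCtxtHandle;
#define SEC_E_OK 0L
#define SEC_E_INVALID_HANDLE 0x80090301L
static SECURITY_STATUS ImpersonateSecurityContext(PCtxtHandle h) {
    if (!h || !h->valid) return SEC_E_INVALID_HANDLE;
    h->impersonating = 1; return SEC_E_OK;
}
static SECURITY_STATUS RevertSecurityContext(PCtxtHandle h) {
    if (!h || !h->valid) return SEC_E_INVALID_HANDLE;
    h->impersonating = 0; return SEC_E_OK;
}
#endif

typedef int (*client_work_fn)(void *arg);

/* Runs work() under the client's identity.
 * Returns 0 on success; -1 if impersonation failed (work was NOT run);
 * -2 if work ran but the thread could not be reverted. */
int run_as_client(PCtxtHandle ctx, client_work_fn work, void *arg, int *work_rc)
{
    SECURITY_STATUS ss = ImpersonateSecurityContext(ctx);
    if (ss != SEC_E_OK) {
        /* Fail closed: continuing here would touch resources with the
         * server's own identity instead of the client's. */
        fprintf(stderr, "impersonation failed: 0x%08lx\n", (unsigned long)ss);
        return -1;
    }
    *work_rc = work(arg);             /* access checks now apply to the client */
    ss = RevertSecurityContext(ctx);  /* always restore the server's context */
    if (ss != SEC_E_OK) {
        /* The thread may still carry the client's token; do not reuse it. */
        fprintf(stderr, "revert failed: 0x%08lx\n", (unsigned long)ss);
        return -2;
    }
    return 0;
}

/* Constructed sample work item: counts how many times it was invoked. */
int sample_work(void *arg) { return ++*(int *)arg; }
```

On Windows, `ctx` is the handle returned by a successful AcceptSecurityContext call and the work callback is whatever resource access the server performs on the client's behalf.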
Windows NT/2000: Requires Windows NT 3.51 or later.
Windows 95/98: Unsupported.
Header: Declared in Sspi.h; include Security.h.
Library: Use Secur32.lib.
See Also: AcceptSecurityContext, QuerySecurityPackageInfo, RevertSecurityContext