Impersonation Tokens
An impersonating thread has two access tokens:
- A primary access token that describes the security context of the server. To get a handle to this token, call the OpenProcessToken function.
- An impersonation access token that describes the security context of the client being impersonated. To get a handle to this token, call the OpenThreadToken function.
A server can use the impersonation token in the following functions:
- In the AccessCheck, AccessCheckByType, and AccessCheckByTypeResultList functions to determine whether a security descriptor allows the client a set of access rights.
- In the AdjustTokenPrivileges function to enable or disable the client's privileges.
- In the PrivilegeCheck function to determine whether a set of privileges are enabled in the client's token.
- In functions that generate entries in the security event log, such as ObjectOpenAuditAlarm or PrivilegedServiceAuditAlarm. These functions use an impersonation token to get information about the client for the log entry.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for