Server-Side Requirements for Impersonation

The server performs impersonation programmatically: it explicitly assumes the client's security credentials by calling CoImpersonateClient. When the client has granted the server sufficient authority, this places the client's security credentials in the server's thread token, which is then used in place of the process token.

When this has been done, the server can, for example, use the client token to access resources guarded with a security descriptor, or, if cloaking is enabled, make calls under the client identity.

The server can explicitly set cloaking programmatically, or it can rely on an administrative setting. By default, COM+ applications are configured to use dynamic cloaking. For more detail, see Cloaking.

If the server is implementing delegation on behalf of the client (using the client identity over the network), the server process identity must be marked as "Trusted for delegation" in the Active Directory Service; otherwise, delegation will fail.

When it has finished using the client's identity, the server can revert to its own process token using CoRevertToSelf.
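
The impersonate-then-revert sequence described above, as an added example that is not part of the original documentation: a scoped guard that calls CoImpersonateClient, refuses to do the client's work if that call fails, and calls CoRevertToSelf on every exit path. The names ClientImpersonation and RunAsClient are hypothetical, and the non-Windows branch uses constructed stand-ins for the two COM calls so the control flow can be run off Windows.

```cpp
// Added example: scoped impersonation for a COM server method.
#ifdef _WIN32
#include <objbase.h>   // real CoImpersonateClient / CoRevertToSelf (link ole32)
#else
// Constructed stand-ins (assumption) so the control flow can be run off Windows.
typedef int HRESULT;
#define S_OK ((HRESULT)0)
#define E_ACCESSDENIED ((HRESULT)0x80070005)
#define FAILED(hr) (((HRESULT)(hr)) < 0)
static bool g_client_allows = true;            // did the client grant enough authority?
static bool g_thread_has_client_token = false; // is the thread token the client's?
static HRESULT CoImpersonateClient() {
    if (!g_client_allows) return E_ACCESSDENIED;
    g_thread_has_client_token = true;
    return S_OK;
}
static HRESULT CoRevertToSelf() {
    g_thread_has_client_token = false;
    return S_OK;
}
#endif

// Hypothetical RAII guard: impersonate on construction, revert on destruction.
class ClientImpersonation {
    HRESULT hr_;
public:
    ClientImpersonation() : hr_(CoImpersonateClient()) {}
    ~ClientImpersonation() { if (!FAILED(hr_)) CoRevertToSelf(); }
    ClientImpersonation(const ClientImpersonation&) = delete;
    ClientImpersonation& operator=(const ClientImpersonation&) = delete;
    HRESULT result() const { return hr_; }
};

// Hypothetical helper: runs `work` only while the thread carries the client's token.
template <typename F>
HRESULT RunAsClient(F work) {
    ClientImpersonation guard;
    // Fail closed: if impersonation failed, the thread still runs under the
    // server's process token, so the client's request must not be serviced.
    if (FAILED(guard.result())) return guard.result();
    return work();  // guard reverts on normal return and on exception
}

int main() {  // stand-alone run; in a server, call RunAsClient from the method body
    HRESULT hr = RunAsClient([] { return S_OK; });
    return FAILED(hr) ? 1 : 0;
}
```

Checking the result of CoImpersonateClient before touching any resource is the point of the helper: without that check, a failed call would leave the access to run under the server's own identity rather than the client's.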

For details on implementing impersonation and delegation, see Delegation and Impersonation.

Client Impersonation and Delegation

Client-Side Requirements for Impersonation

Cloaking