Security Context Tracking During Impersonation (101378)
The information in this article applies to:

  • Microsoft Win32 Application Programming Interface (API), when used with:
    • the operating system: Microsoft Windows NT 3.5
    • the operating system: Microsoft Windows NT 3.51
    • the operating system: Microsoft Windows NT 4.0

This article was previously published under Q101378

SUMMARY

When you impersonate a client through a function such as ImpersonateNamedPipeClient, there are two different ways to track the security context of the client. With dynamic tracking, the server's security context is continually updated to match changes to the client's security context. With static tracking, the server has the security context the client had at the time the impersonation was done.

The tracking mode, which is defined in the SDK documentation as part of the Security Quality of Service information, can be specified by the server when the named pipe is opened with CreateFile(). In the dwFlagsAndAttributes parameter, specify SECURITY_CONTEXT_TRACKING to enable dynamic tracking. If the client does not specify a tracking mode, the default is static.
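The following is an added example, not code from the original article, showing both halves of the call described above: the client side builds the dwFlagsAndAttributes value for CreateFile() (SECURITY_SQOS_PRESENT must be set for SECURITY_CONTEXT_TRACKING and the impersonation-level bits to be honoured; without it CreateFile falls back to the defaults, which are the impersonation level and static tracking), and the server side impersonates the client only around the work that needs it and reverts afterwards. The pipe name and the helper names (pipe_client_flags, requests_dynamic_tracking, impersonation_level_name, open_pipe_as_client, serve_one_request) are assumptions for illustration. The Win32 calls are compiled only on Windows; the flag helpers are portable so the SQOS encoding can be checked on any host.

```c
/*
 * Added example (not part of the original article).  Shows how a named-pipe
 * client requests dynamic security context tracking in CreateFile(), and how
 * the server impersonates that client and reverts.  Pipe name and helper
 * names are assumptions for illustration.
 */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Values copied from winbase.h so the flag arithmetic matches Windows exactly
 * when this file is compiled on a non-Windows host. */
typedef unsigned long DWORD;
#define FILE_ATTRIBUTE_NORMAL     0x00000080
#define SECURITY_CONTEXT_TRACKING 0x00040000
#define SECURITY_EFFECTIVE_ONLY   0x00080000
#define SECURITY_SQOS_PRESENT     0x00100000
#define SECURITY_ANONYMOUS        (0 << 16)   /* SecurityAnonymous      */
#define SECURITY_IDENTIFICATION   (1 << 16)   /* SecurityIdentification */
#define SECURITY_IMPERSONATION    (2 << 16)   /* SecurityImpersonation  */
#define SECURITY_DELEGATION       (3 << 16)   /* SecurityDelegation     */
#endif

/* The two bits of dwFlagsAndAttributes that carry the impersonation level. */
#define SECURITY_LEVEL_MASK (3 << 16)

/* Build dwFlagsAndAttributes for a named-pipe client.  SECURITY_SQOS_PRESENT
 * is what makes CreateFile look at the other SECURITY_* bits at all. */
DWORD pipe_client_flags(int dynamic_tracking, DWORD impersonation_level)
{
    DWORD flags = FILE_ATTRIBUTE_NORMAL | SECURITY_SQOS_PRESENT
                | (impersonation_level & SECURITY_LEVEL_MASK);
    if (dynamic_tracking)
        flags |= SECURITY_CONTEXT_TRACKING;
    return flags;
}

/* 1 if CreateFile would request dynamic tracking with these flags, else 0.
 * The tracking bit without SECURITY_SQOS_PRESENT is ignored (static). */
int requests_dynamic_tracking(DWORD flags)
{
    return ((flags & SECURITY_SQOS_PRESENT) && (flags & SECURITY_CONTEXT_TRACKING)) ? 1 : 0;
}

/* Name of the impersonation level a client asked for; handy when reviewing a
 * client's CreateFile call.  Without SQOS the default is impersonation. */
const char *impersonation_level_name(DWORD flags)
{
    if (!(flags & SECURITY_SQOS_PRESENT))
        return "impersonation";
    switch (flags & SECURITY_LEVEL_MASK) {
    case SECURITY_ANONYMOUS:      return "anonymous";
    case SECURITY_IDENTIFICATION: return "identification";
    case SECURITY_IMPERSONATION:  return "impersonation";
    default:                      return "delegation";
    }
}

#ifdef _WIN32
/* Client side (thread B in the article when it calls C): open the pipe with
 * dynamic tracking so the server's impersonation token follows later changes
 * to this thread's security context.  pipe_name is an assumed example. */
HANDLE open_pipe_as_client(const char *pipe_name, int dynamic_tracking)
{
    return CreateFileA(pipe_name, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                       OPEN_EXISTING,
                       pipe_client_flags(dynamic_tracking, SECURITY_IMPERSONATION),
                       NULL);
}

/* Server side: impersonate only around the work that must run as the client
 * and always revert, including on the error path.  Returns 0 on success. */
int serve_one_request(HANDLE pipe)
{
    char buf[256];
    DWORD got = 0;
    int rc = -1;

    /* The client must have written to the pipe before the server can
     * impersonate it, so read the request first. */
    if (!ReadFile(pipe, buf, sizeof buf - 1, &got, NULL))
        return -1;
    buf[got] = '\0';

    if (!ImpersonateNamedPipeClient(pipe))
        return -1;                      /* still running as the server */

    /* ... act on buf under the client's security context ... */
    rc = 0;

    if (!RevertToSelf())                /* a thread left impersonating is a bug */
        rc = -1;
    return rc;
}
#endif

int main(void)
{
    DWORD dyn = pipe_client_flags(1, SECURITY_IMPERSONATION);
    DWORD sta = pipe_client_flags(0, SECURITY_IMPERSONATION);
    printf("dynamic: 0x%08lx level=%s tracking=%s\n", (unsigned long)dyn,
           impersonation_level_name(dyn), requests_dynamic_tracking(dyn) ? "dynamic" : "static");
    printf("static:  0x%08lx level=%s tracking=%s\n", (unsigned long)sta,
           impersonation_level_name(sta), requests_dynamic_tracking(sta) ? "dynamic" : "static");
#ifdef _WIN32
    HANDLE h = open_pipe_as_client("\\\\.\\pipe\\example_pipe", 1);  /* assumed name */
    if (h != INVALID_HANDLE_VALUE)
        CloseHandle(h);
#endif
    return 0;
}
```

The server routine reads before calling ImpersonateNamedPipeClient because the call fails until the client has written to the pipe, and it calls RevertToSelf on every path so that no later request on the same thread runs under a stale client context. Whether the token it holds during the impersonated work is a snapshot (static) or follows the client (dynamic) is decided entirely by the client's flags at open time, which is why the flag helpers are worth checking on the client side.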

MORE INFORMATION

Suppose there are three threads (A, B, and C) where:

A calls B through a named pipe and B does ImpersonateNamedPipeClient

B calls C through a named pipe and C does ImpersonateNamedPipeClient

If B and C both specify dynamic tracking, then the security context of C is continually updated to match the security context of A as long as B and C continue to impersonate.

NOTE: Dynamic tracking is not supported between machines. In the above example, if A and B are on one machine, and C is on a second machine, C would successfully impersonate A via B, but with static tracking.

Delegation past one machine is not supported, either. If A, B, and C were all on separate machines, the call from B to C would not authenticate as A.

Modification Type: Minor
Last Reviewed: 2/11/2004
Keywords: kbDSWNET2003Swept kbAPI kbIPC kbnetwork kbPipes KB101378