Microsoft KB Archive/101378
Security Context Tracking During Impersonation
The information in this article applies to:
- Microsoft Win32 Application Programming Interface (API), included with:
- the operating system: Microsoft Windows NT, versions 3.5, 3.51, 4.0
When you impersonate a client through a function such as ImpersonateNamedPipeClient, there are two different ways to track the security context of the client. With dynamic tracking, the server's impersonation context is continually updated to match changes in the client's security context. With static tracking, the server holds the security context the client had at the time the impersonation was done.
The tracking mode, which is defined in the SDK documentation as part of the Security Quality of Service information, can be specified by the server when the named pipe is opened with CreateFile(). In the dwFlagsAndAttributes parameter, specify SECURITY_CONTEXT_TRACKING to enable dynamic tracking. If the client does not specify a level, then the default security tracking mode is static.
Suppose there are three threads (A, B, and C) where:
- A calls B through a named pipe and B does ImpersonateNamedPipeClient
- B calls C through a named pipe and C does ImpersonateNamedPipeClient
If B and C both specify dynamic tracking, then the security context of C is continually updated to match the security context of A as long as B and C continue to impersonate.
NOTE: Dynamic tracking is not supported between machines. In the above example, if A and B are on one machine, and C is on a second machine, C would successfully impersonate A via B, but with static tracking.
Delegation past one machine is not supported, either. If A, B, and C were all on separate machines, the call from B to C would not authenticate as A.
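The following is an added example, not code from this article: the client side opens the pipe with CreateFile and selects static or dynamic tracking through the Security Quality of Service bits in dwFlagsAndAttributes, and the server side impersonates only for the duration of the work and then reverts. It is written in C# with P/Invoke; the pipe path, and that the server's handle comes from CreateNamedPipe after ConnectNamedPipe, are assumptions.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

static class PipeSqos
{
    // Security Quality of Service bits carried in CreateFile's dwFlagsAndAttributes.
    // SECURITY_SQOS_PRESENT must be set for the other SQOS bits to take effect.
    const uint SECURITY_SQOS_PRESENT     = 0x00100000;
    const uint SECURITY_IDENTIFICATION   = 0x00010000; // server may identify the client only
    const uint SECURITY_IMPERSONATION    = 0x00020000; // server may act as the client on this machine
    const uint SECURITY_CONTEXT_TRACKING = 0x00040000; // dynamic tracking; omitted = static (the default)
    const uint GENERIC_READ = 0x80000000, GENERIC_WRITE = 0x40000000, OPEN_EXISTING = 3;

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern SafeFileHandle CreateFile(string name, uint access, uint share, IntPtr sa,
                                            uint disposition, uint flagsAndAttrs, IntPtr template);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool ImpersonateNamedPipeClient(SafeFileHandle pipe);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool RevertToSelf();

    // Client side: open the pipe and choose the tracking mode the server will observe.
    // A client that only needs the server to know who it is should pass
    // SECURITY_IDENTIFICATION instead of SECURITY_IMPERSONATION to limit what the server can do.
    public static SafeFileHandle OpenPipe(string path, bool dynamicTracking)
    {
        uint sqos = SECURITY_SQOS_PRESENT | SECURITY_IMPERSONATION
                  | (dynamicTracking ? SECURITY_CONTEXT_TRACKING : 0u);
        SafeFileHandle h = CreateFile(path, GENERIC_READ | GENERIC_WRITE, 0, IntPtr.Zero,
                                      OPEN_EXISTING, sqos, IntPtr.Zero);
        if (h.IsInvalid) throw new Win32Exception(); // carries GetLastError
        return h;
    }

    // Server side: serverEnd is the handle from CreateNamedPipe after ConnectNamedPipe (assumed).
    // ImpersonateNamedPipeClient fails until the client has written to the pipe.
    // Returns the identity the thread ran as while impersonating.
    public static string RunAsClient(SafeFileHandle serverEnd, Action work)
    {
        if (!ImpersonateNamedPipeClient(serverEnd)) throw new Win32Exception();
        try
        {
            string who = WindowsIdentity.GetCurrent().Name; // client's identity, not the server's
            work();
            return who;
        }
        finally
        {
            // Never keep serving other clients on a thread that still holds this token.
            if (!RevertToSelf()) Environment.FailFast("RevertToSelf failed");
        }
    }
}
```

Example usage: `PipeSqos.OpenPipe(@"\\.\pipe\example", dynamicTracking: true)` on the client, and `PipeSqos.RunAsClient(serverEnd, () => DoWorkAsClient())` on the server after the client's first write.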
Additional query words: Impersonate Pipe Context Static Dynamic
Keywords : kbnetwork kbAPI kbIPC kbKernBase kbPipes kbSDKPlatform kbGrpDSNet kbGrpDSKernBase
Issue type :
Technology : kbAudDeveloper kbWin32sSearch kbWin32API
Last Reviewed: October 27, 2000