2.2.1.1.10 Transport-Layer Impersonation Level

Some RPC transports have the capability to send the identity of the client with the request to the server. For details on how this information is used by the RPC transport, see the documentation for the RPC transport.

Client implementations of these extensions MUST support the following impersonation levels. These impersonation levels allow protocols above RPC to control which capabilities of the client's identity are made available to the server. If the higher-level protocol does not provide any value for this impersonation level, implementations of these extensions MUST allow the underlying RPC transport to choose the default value.

Currently the only RPC transport listed in section 2.1 that is capable of sending the impersonation level to the server is SMB (ncacn_np). For more on how this information is used by SMB, see the description of impersonation level in [MS-CIFS] section 2.2.4.64.

Value                     Meaning

SECURITY_ANONYMOUS        The server cannot obtain identification information about the client, and it cannot impersonate the client.

SECURITY_IDENTIFICATION   The server can obtain information about the security context of the client but cannot impersonate the client's security context.

SECURITY_IMPERSONATION    The server can impersonate the client's security context on the server system but cannot make requests to remote machines using the client's security context.

SECURITY_DELEGATION       The server can impersonate the client's security context on the server system and can make requests to remote machines using the client's security context.

Although SECURITY_IMPERSONATION and SECURITY_DELEGATION are permitted values and MAY be specified on either the client or server when the authentication context is negotiated, it is up to the higher-level protocol to interpret the resultant impersonation level (which can be different from what the client or server specified) and perform impersonation or delegation as needed.<23>
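The following Python is an added example, not part of [MS-RPCE] or of any Microsoft implementation. It models both sides of the ncacn_np case: the client encodes the level it wants into the ImpersonationLevel field of the SMB_COM_NT_CREATE_ANDX request that opens the pipe (field layout per [MS-CIFS] section 2.2.4.64), and the server gates each use of the client's security context on the resultant level, not on the value the client asked for. The numeric encoding 0..3 follows the SECURITY_IMPERSONATION_LEVEL enumeration order and is an assumption of the example; the pipe name, DesiredAccess mask and other header fields are constructed sample values.

```python
import struct
from enum import IntEnum


class ImpersonationLevel(IntEnum):
    """Transport-layer impersonation levels from this section. The numeric
    encoding (0..3) follows the SECURITY_IMPERSONATION_LEVEL enumeration
    order and is an assumption of this example, not stated on the page."""
    SECURITY_ANONYMOUS = 0
    SECURITY_IDENTIFICATION = 1
    SECURITY_IMPERSONATION = 2
    SECURITY_DELEGATION = 3


# SMB_COM_NT_CREATE_ANDX request parameter block ([MS-CIFS] section 2.2.4.64),
# little-endian, counted from the WordCount byte:
#   WordCount(1) AndXCommand(1) AndXReserved(1) AndXOffset(2) Reserved(1)
#   NameLength(2) Flags(4) RootDirectoryFID(4) DesiredAccess(4)
#   AllocationSize(8) ExtFileAttributes(4) ShareAccess(4)
#   CreateDisposition(4) CreateOptions(4) ImpersonationLevel(4) SecurityFlags(1)
_NT_CREATE_ANDX_FMT = "<BBBHBHIIIQIIIIIB"
NT_CREATE_ANDX_WORD_COUNT = 24  # 48 bytes of parameters follow WordCount
IMPERSONATION_LEVEL_OFFSET = struct.calcsize(_NT_CREATE_ANDX_FMT) - 1 - 4  # == 44


def build_nt_create_andx(pipe_name: bytes, level: ImpersonationLevel) -> bytes:
    """Client side: constructed sample request opening a named pipe with the
    given impersonation level (DesiredAccess and pipe name are sample values)."""
    name = pipe_name + b"\x00"
    params = struct.pack(
        _NT_CREATE_ANDX_FMT,
        NT_CREATE_ANDX_WORD_COUNT,
        0xFF,           # AndXCommand: no chained command
        0,              # AndXReserved
        0,              # AndXOffset
        0,              # Reserved
        len(name),      # NameLength
        0,              # Flags
        0,              # RootDirectoryFID
        0x0012019F,     # DesiredAccess: sample read/write mask for a pipe
        0,              # AllocationSize
        0x80,           # ExtFileAttributes: FILE_ATTRIBUTE_NORMAL
        0x3,            # ShareAccess: read | write
        0x1,            # CreateDisposition: FILE_OPEN
        0x40,           # CreateOptions: FILE_NON_DIRECTORY_FILE
        int(level),     # ImpersonationLevel: the field this section is about
        0,              # SecurityFlags
    )
    # ByteCount, then the pipe name (OEM string in this sample).
    return params + struct.pack("<H", len(name)) + name


def requested_level(request: bytes) -> ImpersonationLevel:
    """Server side: read the level the client asked for. Values outside the
    four defined levels are rejected rather than silently mapped to a default."""
    if len(request) < IMPERSONATION_LEVEL_OFFSET + 4 or request[0] != NT_CREATE_ANDX_WORD_COUNT:
        raise ValueError("not an NT_CREATE_ANDX parameter block")
    (raw,) = struct.unpack_from("<I", request, IMPERSONATION_LEVEL_OFFSET)
    try:
        return ImpersonationLevel(raw)
    except ValueError:
        raise ValueError(f"unknown impersonation level {raw:#x}") from None


def server_may(resultant: ImpersonationLevel, action: str) -> bool:
    """What the server may do with the client's security context, decided on
    the level that resulted from negotiation, never on the requested value
    (the two can differ)."""
    if action == "identify":        # obtain the client's identity
        return resultant >= ImpersonationLevel.SECURITY_IDENTIFICATION
    if action == "impersonate":     # act as the client on this machine only
        return resultant >= ImpersonationLevel.SECURITY_IMPERSONATION
    if action == "delegate":        # act as the client toward remote machines
        return resultant == ImpersonationLevel.SECURITY_DELEGATION
    raise ValueError(f"unknown action {action!r}")


if __name__ == "__main__":
    req = build_nt_create_andx(b"\\PIPE\\srvsvc", ImpersonationLevel.SECURITY_DELEGATION)
    asked = requested_level(req)
    # Suppose the transport reports a lower resultant level than was requested.
    granted = ImpersonationLevel.SECURITY_IMPERSONATION
    print(f"client requested {asked.name}, resultant {granted.name}")
    for action in ("identify", "impersonate", "delegate"):
        print(f"  {action:<12} {'allowed' if server_may(granted, action) else 'refused'}")
```

The point of keeping `requested_level` and `server_may` separate is the one this section makes: the value parsed from the request is only what the client wanted, and a server that authorizes delegation from it, rather than from the level the transport actually negotiated, grants more than the client's credentials permit.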

Note: These transport-layer impersonation levels are separate from the ones specified in section 2.2.1.1.9 in the sense that they are specified separately by an application. Although the security meanings are the same (except that an anonymous level is not supported in section 2.2.1.1.9), the security is applied at different layers: for example, by the transport provider versus the security provider chosen by the application.