Impersonation is the ability of a thread to execute in a security context that is different from the context of the process that owns the thread. When running in the client's security context, the server 'is' the client, to some degree. See https://docs.microsoft.com/en-us/windows/win32/com/impersonation-levels
Original | Mapped | Description |
---|---|---|
%%1831 | XDM_CONST.LOGON_IMPERSONATION_LEVEL_ANONYMOUS | The client is anonymous to the server. The server process can impersonate the client, but the impersonation token does not contain any information about the client. This level is only supported over the local interprocess communication transport. All other transports silently promote this level to identify. |
%%1832 | XDM_CONST.LOGON_IMPERSONATION_LEVEL_IDENTIFICATION | The system default level. The server can obtain the client's identity, and the server can impersonate the client to do ACL checks. |
%%1833 | XDM_CONST.LOGON_IMPERSONATION_LEVEL_IMPERSONATION | The server can impersonate the client's security context while acting on behalf of the client. The server can access local resources as the client. If the server is local, it can access network resources as the client. If the server is remote, it can access only resources that are on the same computer as the server. |
%%1840 | XDM_CONST.LOGON_IMPERSONATION_LEVEL_DELEGATION | The most powerful impersonation level. When this level is selected, the server (whether local or remote) can impersonate the client's security context while acting on behalf of the client. During impersonation, the client's credentials (both local and network) can be passed to any number of computers. |
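
The following is an added example, not part of the original page or of any product code. It applies the mapping above to Windows Security logon events and lists logons at or above a chosen level for review. It assumes the raw `%%18xx` value arrives in the `ImpersonationLevel` data field of event 4624 XML and treats the table's row order as weakest to strongest; the events and user names are constructed samples.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Raw codes -> mapped constants, copied from the table above.
LEVELS = {
    "%%1831": "XDM_CONST.LOGON_IMPERSONATION_LEVEL_ANONYMOUS",
    "%%1832": "XDM_CONST.LOGON_IMPERSONATION_LEVEL_IDENTIFICATION",
    "%%1833": "XDM_CONST.LOGON_IMPERSONATION_LEVEL_IMPERSONATION",
    "%%1840": "XDM_CONST.LOGON_IMPERSONATION_LEVEL_DELEGATION",
}
# Assumption: table order is used as a rank (anonymous lowest, delegation highest).
RANK = {name: i for i, name in enumerate(LEVELS.values())}

def normalize(event_xml):
    """Return (user, mapped_level); mapped_level is None for '-' or unknown codes."""
    root = ET.fromstring(event_xml)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("./e:EventData/e:Data", NS)}
    raw = data.get("ImpersonationLevel", "")
    return data.get("TargetUserName", ""), LEVELS.get(raw)

def at_or_above(events, floor):
    """List (user, level) for logons whose level is at least `floor`."""
    hits = []
    for event_xml in events:
        user, level = normalize(event_xml)
        if level is not None and RANK[level] >= RANK[floor]:
            hits.append((user, level))
    return hits

def sample_event(user, raw_level):
    """Build a minimal, constructed 4624-style event (not real log data)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>4624</EventID></System><EventData>"
        f'<Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="ImpersonationLevel">{raw_level}</Data>'
        "</EventData></Event>"
    )

SAMPLES = [sample_event("alice", "%%1833"), sample_event("svc-web", "%%1840"),
           sample_event("bob", "%%1832"), sample_event("legacy", "-")]

if __name__ == "__main__":
    floor = "XDM_CONST.LOGON_IMPERSONATION_LEVEL_DELEGATION"
    for user, level in at_or_above(SAMPLES, floor):
        print(user, level)
```

Events whose field is `-` or carries a code outside the table are returned with `None` rather than being guessed at, so they can be counted separately.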