impersonation

Impersonation is, generally, a mechanism for supporting client/server communication.

What is Impersonation?

Generally, a mechanism for supporting client/server communication. In Microsoft Windows NT and Windows 2000, impersonation is a method that a server uses to determine whether a client has sufficient rights to access a resource.

How It Works

Impersonation involves temporarily altering the security context of the server so that it matches that of the client. When the client attempts a connection to a resource on the server, it tells the server the impersonation level that the server can use to service the client’s request. The client can offer four impersonation levels:

  • Anonymous:
    The server does not receive any information about the security context of the client.

  • Identification:
    The server can authenticate the client but cannot use the security context of the client for performing access checks.

  • Impersonation:
    The server can both authenticate the client and use the client’s security context to perform access checks.

  • Delegation:
    The server authenticates the client and passes the client’s security context to a remote server on the client’s behalf. Delegation is not supported by the NTLM authentication method of Windows NT Server, but delegation is supported by the Kerberos authentication method of Windows 2000.
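The following is an added example, not part of the original entry, written in PowerShell 5.1 for Windows. It shows the mechanism described above on a local named pipe: the client picks the impersonation level when it connects, and the server, after reading from the pipe, temporarily adopts the client’s security context and inspects what it was granted. The pipe name, the function name and the file used for the access check are constructed for the example.

```powershell
# Added example (not from the original entry): a named-pipe client chooses the
# impersonation level; the server impersonates the client and reports the result.
# Requires Windows PowerShell 5.1 (System.IO.Pipes from the .NET Framework).
Add-Type -AssemblyName System.Core

function Invoke-PipeImpersonationDemo {
    param(
        # Level the client offers: Anonymous, Identification, Impersonation or Delegation.
        [Parameter(Mandatory)]
        [System.Security.Principal.TokenImpersonationLevel]$Level,
        # Constructed pipe name; any unused name works.
        [string]$PipeName = "ImpersonationDemo_$PID"
    )

    $server = New-Object System.IO.Pipes.NamedPipeServerStream(
        $PipeName, [System.IO.Pipes.PipeDirection]::InOut, 1,
        [System.IO.Pipes.PipeTransmissionMode]::Byte,
        [System.IO.Pipes.PipeOptions]::Asynchronous)
    # The last constructor argument is where the client states the impersonation
    # level the server is allowed to use for this connection.
    $client = New-Object System.IO.Pipes.NamedPipeClientStream(
        '.', $PipeName, [System.IO.Pipes.PipeDirection]::InOut,
        [System.IO.Pipes.PipeOptions]::None, $Level)
    try {
        $pending = $server.WaitForConnectionAsync()
        $client.Connect(5000)
        $pending.Wait()

        # The server must have read data from the client before it may impersonate;
        # ImpersonateNamedPipeClient fails with ERROR_CANNOT_IMPERSONATE otherwise.
        $client.WriteByte(1); $client.Flush()
        $null = $server.ReadByte()

        $result = [ordered]@{ Requested = $Level; Granted = $null; FileAccess = $null }

        # RunAsClient runs the script block with the server thread temporarily
        # holding the client's security context, then reverts to the server's own.
        $server.RunAsClient({
            $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
            $result.Granted = $identity.ImpersonationLevel
            try {
                # A real access check against a securable object. The token is only
                # usable for access checks at Impersonation level or above; a lower
                # level lets the server see who the client is but not act as it.
                [void][System.IO.File]::ReadAllText("$env:windir\win.ini")
                $result.FileAccess = 'allowed'
            } catch {
                $result.FileAccess = 'refused: ' + $_.Exception.GetBaseException().Message
            }
        })
        [pscustomobject]$result
    } finally {
        $client.Dispose()
        $server.Dispose()
    }
}

# Usage: compare what the server can do with each level the client offers.
Invoke-PipeImpersonationDemo -Level Identification
Invoke-PipeImpersonationDemo -Level Impersonation
```

With Identification the server learns the client’s identity (the granted level is reported as Identification) but the file open inside the impersonated block is refused, which is exactly the distinction the list above draws; with Impersonation the same open is decided against the client’s security context and succeeds for a client that may read the file. Because client and server here run in the same process as the same user, the identity the server sees is its own, but the level that governs what it may do with that token still comes from the client’s request.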

An example of impersonation occurs when anonymous access is enabled on a Web site hosted on Internet Information Services (IIS). Anonymous access uses the IUSR_ComputerName anonymous account on the IIS server, which is part of the Guests local group.

If an IIS machine receives a Hypertext Transfer Protocol (HTTP) request from a remote Web browser, IIS impersonates the IUSR_ComputerName account so that it can allow the remote client to access the requested files or run the requested application.

Because the request runs with the limited rights of that account rather than those of the server, this prevents the remote client from accessing system files on the IIS machine.