Impersonation and Delegation in COM+

Impersonation is the process by which a server makes a call on behalf of a client and presents the client's identity and credentials in place of its own when making the call. In some circumstances, a server needs to present a client's identity to resources it accesses on the client's behalf, usually to cause access checks or authentication to be performed against the client's identity.

Using impersonation ensures that the server can do precisely what the client can do. Access to resources may be either restricted or expanded, depending on what the client has permission to do.

You might choose to have a server impersonate a client when connecting to a database so that the database can authenticate and authorize the client for itself. Or, if your application accesses files that are protected with a security descriptor, the application can impersonate the client before accessing the files, so that the client obtains access only to the information in those files that it is authorized to see.

When a COM+ application makes a call to another application or resource, it expresses an impersonation level. For COM+ server applications, you can set an impersonation level administratively. COM+ library applications cannot set their own impersonation level; they use that of the host process instead.
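As an added example (not part of the original page), the following PowerShell script reads the impersonation level configured for each COM+ application through the COM+ Admin catalog and shows how to change it for one named server application. It assumes the COMAdmin.COMAdminCatalog COM class, its "Applications" collection with the "Name", "Activation" and "ImpersonationLevel" properties, and that the activation value 0 denotes a library application; run it in an elevated PowerShell on the machine that hosts the applications.

```powershell
# Added example, not from the original page. Assumptions: the
# COMAdmin.COMAdminCatalog class, its "Applications" collection and the
# "Name", "Activation" and "ImpersonationLevel" properties; Activation 0 is
# taken to mean a library (in-process) application. Run elevated.

# Catalog values 1..4 map to the COM+ impersonation levels in this order.
$LevelNames = @('', 'Anonymous', 'Identify', 'Impersonate', 'Delegate')

function Get-ComPlusImpersonationLevel {
    # Lists every COM+ application with its configured level and flags
    # server applications set to Delegate, the most powerful setting.
    $catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
    $apps = $catalog.GetCollection('Applications')
    $apps.Populate()
    foreach ($app in $apps) {
        $level = [int]$app.Value('ImpersonationLevel')
        # A library application runs inside the caller's process and uses
        # the host process's level, so its own setting has no effect.
        $isLibrary = ([int]$app.Value('Activation') -eq 0)
        [pscustomobject]@{
            Name  = [string]$app.Value('Name')
            Type  = if ($isLibrary) { 'Library' } else { 'Server' }
            Level = $LevelNames[$level]
            Note  = if (-not $isLibrary -and $level -eq 4) { 'Delegate: review delegation settings in Active Directory' } else { '' }
        }
    }
}

function Set-ComPlusImpersonationLevel {
    # Sets the level of one named server application, for example back to
    # 'Impersonate' when it has no need to act for the client remotely.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('Anonymous', 'Identify', 'Impersonate', 'Delegate')][string]$Level
    )
    $catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
    $apps = $catalog.GetCollection('Applications')
    $apps.Populate()
    $target = $null
    foreach ($app in $apps) {
        if ([string]$app.Value('Name') -eq $Name) { $target = $app }
    }
    if (-not $target) { throw "COM+ application '$Name' not found" }
    $target.Value('ImpersonationLevel') = [array]::IndexOf($LevelNames, $Level)
    [void]$apps.SaveChanges()   # commits the change to the catalog
}

Get-ComPlusImpersonationLevel | Format-Table -AutoSize
```

Changing a level through Set-ComPlusImpersonationLevel takes effect for new activations of the application; verify with Get-ComPlusImpersonationLevel afterwards.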

Administrative Requirements for Delegate-Level Impersonation

Delegation is server impersonation of a client over the network; that is, the application, as a server, is making calls to other applications on remote machines and using the client's identity with the client's permission. Because this is a very powerful level of authority to grant an application, with potential security risks, the behavior of delegation is controlled administratively through the Active Directory service. When a client application is granting a server permission to do delegate-level impersonation, the following two requirements must be met for it to work:

For a description of impersonation levels, see Impersonation Level.

For step-by-step instructions on setting the impersonation level of COM+ server applications, see Setting an Impersonation Level in COM+.

For step-by-step instructions on configuring delegation in Active Directory, see Configuring an Account for Delegation Using Active Directory.