Impersonation Question


I have a fairly complicated impersonation scenario that I was hoping to get some help on. My system has the following components:

  1. An application running in the context of the logged on user.
  2. A service running as system.
  3. A file system filter driver.

The application and service talk to each other over a named pipe.

During 1 scenario, the following happens:

  1. The service impersonates the application using the NamedPipeServerStream.RunAsClient method (.NET). I’m assuming this basically calls ImpersonateNamedPipeClient (WIN32).
  2. The service then starts making file system calls which are handled by my filter. The filter needs to store the credentials for later use, so it calls SeCreateClientSecurity(). Because some of these requests that come later might be over the network, I specify ServerIsRemote = TRUE. I assume this is correct.

The problem is that this fails because the pipe impersonation routine is not impersonating at the delegation level.

So, my Q: What is the best way of handling this?

  1. Is there a way in the kernel coerce the existing token into being usable for remote operations?

  2. Is there a way to get the pipe impersonation to use the delegation level?

  3. Or should I just roll my own and have the service manually impersonate the client at delegation level.


Follow on questions:

  1. What is the difference between PsImpersonateClient and SeImpersonateClientEx.
  2. If a thread is already impersonating via the named pipe impersonation code, can I just reference the impersonation token using PsReferenceImpersonationToken, and then at a later time use PsImpersonateClient to access a remote resource?