What does "impersonation failed to activate for current user" mean?

KapsZ28

Long story short, I am working with a third party vendor for encryption software that is not working correctly. The error message, "impersonation failed to activate for current user", shows up in the log file and they keep blaming that as the issue and asking me if I have admin rights on the computer. And yes, I have admin rights.

What I am trying to understand is, what does "impersonation failed to activate for current user" even mean? I see all different issues on the Internet with this error message, but I don't really understand what impersonation is other than the dictionary definition.
 
Impersonation within Windows is gaining privileged access of another user. This user could be a normal user, admin, service accounts or system accounts. Are you running this on Windows 7? If so, do you have UAC on?
 
Windows XP.

Basically their encryption software stops our CD-ROM drives from working. Part of the problem is we have a security policy for "allocatecdroms=1" which means "Only the user logged on locally can gain access to data on the compact discs in the CD-ROM drive."

Maybe the problem is the impersonation is trying to run using another account other than the logged on user?

It seems like that would make sense why it is failing. If the software is trying to use a different account, or even modify the existing account, the security policy ends up rejecting it because it doesn't see the action happening from the locally logged on user.

Does that seem to make sense?
 
Yeah, the CD-ROM access is based on interactive (local) user access when the security policy is turned on. If it's trying to work around the security policy, the impersonation will fail.

If you temporarily disable it & the app works, this would be the issue. I'm not sure what user account it's trying to impersonate though...
 
I'll have to check with the software vendor, but at least this issue is starting to make more sense.
 
Ok, so this is what I got back from Credant Support about their software and impersonation.

"The CMG and EMS services run as SYSTEM. It is required to “impersonate” the current logged in user to gain access to user specific data such as the location of their “My Documents” or to get around GPO restrictions that only allow interactive users access to external media."

So if it is trying to impersonate the locally logged in user, then why would it fail?
 
Anything in the logs for the services not starting properly? And are you talking Windows event log or a log the software generates?
 
The log files generated by the software are what state the impersonation failed. All the services start properly, but I have a theory that the CD-ROM drive is not ready when the EMS service starts and it ends up blocking access to the drive because it doesn't register properly. Although, I don't know why the impersonation would fail if it is only impersonating the logged on user. Unless that also has to do with the CD-ROM drive not being ready. I tried adding a couple of dependencies to the EMS service, but that didn't help and according to the software vendor, there is no way to delay the EMS service at startup.

For at least 6 weeks now I have been sending them log files after log files and they haven't really come up with anything. The old version of their software works fine, but can't be used on newer computers with Core I processors. So we have been forced to use newer software which works differently, or should I say, doesn't work right.
 