Protocol transition is a new feature that's been added to Windows Server 2003 domains. Put bluntly, it allows certain designated servers to establish logon sessions with valid Kerberos credentials for an arbitrary domain user without knowing that user's password! As I showed in Item 26, if you're one of these designated servers, you can create a WindowsIdentity for a user, with a real token (Item 16) and logon session (Item 17) behind it. Simply use the WindowsIdentity constructor that takes a single string argument, the user's account name—technically the user principal name (UPN) for the account, which is typically the user's e-mail address.

There are a couple of scenarios where this can be helpful. The ...