3.54. AFS Authentication Groups

When the OpenAFS Service is configured as an SMB Gateway, all AFS Tokens are associated with Windows user names. With the IFS redirector driver, tokens are instead associated with Authentication Groups. By default, an Authentication Group is allocated for each User SID and Logon Session ID combination. In addition, processes can create additional Authentication Groups. Each thread in a process can select an Authentication Group within the process as the active Authentication Group.

One of the significant benefits of Authentication Groups within the Windows environment is that Windows services (svchost.exe, csrss.exe, etc.) that impersonate user processes will seamlessly gain access to the user's AFS credentials for the lifetime of the impersonation.