Normally, impersonation takes place when the server calls either the IServerSecurity::ImpersonateClient method (or the CoImpersonateClient function). However, if you want impersonation to take place before each call to your application, you should set the EOAC_AUTO_IMPERSONATION flag in the dwCapabilities parameter in your call to CoInitializeSecurity. The dwAuthn parameter must not be RPC_C_AUTHN_LEVEL_NONE when auto-impersonation is set.
Because auto-impersonation is a server-side feature, if the client sets the impersonation level to RPC_C_IMP_LEVEL_NONE when auto-impersonation is set, the call from the client to the server will fail.
If the client sets the impersonation level to RPC_C_IMP_LEVEL_IDENTIFY when auto-impersonation is set, the call from the client to the server will succeed, but any reference to a securable object will fail. Because interface marshalling accesses the registry (which is a securable object), interface marshalling will fail -- and as a result, all calls that pass interfaces will fail.
Basically, when the server indicates the need to impersonate but the client does not let him, the call cannot succeed.