No logon SID in access token coming from SSPI impersonation



It seems there is no logon SID in access token that come from an
SSPI/Kerberos impersonation.

The context: My programs [client/server] uses SSPI API for
impersonation. The SSPI part works well, both
InitializeSecurityContext() and AcceptSecurityContext() return
SEC_E_OK, and I can impersonate and act as the authenticated user on
server side. Now I want retrieve the logon SID of authenticated user:

So I use:
ImpersonateSecurityContext()
OpenThreadToken()

to retrieve authenticated user's impersonation access token.

Then I use:
DuplicateTokenEx()

to retrieve authenticated user's primary access token.
[This token is smart enough to be used in CreateProcessAsUser() and
that CreateProcessAsUser() call succeed, so it's a good strong primary
access token]

Then I use GetLogonSID from [1] to get logon SID referred by this
access token. But none element in TokenGroup's access token is of type
SE_GROUP_LOGON_ID. Thus no logon SID in this access token... and
GetLogonSID() call failed...

Display the logon session with 'logonsessions' tools give me:

C:\> logonsessions
[...]
[8] Logon session 00000000:01afaf46:
User name: STRASBOURG\user
Auth package: Kerberos
Logon type: Network
Session: 0
Sid: S-1-5-21-625047747-450033616-3515863536-1114
Logon time: 1/4/2007 11:27:06 AM
Logon server:
DNS Domain:
UPN:

Thus I have several question:

o I'm wrong doing that way or not?

o Is it possible that some kind of logon session doesn't have logon
SID? [For example non-interactive authentication logon session as
SSPI/Kerberos can do]

I cannot find any documentation focused on that point and all examples
I have found use LogonUser() or assimilate functions to retrieve access
token...

o Can we set a logon SID to an access token? Is it a good way?

o Are there other ways to find the logon SID of a logon session?

Thank

[1] Getting the Logon SID in C++:
http://msdn2.microsoft.com/en-us/library/aa446670.aspx

.