See the question and my original answer on StackOverflow

If the user you want to impersonate is already logged on the machine (for example in another session), here is an answer: Is it possible for a Windows service impersonate a user without a password?

If he's not, you'll have to provide a password to LogonUser. And this password will have to reside at least a small amount of time, as is, in memory because that's the way LogonUser is defined. Note not all auth packages require passwords (like biometrics or smart card: Windows Authentication Overview).

So if you really want impersonation, somewhere you'll have to pass a password around. In this case make sure you use postlagerkarte's code from Microsoft for this: Marshal.SecureStringToGlobalAllocUnicode Method sample code

You can't really do much more.