diff --git a/src/WINNT/afsd/smb_ioctl.c b/src/WINNT/afsd/smb_ioctl.c
index 85216ffd47..9f38eb88f9 100644
--- a/src/WINNT/afsd/smb_ioctl.c
+++ b/src/WINNT/afsd/smb_ioctl.c
@@ -1032,7 +1032,7 @@ smb_IoctlSetToken(struct smb_ioctl *ioctlp, struct cm_user *userp, afs_uint32 pf
         uname = cm_ParseIoctlStringAlloc(&ioctlp->ioctl, tp);
         tp += strlen(tp) + 1;
 
-        if ((pflags & AFSCALL_FLAG_LOCAL_SYSTEM) && (flags & PIOCTL_LOGON)) {
+        if (flags & PIOCTL_LOGON) {
             /* SMB user name with which to associate tokens */
             smbname = cm_ParseIoctlStringAlloc(&ioctlp->ioctl, tp);
             osi_Log2(smb_logp,"cm_IoctlSetToken for user [%S] smbname [%S]",
@@ -1051,6 +1051,11 @@ smb_IoctlSetToken(struct smb_ioctl *ioctlp, struct cm_user *userp, afs_uint32 pf
             code = CM_ERROR_INVAL;
             goto done;
         }
+
+        if (!(pflags & AFSCALL_FLAG_LOCAL_SYSTEM) && (flags & PIOCTL_LOGON)) {
+            code = CM_ERROR_NOACCESS;
+            goto done;
+        }
     } else {
         cellp = cm_data.rootCellp;
         osi_Log0(smb_logp,"cm_IoctlSetToken - no name specified");
@@ -1100,6 +1105,8 @@ smb_IoctlSetToken(struct smb_ioctl *ioctlp, struct cm_user *userp, afs_uint32 pf
     cm_ResetACLCache(cellp, userp);
 
   done:
+    SecureZeroMemory(sessionKey, sizeof(sessionKey));
+
     if (release_userp)
 	cm_ReleaseUser(userp);