Current bits of Geneva framework shipped with a service known as Microsoft "Geneva" Claims To NT Token Service. This service can be used to get a Kerberos token for a user without requiring its password. Windows Server 2003 added a little known extension to Kerberos known as Service-4-User (S4U) and this service internally uses this feature to get a Kerberos token.
S4U tokens usually have some special restriction to avoid their misuse. So if service is not running under LocalSystem account then the returned token will only have impersonation level of Identify, so you can query the returned token for group information etc but you cannot impersonate it to open kernel objects etc. However if the caller is running as LocalSystem then LSA returns a token with the impersonation level of Impersonate and you can indeed impersonate the user and access kernel object on his behalf. “Claims To NT Token Service” runs under LocalSystem – so a token acquired using this service can be used to impersonate as well.
This service is actually exposed using a WCF endpoint and as part of Geneva framework you get a proxy client for this service as well. Here is an example of using this proxy client to get a token.
static void Main(string args)
string filePath = @"C:\temp\data.txt";
var wi = S4UClient.UpnLogon("email@example.com");
using (var wic = wi.Impersonate())
data = File.ReadAllText(filePath);