Question: Possible to get a primary token for a user without log on locally or log on through Terminal Services rights?

• Monday, November 02, 2009 4:57 PM, clarkd4
I have an application which depends on SSPI to forward a user's credentials to a remote service -- so it needs to get a primary token with the "delegation" ability. However, the security best practices call for disallowing local or network logins to the machine where my application runs.

I'm using LogonUserEx of course. Is there a way to obtain a handle to a primary token, even for a user who does not have "log on locally" or "log on through Terminal Services"? The documentation states that I can use LOGON32_LOGON_NETWORK to do a network logon, and then call DuplicateTokenEx to create a primary token out of it. However, in my testing the DuplicateTokenEx call succeeds, but the duplicated token is still an impersonation token without delegation ability. I'm testing on Windows Server 2008 SP1, and my application is running as a service with the Act as part of the Operating System right.

The only other workaround I have is to restrict physical access and block RDP ports, but this makes it more difficult for users who really should be allowed to log in and administer the machine.
• Moved by Karel Zikmund MSFT, Monday, November 23, 2009 9:38 AM: Windows API question (From: Common Language Runtime)
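The call sequence the question describes, as an added C# diagnostic that is not code from the original post: it performs the LOGON32_LOGON_NETWORK logon, duplicates the handle as a primary token at SecurityDelegation, and then reports the token type and impersonation level the OS actually returns for each handle, so the "still an impersonation token" observation can be checked directly. It assumes a throwaway test account whose user, domain and password are passed on the command line; note that GetTokenInformation(TokenImpersonationLevel) fails on a primary token, so the type is checked first.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
// Added diagnostic (not from the original post): network logon, duplicate as
// primary/delegation, then describe what kind of token each handle really is.
static class TokenProbe
{
    const int LOGON32_LOGON_NETWORK = 3, LOGON32_PROVIDER_DEFAULT = 0;
    const uint TOKEN_ALL_ACCESS = 0xF01FF;
    const int SecurityDelegation = 3;                                // SECURITY_IMPERSONATION_LEVEL
    const int TokenPrimary = 1;                                      // TOKEN_TYPE
    const int TokenTypeClass = 8, TokenImpersonationLevelClass = 9;  // TOKEN_INFORMATION_CLASS
    static readonly string[] Levels = { "Anonymous", "Identification", "Impersonation", "Delegation" };
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateTokenEx(IntPtr existing, uint access, IntPtr attrs,
                                        int level, int type, out IntPtr newToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, out int value,
                                           int length, out int returned);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Returns "primary" or "impersonation/<level>". Querying the impersonation
    // level of a primary token fails (ERROR_INVALID_PARAMETER), so check type first.
    static string Describe(IntPtr token)
    {
        if (!GetTokenInformation(token, TokenTypeClass, out int type, sizeof(int), out _))
            throw new Win32Exception();
        if (type == TokenPrimary) return "primary";
        if (!GetTokenInformation(token, TokenImpersonationLevelClass, out int level, sizeof(int), out _))
            throw new Win32Exception();
        return "impersonation/" + Levels[level];
    }

    static void Main(string[] args)   // usage: TokenProbe <user> <domain> <password>
    {
        if (!LogonUser(args[0], args[1], args[2], LOGON32_LOGON_NETWORK,
                       LOGON32_PROVIDER_DEFAULT, out IntPtr netToken))
            throw new Win32Exception();
        Console.WriteLine("LogonUser(NETWORK) returned: " + Describe(netToken));
        if (!DuplicateTokenEx(netToken, TOKEN_ALL_ACCESS, IntPtr.Zero,
                              SecurityDelegation, TokenPrimary, out IntPtr dup))
            throw new Win32Exception();
        Console.WriteLine("DuplicateTokenEx(Delegation, Primary) returned: " + Describe(dup));
        CloseHandle(dup);
        CloseHandle(netToken);
    }
}
```

Run it from the same service account and privilege context as the real application, since the token you get back depends on the caller's rights as well as the logon type.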