diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index 1d07e374f..54053dfb5 100644
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -907,8 +907,8 @@ create_token (cygsid &usersid, user_groups &new_groups)
   source.SourceIdentifier.HighPart = 0;
   source.SourceIdentifier.LowPart = 0x0101;
 
-  HANDLE token = INVALID_HANDLE_VALUE;
-  HANDLE primary_token = INVALID_HANDLE_VALUE;
+  HANDLE token = NULL;
+  HANDLE primary_token = NULL;
 
   tmp_pathbuf tp;
   PTOKEN_GROUPS my_tok_gsids = NULL;
@@ -1010,6 +1010,7 @@ create_token (cygsid &usersid, user_groups &new_groups)
 	{
 	  __seterrno ();
 	  debug_printf ("DuplicateTokenEx %E");
+	  primary_token = NULL;
 	}
     }
 
diff --git a/winsup/cygwin/syscalls.cc b/winsup/cygwin/syscalls.cc
index 289f4626f..978bd424e 100644
--- a/winsup/cygwin/syscalls.cc
+++ b/winsup/cygwin/syscalls.cc
@@ -3546,10 +3546,9 @@ seteuid32 (uid_t uid)
 	  if (!(new_token = lsaauth (usersid, groups)))
 	    {
 	      debug_printf ("lsaauth failed, try create_token.");
-	      new_token = create_token (usersid, groups);
-	      if (new_token == INVALID_HANDLE_VALUE)
+	      if (!(new_token = create_token (usersid, groups)))
 		{
-		  debug_printf ("create_token failed, bail out of here");
+		  debug_printf ("create_token failed, bail out");
 		  cygheap->user.reimpersonate ();
 		  return -1;
 		}