diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index fdaaf2b99..2909ce10d 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,3 +1,8 @@
+2008-12-15  Corinna Vinschen  <corinna@vinschen.de>
+
+	* sec_auth.cc (open_local_policy): Set lsa handle to
+	INVALID_HANDLE_VALUE when LsaOpenPolicy fails.  Explain why.
+
 2008-12-15  Corinna Vinschen  <corinna@vinschen.de>
 
 	* setlsapwd.cc (setlsapwd): Simplify code.  Only try to call cygserver
diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index f01abf912..0e2dde689 100644
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -159,7 +159,12 @@ open_local_policy (ACCESS_MASK access)
 
   NTSTATUS ret = LsaOpenPolicy (NULL, &oa, access, &lsa);
   if (ret != STATUS_SUCCESS)
-    __seterrno_from_win_error (LsaNtStatusToWinError (ret));
+    {
+      __seterrno_from_win_error (LsaNtStatusToWinError (ret));
+      /* Some versions of Windows set the lsa handle to NULL when
+         LsaOpenPolicy fails. */
+      lsa = INVALID_HANDLE_VALUE;
+    }
   return lsa;
 }