How to call CreateProcessAsUser with SSPI

0

I am using SSPI to perform single sign-on, which works.

After successful single sign-on I get the user token as follows:

    // Get the access token associated with the established SSPI security context.
    HANDLE tempHandle;
    if (!QuerySecurityContextToken(&tnS->hctxt, &tempHandle))
    {
        MyDbg("SSO: Could not obtain token for user");
    }
    // Duplicate it as a primary token into tnS->htok.
    if (!DuplicateTokenEx(tempHandle, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &tnS->htok))
    {
        MyDbg("SSO: Could not duplicate token");
    }

But later on, when I use this token (tempHandle) in a call to CreateProcessAsUser, the process creation failed with the following error message:

Process has terminated prematurely: ExitCode = 0xC0000142 [{DLL Initialization Failed} Initialization of the dynamic link library %hs failed. The process is terminating abnormally.]

It seems that the token is lacking permissions. I have read that QuerySecurityContextToken returns an impersonation token, which lacks permissions, while LogonUser returns a primary token. I cannot use LogonUser as I do not have the user's password.

How do I get a primary token for the user when using SSPI?

I can call CreateProcessAsUser using the system account, but that is not desired.

c++
windows
permissions
single-sign-on
sspi
asked on Stack Overflow Jun 11, 2020 by ekhanad

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0