If there are stacked impersonations with EXECUTE AS (either as a statement or through the module header), you can only retrieve the current with SYSTEM_USER & co and the original with original_login(). But none of these may be relevant. Consider the case that the middle-tier authenticates the real user, then connects to SQL Server with a proxy login to execute an EXECUTE AS on behalf of the real user (who is a database-only user). Then for some reason there is a module which has EXECUTE AS in the header. Now, we cannot retrieve the original user.