diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c
index 0de9af212..aa5cf0736 100644
--- a/plugins/sudoers/auth/pam.c
+++ b/plugins/sudoers/auth/pam.c
@@ -271,14 +271,15 @@ sudo_pam_end_session(struct passwd *pw, sudo_auth *auth)
 debug_decl(sudo_pam_end_session, SUDO_DEBUG_AUTH)
 if (pamh != NULL) {
-#ifndef NO_PAM_SESSION
 /*
 * Update PAM_USER to reference the user we are running the command
- * as to match the call to pam_open_session().
+ * as, as opposed to the user we authenticated as.
 */
 (void) pam_set_item(pamh, PAM_USER, pw->pw_name);
+#ifndef NO_PAM_SESSION
 (void) pam_close_session(pamh, PAM_SILENT);
 #endif
+ (void) pam_setcred(pamh, PAM_DELETE_CRED);
 status = pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT);
 pamh = NULL;
 }
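Review bot: The new `pam_setcred(pamh, PAM_DELETE_CRED)` call discards its result, and so does the `pam_set_item()` before it, which now decides whose credentials are deleted. If `pam_set_item()` fails, PAM_USER presumably still names the authenticating user, and the delete then runs against that user rather than the run-as user, with nothing logged. I would check both results and report any value other than `PAM_SUCCESS` through the debug log, e.g. `if ((rc = pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT)) != PAM_SUCCESS)`; adding `PAM_SILENT` keeps the call consistent with `pam_close_session()` just above. The hunk does not show whether credentials were established earlier or whether `pw` can be NULL here, which matters more now that `pam_set_item()` is compiled in under `NO_PAM_SESSION` too; the function's start lies outside the hunk.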