To start with, normally you are sandboxed inside the database when you use EXECUTE AS USER, and you cannot access things outside the database. This include linked servers, since they are server objects.
Now, you say that you can actually access the linked server and you also say "same host server". This indicates that the database is marked as trustworthy and the database owner holds the permission AUTHENTICATE SERVER. Which will be the case if the owner is sa
.
Beware that this is potentially a security issue. It is OK if anyone who has elevated permission in the database already is sysadmin
. But if there is a user who is member of db_owner
and who should have no business on server level, this user can exploit this situation to sysadmin
.
As for the linked server, yes, that would be difficult. It would be better if users used EXECUTE AS LOGIN instead. (I assume that they don't run this command directly, but there is an application that issues the command.) That would permit you to set up an explicit login mapping, and it would remove the need for having the database marked as trustworthy.