User.impersonate now requires that the user be a valid user.

These tests weren't using a SecurityRealm that recognizes these user names