Claims to Windows Token Service keeps entering disabled state

On a recent project I was tasked with securing an ASP.NET MVC site using ADFS. There was also a requirement to flow the end-user identity down through the various tiers, necessitating the use of Kerberos Constrained Delegation (KCD). In order to achieve KCD, the SAML assertion returned from ADFS must first be converted to a WindowsIdentity instance, using the Claims to Windows Token Service (C2WTS).

This worked fine but I kept seeing an intermittent error in the MVC site stating:

“The pipe endpoint 'net.pipe://localhost/s4u/022694f3-9fbd-422b-b4b2-312e25dae2a2' could not be found on your local machine.”

I tracked this down to the C2WTS service, which was being shut down, with the following informational messages written to the System event log:

“The Claims to Windows Token Service service entered the stopped state.”

and:

“The start type of the Claims to Windows Token Service service was changed from auto start to disabled.”

Note that there were no obviously related error messages, just these two statements.

I looked around the event logs and found this for the same timestamp:

“The SharePoint Health Analyzer found and fixed the following problem: One or more services have started or stopped unexpectedly.”

Sorry, I probably hadn’t mentioned until now that SharePoint 2010 was also installed on the box … anyway, it appeared that SharePoint was ‘fixing’ a problem for me. This kept me on the path of thinking that there was something wrong with the C2WTS service itself.

However, it transpired that SharePoint was in fact disabling the service because its own configuration said the service should be stopped. Whenever the Health Analyzer saw that this was not the case (because I had re-enabled and started it), SharePoint shut the service down again and set it back to disabled.

In other words, the ‘Central Administration – Services on Server’ page in SharePoint does not just report the current state of the services SharePoint depends on; it also records the state SharePoint expects them to be in, and the Health Analyzer enforces that expected state.

I therefore changed the expected state of the C2WTS service to started within SharePoint, and SharePoint duly started it up.

Finally, there was one more curveball. When SharePoint started the service it also rewrote the C2WTS configuration file so that only members of the WSS_WPG group could call it. The MVC site was entirely separate from SharePoint, so its application pool identity was not in that group, and the C2WTS call still failed (this time with an access denied rather than a missing pipe).

I therefore had to modify the C2WTS configuration file located at ‘C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config’ so that the <allowedCallers> element went from:

<allowedCallers>
    <clear />
    <add value="WSS_WPG" />
</allowedCallers>

to:

<allowedCallers>
    <clear />
    <!--<add value="NT AUTHORITY\Network Service" />
    <add value="NT AUTHORITY\Local Service" />
    <add value="NT AUTHORITY\System" />-->
    <add value="NT AUTHORITY\Authenticated Users" />
</allowedCallers>
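The whole procedure above (confirm what the Service Control Manager logged, tell SharePoint the service is expected to be running, then fix <allowedCallers>) can be scripted. The following is an added example and not from the original post; it assumes the SharePoint 2010 PowerShell snap-in is present on the server, that the service instance's TypeName is 'Claims to Windows Token Service', and that the MVC application pool runs as the hypothetical account CONTOSO\svc-mvcpool. Instead of the broad Authenticated Users entry used above, it adds only that app pool identity: C2WTS hands back a Windows token for whatever UPN an allowed caller asks for, so every account on the box that is permitted to call it can obtain tokens for other users.

```powershell
# Added example (not from the original post). Run elevated on the server that hosts
# both SharePoint 2010 and the MVC site.
$displayName = 'Claims to Windows Token Service'
$cfgPath     = 'C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config'
$appPool     = 'CONTOSO\svc-mvcpool'   # hypothetical MVC app pool identity

# 1. Current service state and start type, plus the SCM events that show who
#    stopped it and changed it to disabled.
$svc = Get-WmiObject Win32_Service -Filter "DisplayName='$displayName'"
"{0}: State={1} StartMode={2}" -f $svc.Name, $svc.State, $svc.StartMode
Get-EventLog -LogName System -Source 'Service Control Manager' -Newest 200 |
    Where-Object { $_.Message -like "*$displayName*" } |
    Select-Object TimeGenerated, Message |
    Format-Table -AutoSize -Wrap

# 2. Set SharePoint's expected state to started; otherwise the Health Analyzer
#    will keep stopping and disabling the service.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$instance = Get-SPServiceInstance -Server $env:COMPUTERNAME |
    Where-Object { $_.TypeName -eq $displayName }   # assumed TypeName
if ($instance -and $instance.Status -ne 'Online') {
    Start-SPServiceInstance -Identity $instance | Out-Null
    "Requested SharePoint to start '$displayName' (was $($instance.Status))."
}

# 3. Add the app pool identity to <allowedCallers> if it is not already there.
$cfg = New-Object System.Xml.XmlDocument
$cfg.PreserveWhitespace = $true
$cfg.Load($cfgPath)
$callers = $cfg.SelectSingleNode('//allowedCallers')
if (-not $callers) { throw "No <allowedCallers> element found in $cfgPath" }

$existing = @($callers.SelectNodes('add') | ForEach-Object { $_.GetAttribute('value') })
"Currently allowed callers: $($existing -join ', ')"

if ($existing -notcontains $appPool) {
    Copy-Item $cfgPath "$cfgPath.bak" -Force          # keep a copy before editing
    $add = $cfg.CreateElement('add')
    $add.SetAttribute('value', $appPool)
    $callers.AppendChild($add) | Out-Null
    $cfg.Save($cfgPath)
    # The service reads its config on start, so restart it to pick up the change.
    Restart-Service -DisplayName $displayName
    "Added '$appPool' to <allowedCallers> and restarted the service."
}
```

Note that SharePoint rewrites this file when it (re)provisions the service instance, so the added entry may need to be re-applied after a farm configuration change; step 3 is idempotent and can simply be re-run.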

Hope this helps.

Brad