Troubleshooting Claims to Windows NT Token Service (c2WTS) in SharePoint 2010 may be difficult if you don’t know where to start


I have been writing some blogs entries (and even a Microsoft KB) about c2WTS, but the subject never exhausts. I was helping two different customers to troubleshoot issues with SharePoint Excel Services. In one of the cases the problem happened randomly and the error message was saying that the request to the external data (SQL) had failed because the request did not include a valid Kerberos header, but no reference to c2WTS in the ULS logs.

The other case was that some users could access Excel Services while others could not, this time there was an error in ULS logs pointing to access denied in c2WTS. Without explaining the internals of these two cases, one can say that in both cases c2WTS was working as expected but some other factor was impairing its use with SharePoint.

Before pointing at c2WTS as culprit of some SharePoint access error, look for these three tags in the ULS logs: g8g7, fvx8 or bz7l in Claims Authentication category (Medium).

This ULS entry would look like this:

07/14/2011 14:33:34.03 w3wp.exe (0x1144)0x1960 SharePoint Foundation Claims Authentication bz7l Medium
SPSecurityContext.WindowsIdentity: Could not retrieve a valid windows identity for NTName=’CONTOSO\jdoed’, UPN=’jdoed@contoso.com’. UPN is required when Kerberos constrained delegation is used. Exception: System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.    Server stack trace:    
at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)   
at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)   
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)   
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)   
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)    Exception rethrown
at [0]:    
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)   
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)   
at Microsoft.IdentityModel.WindowsTokenService.S4UClient.IS4UService_dup.UpnLogon(String upn, Int32 pid)   
at Microsoft.IdentityModel.WindowsTokenService.S4UClient.<>c__DisplayClass1.<UpnLogon>b__0(IS4UService_dup channel)   
at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(Func`2 contractOperation)   
at Microsoft.SharePoint.SPSecurityContext.GetWindowsIdentity().

SharePoint uses c2WTS to transform a claim identity into a valid Windows Identity Token. You cannot (for now) send a request to SQL Server or other data sources passing the claim. So, for internal users in Active Directory the claim will be mapped to a Windows Identity Token and that token will be used to access the resource. Since c2WTS only requires the UPN to generate a token, by default no one can access the service. To allow access you have to edit the .config file to add the groups and users to the allowed callers section.

SharePoint installs c2WTS as part of its pre-requisites as c2WTS is actually part of Windows Identity Foundation SDK. The configuration happens when you add the correspondent service in the farm. If everything is alright the service will be configured to start automatically (read my previous post on dependencies) under SYSTEM\NT AUTHORITY and will add the SharePoint local group WSS_WPG to the list of allowed groups in c2WTS. When adding SharePoint Excel Services, the domain account provided needs to be able to create Windows tokens in the c2WTS machine (the service only works with local requests) and it will be added automatically to WSS_WPG by SharePoint (you don’t have to do this). All this actions are necessary since once accessing the service you can impersonate a user by simply supplying the UPN claim. The input is the UPN string. The return is the (limited) Windows Token or an error.

Testing c2WTS configuration is not possible without some code. You have to be logged (or impersonating) an account that has rights to c2WTS. I suggest the account you used for Excel Services. To test using the same method that SharePoint does, you only need to call this static class in c2WTS:

WindowsIdentity wi = S4UClient.UpnLogon("rviana@contoso.com");

 

This static method will use WCF net.pipe (only local) to communicate with the real c2WTS service (I blogged about net.pipe and real pipes in a previous post). The full test of the complete configuration is a bit more complex. I have put together a sample application to perform all tests I could remember. The App looks like:

 

 

image

 

Quick Instructions:

Start the Application as Administrator. If you want to impersonate Excel Account, change “User Login” to enable the Password field. By default the user will be the account running the application. If you want to continue with the interactive user, you will not need to enter password. For UPN you can enter any valid UPN claim (normally user@domain), if you want to test your own account you can choose to get UPN from logged user. If you want to impersonate another user or test if the current user can obtain tokens, please enter the UPN manually.

Full Result:

Testing Service c2WTS
+- Service c2WTS found
+- Service c2WTS is running
+- Path of service: C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe
+- Config File: C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config
+- Service Logon: SYSTEM\NT AUTHORITY
—– start of config file —-
<?xml version="1.0"?>
<configuration>
  <configSections>
    <section name="windowsTokenService" type="Microsoft.IdentityModel.WindowsTokenService.Configuration.WindowsTokenServiceSection, Microsoft.IdentityModel.WindowsTokenService, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>
  <startup>
    <supportedRuntime version="v4.0" />
    <supportedRuntime version="v2.0.50727" />
  </startup>
  <windowsTokenService>
    <!–
        By default no callers are allowed to use the Windows Identity Foundation Claims To NT Token Service.
        Add the identities you wish to allow below.
      –>
    <allowedCallers>
      <clear />
      <add value="WSS_WPG" />
    </allowedCallers>
  </windowsTokenService>
</configuration>
—–  end of config file  —-
Retrieving security groups/users allowed to use the service from config file
+- WSS_WPG
Trying to login ………
Using current Windows Credentials
c2WTS Service provided a valid Windows Token for: CONTOSO\cpajaro
Now Verifying if user CONTOSO\rviana has rights on c2WTS
+- User CONTOSO\rviana has access rights per group/user WSS_WPG. Other groups will not be checked
*** Analysis Complete ***

 

You can download source and EXE here:

http://rodneyviana.codeplex.com/releases/view/19103

 

Please notice that since this is supposed to mimic SharePoint 2010, the App is 64-bits. Also be aware this application is provided “AS IS” with no guarantees. You need to accept the license to use it.


Comments (36)

  1. feemurk says:

    How do you diagnose failures to call the service?  My user .administrator is a member of WSS_WPG and has local policy settings to act as part of the operating system and impersonate users.  I still get an access denied on the c2WTS service.

    can you point me in the right direction on where i can go to find out more about how to get past this?

    Thank you!

    Testing Service c2WTS

    +- Service c2WTS found

    +- Service c2WTS is running

    +- Path of service: C:Program FilesWindows Identity Foundationv3.5c2wtshost.exe

    +- Config File: C:Program FilesWindows Identity Foundationv3.5c2wtshost.exe.config

    +- Service Logon: SYSTEMNT AUTHORITY

    —– start of config file —-

    <?xml version="1.0"?>

    <configuration>

     <configSections>

       <section name="windowsTokenService" type="Microsoft.IdentityModel.WindowsTokenService.Configuration.WindowsTokenServiceSection, Microsoft.IdentityModel.WindowsTokenService, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

     </configSections>

     <startup>

       <supportedRuntime version="v4.0" />

       <supportedRuntime version="v2.0.50727" />

     </startup>

     <windowsTokenService>

       <!–

           By default no callers are allowed to use the Windows Identity Foundation Claims To NT Token Service.

           Add the identities you wish to allow below.

         –>

       <allowedCallers>

         <clear />

         <add value="WSS_WPG" />

       </allowedCallers>

     </windowsTokenService>

    </configuration>

    —–  end of config file  —-

    Retrieving security groups/users allowed to use the service from config file

    +- WSS_WPG

    Trying to login ………

    Using current Windows Credentials

    ***** c2WTS could not provide a valid Windows Token. Reason: Access is denied.

    Server stack trace:

      at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)

      at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)

      at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)

      at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)

      at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

    Exception rethrown at [0]:

      at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)

      at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)

      at Microsoft.IdentityModel.WindowsTokenService.S4UClient.IS4UService_dup.UpnLogon(String upn, Int32 pid)

      at Microsoft.IdentityModel.WindowsTokenService.S4UClient.<>c__DisplayClass1.<UpnLogon>b__0(IS4UService_dup channel)

      at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(Func`2 contractOperation)

      at c2WTSTest.Form1.button2_Click(Object sender, EventArgs e)

    Now Verifying if user MYWORKLAPTOPAdministrator has rights on c2WTS

    +- User MYWORKLAPTOPAdministrator has access rights per group/user WSS_WPG. Other groups will not be checked

    *** Analysis Complete ***

  2. Hi feemurk,

    You need an AD user from the same domain you want to resolve the UPN and acquire the Windows token. A local user will not do the trick.

    See:

    blogs.msdn.com/…/step-by-step-configuration-of-excel-calculation-services-ecs-when-using-kerberos.aspx

    and:

    msdn.microsoft.com/…/cc949014.aspx

    Let me know if I answered your question.

  3. Dmytro Andriychenko says:

    Dear Rodney,

    Any ideas why c2wts may be tempremental? For me it works for a few minutes after restart and then gets tired, fed up and packs in completely: stop resolving UPNs into valid tockens displaying the error message in your blog. Almost after every restart the behaviour repeats. Any ideas at all will be very much appreciated!

    Thank you,

    Kindest regards,

    Dmytro

    dmytro.andriychenko@sage.com

  4. Dmytro Andriychenko says:

    Dear Rodney,

    Any ideas why c2wts may be tempremental? For me it works for a few minutes after restart and then gets tired, fed up and packs in completely: stop resolving UPNs into valid tockens displaying the error message in your blog. Almost after every restart the behaviour repeats. Any ideas at all will be very much appreciated!

    Thank you,

    Kindest regards,

    Dmytro

    Dmytro.Andriychenko@sage.com

  5. Hi Dmytro,

    If you let me know more details about the problem I might be able to give you some ideas. Is it happening in the same server all the time? Are you using any customization? How are you using c2WTS with SharePoint? Do you have the same application pool identity across all servers? Is it failing when resolving the same UPN?

    What is the stack you are seeing in the ULS logs?

    Thanks,

    Rodney

  6. Thank you ever so much for getting back to me.

    I have a single Sharepoint Application Server, so it is only that one I have ever tested it on. I never tried to test it on any other servers as I did not see the point – happy to do it if it may shed some light on the problem.

    The c2wts is running under an AD user (ADOMAINSA_BI_c2wts) identity with Constraint Kerberos Delegation enabled and "Trusted to Authenticate for Delegation User Access Control" bit set.

    This is the output of your program for the c2wts account trying to resolve my own UPN into a valid tocken (I have removed most of the content of the config file to fit within the post):

    Testing Service c2WTS

    +- Service c2WTS found

    +- Service c2WTS is running

    +- Path of service: C:Program FilesWindows Identity Foundationv3.5c2wtshost.exe

    +- Config File: C:Program FilesWindows Identity Foundationv3.5c2wtshost.exe.config

    +- Service Logon: SA_BI_c2wtsADOMAIN

    *** Service MUST BE 'SYSTEMNT AUTHORITY' ***

    —– start of config file —-

     <allowedCallers>

         <add value="WSS_WPG" />

       </allowedCallers>

    —–  end of config file  —-

    Retrieving security groups/users allowed to use the service from config file

    +- WSS_WPG

    Trying to login ………

    Using provided credentials to login

    ***** c2WTS could not provide a valid Windows Token. Reason: Access is denied.

    Server stack trace:

      at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)

      at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)

      at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)

      at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)

      at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

    Exception rethrown at [0]:

      at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)

      at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)

      at Microsoft.IdentityModel.WindowsTokenService.S4UClient.IS4UService_dup.UpnLogon(String upn, Int32 pid)

      at Microsoft.IdentityModel.WindowsTokenService.S4UClient.<>c__DisplayClass1.<UpnLogon>b__0(IS4UService_dup channel)

      at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(Func`2 contractOperation)

      at c2WTSTest.Form1.button2_Click(Object sender, EventArgs e)

    Now Verifying if user ADOMAINSA_BI_c2wts has rights on c2WTS

    +- User ADOMAINSA_BI_c2wts has access rights per group/user WSS_WPG. Other groups will not be checked

    *** Analysis Complete ***

  7. Hi again, the post seems to be limited to 3kb, so I split the message.

    Sorry I am not quite sure I understand the question of how c2WTS is used within SarePoint – just normal out of the box use to enable delegated authentication for services requiring protocal transition (Excel Services, PowerView agains remote tabular instance, etc).

    Application pool identity is different from C2WTS service identity, but it is teh same for both App server and Web server.

    When the service works, it works for any valid UPN. When it stops working, it also stops working for all of them: this one was easy to test using your absolutely fantastic little app.

    I will post the ULS stack in the next message

  8. This is the error message displayed by PowerView when trying to acccess a tabular instance (most informative part of it):

    Cannot impersonate user for data source 'EntityDataSource'.

    <Message msrs:ErrorCode="rsClaimsToWindowsTokenError" msrs:HelpLink="go.microsoft.com/fwlink xmlns:msrs="http://www.microsoft.com/…/reportingservices">Cannot convert claims identity to windows token.</Message>

  9. This is the ULS entry for the same error in PowerView (similar messages can be seen for ExcelServices Authentication, when they fail, they fail together for the same reason):

    12/06/2012 12:30:14.58 w3wp.exe (0x0AA4)                       0x1850 SharePoint Foundation         Claims Authentication         bz7l Medium  

    SPSecurityContext.WindowsIdentity: Could not retrieve a valid windows identity for NTName='ADOMAINName.Surname', UPN='Name.Surname@ADOMAIN.COM'. UPN is required when Kerberos constrained delegation is used. Exception: System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.    Server stack trace:      at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)     at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)     at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMesage methodCall, ProxyOperationRuntime operation)     at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)    Exception rethrown at [0]:      at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)     at Microsoft.IdentityModel.WindowsTokenService.S4UClient.IS4UService_dup.UpnLogon(String upn, Int32 pid)     at Microsoft.IdentityModel.WindowsTokenService.S4UClient.<>c__DisplayClass1.<UpnLogon>b__0(IS4UService_dup channel)     at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(Func`2 contractOperation)     at Microsoft.SharePoint.SPSecu… c3bc654f-f80b-4670-8a81-c4e2709843f3rityContext.GetWindowsIdentity().; c3bc654f-f80b-4670-8a81-c4e2709843f3

  10. This is the next entry in the log:

    12/06/2012 12:30:14.58 w3wp.exe (0x0AA4)                       0x1850 SQL Server Reporting Services Report Server Web Server       0000 Unexpected

    Throwing Microsoft.ReportingServices.Diagnostics.Utilities.ClaimsToWindowsTokenException: , Microsoft.ReportingServices.Diagnostics.Utilities.ClaimsToWindowsTokenException: Cannot convert claims identity to windows token. —> System.InvalidOperationException: Could not retrieve a valid Windows identity. —> System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.    Server stack trace:      at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)     at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)     at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOpera… tionRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)     at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)    Exception rethrown at [0]:      at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)     at Microsoft.IdentityModel.WindowsTokenService.S4UClient.IS4UService_dup.UpnLogon(String upn, Int32 pid)     at Microsoft.IdentityModel.WindowsTokenService.S4UClient.<>c__DisplayClass1.<UpnLogon>b__0(IS4UService_dup channel)     at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(Func`2 contractOperation)     at Microsoft.SharePoint.SPSecurityContext.GetWindowsIdentity()     — End of inner exception stack trace —     at Microsoft.SharePoint.SPSecurityContext.GetWindowsIdentity()     at Microsoft.ReportingServices.ServiceRuntime.WcfUserContext.GetWindowsIdentity()     — End of inner exception stack trace —; c3bc654f-f80b-4670-8a81-c4e2709843f3

  11. And the next one is this:

    12/06/2012 12:30:14.58 w3wp.exe (0x0AA4)                       0x1850 SQL Server Reporting Services Report Server Processing       0000 Unexpected

    Throwing Microsoft.ReportingServices.ReportProcessing.ReportProcessingException: , Microsoft.ReportingServices.ReportProcessing.ReportProcessingException: Cannot impersonate user for data source 'EntityDataSource'. —> Microsoft.ReportingServices.Diagnostics.Utilities.ClaimsToWindowsTokenException: Cannot convert claims identity to windows token. —> System.InvalidOperationException: Could not retrieve a valid Windows identity. —> System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.    Server stack trace:      at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)     at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)     at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)     at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)    Exception rethrown at [0]:      at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)     at Microsoft.IdentityModel.WindowsTokenService.S4UClient.IS4UService_dup.UpnLogon(String upn, Int32 pid)     at Microsoft.IdentityModel.WindowsTokenService.S4UClient.<>c__DisplayClass1.<UpnLogon>b__0(IS4UService_dup channel)     at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(Func`2 contractOperation)     at Microsoft.SharePoint.SPSecurityContext.GetWindowsIdentity()     — End of inner exception stack trace —     at Microsoft.SharePoint.SPSecurityContext.GetWindowsIdentity()     at Microsoft.ReportingServices.ServiceRuntime.WcfUserContext.GetWindowsIdentity()     — End of inner exception stack trace —     at Microsoft.ReportingServices.ServiceRuntime.WcfUserContext.GetWindowsIdentity()     at Microsoft.ReportingServices.Diagnostics.ImpersonationContext..ctor(UserContext userContext)     at Microsoft.ReportingServices.Diagnostics.DataExtensionConnectionBase.HandleImpersonation(IProcessingDataSource dataSource, DataSourceInfo dataSourceInfo, String datasetName, IDbConnection connection, Action afterImpersonationAction)     — End of inner exception stack trace —; c3bc654f-f80b-4670-8a81-c4e2709843f3

  12. I have replaced the actual user with Name.Surname and domain name with ADOMAIN throughout.

  13. Please let me know if I can provide any more information on the matter.

    Just to add context, this domain was previously running with 2003 DC running at 2000 mixed mode functional level. Then the functional level was increased to 2003, new 2008 R2 DC  was added, synched up with the old DC and then brought to 2008 R2 functional level. After that the old DC was ditched and the new took the IP and the name of the old one.

    I canot tell you if we had the same problem with c2wts throughout this journey, only that we have them now.

    I have followed links on your blog and made sure the Read permission in AD Security settings are set for the users involved for all Authenticated Users, but that did not seem to change anything.

    Any Ideas to try will be very much appreciated, I am a bit stuck, to be honest, not even sure where to keep looking…

    Thank you very much in advance,

    D

  14. Could not really resolve the problem, instead changed the identity of c2wts service back to Local System and reconfigured delegation for the  application server to enable delegation to all the right places. Once there, everything worked a charm. Thanks to Christopher Scolt http://www.scolts.com/?p=56 for a tip on how to reset c2wts identity within SharePoint back to Local System.  Please note, you will then have to actually change the service identity in services.msc and restart c2wts.

  15. Monish says:

    Hello Rodney

    Your utility gave following information:

    Testing Service c2WTS

    +- Service c2WTS found

    +- Service c2WTS is running

    +- Path of service: C:Program FilesWindows Identity Foundationv3.5c2wtshost.exe

    +- Config File: C:Program FilesWindows Identity Foundationv3.5c2wtshost.exe.config

    +- Service Logon: SYSTEMNT AUTHORITY

    —– start of config file —-

    <?xml version="1.0"?>

    <configuration>

     <configSections>

       <section name="windowsTokenService" type="Microsoft.IdentityModel.WindowsTokenService.Configuration.WindowsTokenServiceSection, Microsoft.IdentityModel.WindowsTokenService, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

     </configSections>

     <startup>

       <supportedRuntime version="v4.0" />

       <supportedRuntime version="v2.0.50727" />

     </startup>

     <windowsTokenService>

       <!–

           By default no callers are allowed to use the Windows Identity Foundation Claims To NT Token Service.

           Add the identities you wish to allow below.

         –>

       <allowedCallers>

         <clear />

         <add value="WSS_WPG" />

       </allowedCallers>

     </windowsTokenService>

    </configuration>

    —–  end of config file  —-

    Retrieving security groups/users allowed to use the service from config file

    +- WSS_WPG

    Trying to login ………

    Using current Windows Credentials

    ***** c2WTS could not provide a valid Windows Token. Reason: WTS0003: The caller is not authorized to access the service.

    Server stack trace:

      at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)

      at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)

      at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)

      at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)

      at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

    Exception rethrown at [0]:

      at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)

      at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)

      at Microsoft.IdentityModel.WindowsTokenService.S4UClient.IS4UService_dup.UpnLogon(String upn, Int32 pid)

      at Microsoft.IdentityModel.WindowsTokenService.S4UClient.<>c__DisplayClass1.<UpnLogon>b__0(IS4UService_dup channel)

      at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(Func`2 contractOperation)

      at c2WTSTest.Form1.button2_Click(Object sender, EventArgs e)

    Now Verifying if user DOMAIN/monish has rights on c2WTS

    +- User  DOMAIN/monish has no access to the service

    *** Analysis Complete ***

    I also see that my domain account DOMAIN/monish was not added in WSS_WPG group. What do i need to do to resolve this?

    Thanks

  16. Monish says:

    continued with previous comment:

    Here is the stack trace:

    01/02/2013 11:00:34.17 w3wp.exe (0x0828) 0x2AEC SharePoint Foundation Claims Authentication bz7l Medium

    SPSecurityContext: Could not retrieve a valid windows identity for username 'DOMAINmonish' with UPN 'monishg@microsoft.com'.

    UPN is required when Kerberos constrained delegation is used. Exception: System.ServiceModel.EndpointNotFoundException: The message could not be dispatched because the service at the endpoint address 'net.pipe://localhost/s4u/022694f3-9fbd-422b-b4b2-312e25dae2a2' is unavailable for the protocol of the address.    Server stack trace:      at System.ServiceModel.Channels.ConnectionUpgradeHelper.DecodeFramingFault(ClientFramingDecoder decoder, IConnection connection, Uri via, String contentType, TimeoutHelper& timeoutHelper)     at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper& timeoutHelper)     at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper& timeoutHelper)     at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)     at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)     at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)     at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)     at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)     at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)    Exception rethrown at [0]:      at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)     at Microsoft.IdentityModel.WindowsTokenService.S4UClient.IS4UService_dup.UpnLogon(String upn, Int32 pid)     at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(Func`2 contractOperation)     at Microsoft.SharePoint.SPSecurityContext.GetWindowsIdentity(). a1bef09b-025a-208e-cd5e-4ef6678b6d0d

  17. monish,

    the service is not running in this machine. look for my post on c2wts dependencies.

  18. Monish says:

    Thanks Rodney for the reply.

    But I checked server manager, it shows c2wts is started.

  19. Monish says:

    [adding more detail]

    Thanks Rodney for reply.

    I checked 'Server manager' and verified that c2wts and Cryptographic services both are already running/started.

  20. HI Rodney, Thanks for the post. I used the app to check if another user has rights. I gave his user id, UPN and his password. But got an error " Token cannot be zero"  , while i was the logged in user to the server. What may be wrong? Both of us are part of different domains.

  21. Even though this is the PowerPivot and Excel Services blog, I felt that adding a blog on this common

  22. Even though this is the PowerPivot and Excel Services blog, I felt that adding a blog on this common

  23. Jason Dunbar says:

    Superb write up of a complex problem.

    Thank you very much.

  24. Marcel says:

    It is unclear to me whether  'Claims to Windows Token Service' can run under 'Local System' or whether it needs to be a different AD Account. We get this error in psiGen Migrate step after converting SP 2010 to Claims Based Authentication.

    SPSecurityContext.WindowsIdentity: Could not retrieve a valid windows identity for NTName='MYDOMAINMyuser', UPN='myuser@mydomian.com'. UPN is required when Kerberos constrained delegation is used. Exception: System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: WTS0003: The caller is not authorized to access the service. (Fault Detail is equal to An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is: System.UnauthorizedAccessException: WTS0003: The caller is not authorized to access the service.

  25. Matz says:

    When running the C2WTS service as a domain account, make sure it is present in the local administrator group on the application server or the servers that makes delegation (from Excel Services, Reporting Services etc.).

    Add the account to the group and restart the service in Service Manager.

    Resolved the error on a farm that I am administrator.

  26. Roman says:

    Thank you! This article  helped me!

  27. Danny says:

    What kind of rights does a user need to have to executte this tool? I get

    ***** c2WTS could not provide a valid Windows Token. Reason: Access is denied.

    +- User ***** has access rights per group/user WSS_WPG. Other groups will not be checked

    When I run this tool as the farm account it works

  28. Hi Danny,

    The user running c2WTS service may not have the appropriate rights. Look at this KB:

    support.microsoft.com/…/2722087

    Item 4 in special.

  29. Danny says:

    Hi Rodney,

    That article describes kerberos but my webapplication uses NTLM. So that doesn't apply I think.

    On another dev server in a different farm where I log in as a domain admin it does work.

    Also another strange thing on the dev server that works.I have user danny@spdev.local with login name spdevdanny. In AD i see the UPN danny@spdev.local. With the tool I can test and it works. When I remove the UPN from the account the tool still finds this user with upn danny@spdev or danny@spdev.local how is this possible? When I check with for example ADExplorer I see that the account danny no longer has a upn

  30. Danny says:

    The account that the c2wts service runs under has correct permissions according to the article (item 4). It seems that the account that starts the tool is missing some permissions. Any idea?

  31. Hi Danny,

    There are some assumptions when it comes to upn: user@<domain-short> and user@<domain-full>. NTLM does not work with delegation.

    If you followed the KB and still experience problems you may be running into a different issue which may be unrelated to c2WTS. See this post: blogs.msdn.com/…/verifying-whether-the-broken-piece-is-c2wts-or-active-directory.aspx

  32. Danny says:

    Hi Rodney,

    I am going to try your other test tool as all rights seem to be ok. The users that is starting the C2WTS tool doesn't need any special rights?

    The question about the UPN: When I use the tool ADExplorer I see that a UPN for a specific user is empty. But when running the C2WTS tester I can find that user on UPN. Is this normal?

  33. Hi Rodney,

    I have SharePoint 2013, SQL Server 2012 SP1, SSRS on SharePoint Mode and PowerPivot add-in.

    I am facing the issue with Power View when "PowerView" icon is clicked.I followed some of the instruction in the forum but still the problem is at large.

    1. The C2WTS Windows service and C2WTS SharePoint service are both running

    2. Checked the SQL Server Browser service is running on the machine that has the PowerPivot instance of SSAS.

    3. I have Claims Based Authentication on my farm.

    Error code is as given below though it remain the same.Appreciate any help to fix the issue..

    Regards

    Sakti

    <Message xmlns="http://www.microsoft.com/…/reportingservices">An error occurred while loading the model for the item or data source 'abcd.abcd.com/…/QA-SSAS.xlsx&. Verify that the connection information is correct and that you have permissions to access the data source.

    mlns:msrs="http://www.microsoft.com/…/reportingservices">An error occurred while loading the model for the item or data source 'abcd.abcd.com/…/QA-SSAS.xlsx&. Verify that the connection information is correct and that you have permissions to access the datasource.</Message>

    "xmlns:msrs="http://www.microsoft.com/…/reportingservices">Cannot create a connection to datasource 'TemporaryDataSource'.<Message>Call to Excel Services returned an error.We're sorry. We ran into a problem completing your request.<Message>We're sorry. We ran into a problem completing your request.</Message>

  34. I installed and ran the utility – Excellent! Some users work fine, others get “c2WTS could not provide a valid Windows Token. Reason: Access is denied.” So, if it isn’t c2WTS, then what is it? Permissions on AD? What do I need to change?

    here is the error message:

    Testing Service c2WTS
    +- Service c2WTS found
    +- Service c2WTS is running
    +- Path of service: C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe
    +- Config File: C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config
    +- Service Logon: _SPAdminDev\XYZ
    *** Service MUST BE ‘SYSTEM\NT AUTHORITY’ ***
    —– start of config file —-

    —– end of config file —-
    Retrieving security groups/users allowed to use the service from config file
    +- WSS_WPG
    Trying to login ………
    Using provided credentials to login
    ***** c2WTS could not provide a valid Windows Token. Reason: Access is denied.

    Server stack trace:
    at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)
    at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
    at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
    at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
    at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

    Exception rethrown at [0]:
    at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
    at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
    at Microsoft.IdentityModel.WindowsTokenService.S4UClient.IS4UService_dup.UpnLogon(String upn, Int32 pid)
    at Microsoft.IdentityModel.WindowsTokenService.S4UClient.c__DisplayClass1.b__0(IS4UService_dup channel)
    at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(Func`2 contractOperation)
    at c2WTSTest.Form1.button2_Click(Object sender, EventArgs e)

    Now Verifying if user XYZ\_SPAdminDev has rights on c2WTS
    +- User XYZ\_SPAdminDev has access rights per group/user WSS_WPG. Other groups will not be checked
    *** Analysis Complete ***

    1. Check this other post: https://blogs.msdn.microsoft.com/rodneyviana/2014/03/21/verifying-whether-the-broken-piece-is-c2wts-or-active-directory/

      Run the application from the post as XYZ\_SPAdminDev and see if it can resolve the upn. If not it is AD related and the error will be more specific.

  35. My issue is client machine specific. A user is able to login to Dynamics AX Enterprise portal from “other machines” but receives the claims issues from his own machine. Any thing machine specific in this whole process ? Cant figure it out how to resolve issue at some user’s machines. Any help would be highly appreciated.