c2WTS could not provide a valid Windows Token. Reason: "Token cannot be zero"

Quick & dirty post, as this error took me longer than it should've to solve. The Claims to Windows Token Service is used to convert a claims login into a Windows login for those times you need to authenticate against a service that's not claims-aware. Web services, SQL Server, whatever it may be: you have code in wonderful claims land (SharePoint app code, for example) that needs to talk to code protected by Windows authentication. This service must be invoked to get there, and it can be somewhat troublesome to get right.

If you see this error, “c2WTS could not provide a valid Windows Token. Reason: "Token cannot be zero"” when trying to get a Windows token from a claim via the Claims to Windows Token Service (C2WTS) and you can’t work out why, it’s probably simply because your C2WTS service account doesn’t have local administrator permissions on the machine it’s running on.

When setting up C2WTS, this most useful tool can really help figure out what's wrong. In this case it reported the error above.

Add the service-account to the local administrators group…


…restart the Claims to Windows Token Service, er, service and you should be good to go.


Now we get a token just fine!

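The same fix can be scripted. The following is an added example, not part of the original post: it looks up the account the service runs as, checks whether it is a direct member of the local Administrators group, adds it if missing, and restarts the service. It assumes Windows PowerShell 5.1 or later (for the `Microsoft.PowerShell.LocalAccounts` cmdlets), an elevated session, and that the service is registered under the name `c2wts`.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post).
# Assumptions: service name 'c2wts'; Windows PowerShell 5.1+ LocalAccounts cmdlets.
$serviceName = 'c2wts'
$adminsSid   = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators (name is localized)

# Find out which account the service is configured to run as.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) { throw "Service '$serviceName' is not installed on this machine." }

$account = $svc.StartName
if ($account -eq 'LocalSystem') {
    Write-Output "$serviceName runs as LocalSystem; group membership is not the problem."
    return
}

# Local accounts can be stored as '.\name'; expand that to 'COMPUTER\name'.
$account = $account -replace '^\.\\', "${env:COMPUTERNAME}\"

# Compare by SID rather than by name to avoid casing and format mismatches.
$accountSid = ([System.Security.Principal.NTAccount]$account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Direct members only: membership through a nested domain group is not detected.
$memberSids = @(Get-LocalGroupMember -SID $adminsSid | ForEach-Object { $_.SID.Value })

if ($memberSids -contains $accountSid) {
    Write-Output "$account is already a member of the local Administrators group."
}
else {
    Write-Output "Adding $account to the local Administrators group."
    Add-LocalGroupMember -SID $adminsSid -Member $account

    # The running service keeps its old token, so restart it to pick up the new group.
    Restart-Service -Name $serviceName
    Write-Output "$serviceName restarted."
}
```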

I hope this helps someone :)

// Sam Betts