SharePoint 2013 – User identity pass-through delegation does not work with BCS and claims-mode authentication

In SharePoint 2010/2013 , user identity pass-through delegation will not work when a BCS External Content type (using a SQL Server Data source) is used in a web application with claims-based authentication (Windows authentication and Kerberos) configured.

The Setup for scenario mentioned above is the one described in "Scenario 9” at

When this Scenario is Configured , following message is still the message on a list based on the external content type for any user:

"Message from External System: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'."

The same setup works perfectly in SharePoint Server 2010 and SharePoint Server 2013 when a web application is used that has Classic Mode / Windows Authentication / Kerberos configured.

Reason for this Behavior

The delegation related to BCS is described in the Scenario 9 of the white paper for Kerberos configuration (see the linked .doc file): . One of the Requirements for this to work is to Configure your web applications with classic Windows authentication using Kerberos authentication.

When we have A Web-app deployed in Claims mode on SharePoint 2010/2013, this will not work due to the Fact that BCS was never designed to leverage the Claims to Windows Token Service (C2WTS) and this is documented in the white paper.  You can find more information on Claims to Windows Token Service (C2WTS) here.

This C2WTS service is used when claims is used as authentication mode to transfer the user identity that needs pass-through from a claims identity to a windows identity.

What to Do then ?

The only true workaround in case of Claims Mode Web-app here is to use Secure Store Service (SSS) with a target application of type "Individual" that is able to pass-through the user's identity via credential mappings.

See the following articles for more information:

Plan the Secure Store Service in SharePoint Server 2013

Configure the Secure Store Service in SharePoint 2013

Please be aware of this unwanted side effect of using Secure Store Identity

In the case of user credentials change (like scheduled password changes) the user either needs to re-enter his credentials via the list view which displays the needed form or on the administrative side actions can be taken to update the credential mappings in the Secure Store Service target application used by the BCS external content type on a regular basis. 

Else a classic mode web application can be used, but by default in SharePoint Server 2013 through the UI administrators can only create claims mode web applications.

Additional Information

Plan for Kerberos authentication in SharePoint 2013

Identity delegation for Business Connectivity Services

POST BY : Praveen Hebbar [MSFT]

Comments (3)

  1. Badajoz says:

    Wondering if it is on the plan to be fixed?

  2. Fred B says:

    This is very disappointing. Why package BCS with SharePoint 2013 when it can't be used with kerberos on claims? Is BCS being deprecated like classic authentication? I really hope they fix this. I hate having to build and maintain a web service every time I need to access and update data on a SQL Server in an authenticated way that doesn't involve re-entering credentials. BCS is just there an inch away from working properly. Fix it please.

  3. SharePoint Developer Tutorials says:

    Information was good, I like your post.

    Looking forward for more on this topic.

    <a href="…/"> SharePoint Developer Tutorials</a>

Skip to main content