Testing the Claims To Windows Token Service for different identities

Star InactiveStar InactiveStar InactiveStar InactiveStar Inactive
 

As noted in a previous blog post on debugging “The data connection uses windows authentication and user credentials could not be delegated” there are times (very rare times) when the issue is a problem with your Active Directory configuration. I want to reiterate that this is rare and it is usually something as simple as the c2wts service is not running. However, we have now seen two cases of “mis-configured” Active Directories which have led to this problem. It can manifest itself as either you always get this error or you get this error for all users except a couple. To test and see if it is a problem with your Active Directory settings, I am including some code for you to compile and run. At a very low level in Excel Calculation Services, they take the User Principal Name of the interactive user and attempt to convert it to a WindowsIdentity token using c2wts. The code below attempts to do the exact same thing and then just checks for errors and tries to give you some useful information about it (it is derived from this). If you compile this application and test the interactive users by attempting to get their WindowsIdentity token and it succeeds for them, then the issue was one of the ones listed earlier in the post on data connection delegation issues. If acquiring the token fails, then you most likely have an AD issue. Dave, Denny and I will try to keep adding information about what the possible configuration errors could be, but here is some code so you can test this on your own and perhaps resolve the whole problem without having to call CSS.

Read more...

 

Tags: sharepoint, security

 

2007-2015 VidasSoft Systems Inc.