The data connection uses windows authentication and user credentials could not be delegated.

  • Question

  • Hello,

    In advance, thanks for your time.

    I've made an installation of a new farm SharePoint 2010 SP 1 with SQL Server 2012. I've installed the basic services and added a PowerPivot instance in the WFE.

    I have 3 accounts: Setup, FarmAdmin and Services. All of them are domain accounts. When checking out the Health Notifications it said that there were a couple of services that were run with the FarmAdmin Account and that I should switch them. Well I did, and by accident I changed the Windows Claim account to utilize the DOMAIN\Services account. Since I changed it I can't get PowerPivot to work: if I click on a slicer I get the error stated at this post's title.

    Can someone help me? How can I get the Claims Service back to utilize the "Local System" account? In the central administration I don't get to pick the Local system account...

    The ULS Logs show this:

    SPSecurityContext.WindowsIdentity: Could not retrieve a valid windows identity for NTName='Domain\username', UPN='usermail@mail.com'. UPN is required when Kerberos constrained delegation is used. Exception: System.ArgumentException: Token cannot be zero.    

     at System.Security.Principal.WindowsIdentity.CreateFromToken(IntPtr userToken)    
     at System.Security.Principal.WindowsIdentity..ctor(IntPtr userToken, String authType, Int32 isAuthenticated)    
     at System.Security.Principal.WindowsIdentity..ctor(IntPtr userToken)    
     at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(Func`2 contractOperation)    
     at Microsoft.SharePoint.SPSecurityContext.GetWindowsIdentity().

    MossHost.TryGetWindowsIdentity: Failed to get WindowsIdentity from IClaimsIdentity. SPSecurityContext.GetWindowsIdentity() threw exception: System.InvalidOperationException: Could not retrieve a valid Windows identity. ---> System.ArgumentException: Token cannot be zero.    
     at System.Security.Principal.WindowsIdentity.CreateFromToken(IntPtr userToken)    
     at System.Security.Principal.WindowsIdentity..ctor(IntPtr userToken, String authType, Int32 isAuthenticated)    
     at System.Security.Principal.WindowsIdentity..ctor(IntPtr userToken)    
     at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(Func`2 contractOperation)    
     at Microsoft.SharePoint.SPSecurityContext.GetWindowsIdentity()
     --- End of inner exception stack trace ---
     at Microsoft.SharePoint.SPSecurityContext.GetWindowsIdentity()    
     at Microsoft.Office.Excel.Server.MossHost.MossHost.<>c__DisplayClass8.<TryGetWindowsIdentity>b__6()

    CredentialsProvider.GetCredentials: Failed to get WindowsIdentity.

    Credential delegation failed because Excel Services Application was unable to obtain a Windows Identity.

    Thanks


    Carlos Roberto Vargas

    Tuesday, June 5, 2012 9:40 PM

Answers

  • Hi Carlos,

    Please refer to this link: http://msdn.microsoft.com/en-us/library/ff487975.aspx

    There are multiple causes for this error message. The common factor behind all of them is that Excel Services cannot get a valid Windows user identity from a claims token in SharePoint. In the case of Excel workbooks that contain PowerPivot data, this error occurs when any of the following conditions exist:

    • The Claims to Windows Token Service is not running. You can confirm the cause of this error by viewing the SharePoint log file. If the SharePoint logs include the message "The pipe endpoint 'net.pipe://localhost/s4u/022694f3-9fbd-422b-b4b2-312e25dae2a2' could not be found on your local machine", the Claims to Windows Token Service is not running. To start it, use Central Administration and then verify the service is running in the Services console application.

    • A domain controller is not available to validate the user identity. The Claims to Windows Token Service does not use cached credentials. It validates the user identity for each connection. You can confirm the cause of this error by viewing the SharePoint log file. If the SharePoint logs include the message "Failed to get WindowsIdentity from IClaimsIdentity", the user identity could not be authenticated.

    • The computers must be members of the same domain or in domains that have a two-way trust relationship.

    • You must use Windows domain user accounts. The accounts must have a Universal Principal Name (UPN).

    • The Excel Services service account must have Active Directory permissions to query the object.


    Use the following instructions to check the status of the Claims to Windows Token Service.

    For all other scenarios, check with your network administrator.

    Enable Claims to Windows Token Service

    1. In Central Administration, in System Settings, click Manage services on server.

    2. Select Claims to Windows Token Service, and then click Start.

    3. Verify the service is also running in the Services console:

      1. In Administrative Tools, click Services.

      2. Start the Claims to Windows Token Service if it is not running.

    Here is a similar issue; it will also help you:
    http://social.msdn.microsoft.com/Forums/en-US/sqlkjpowerpointforsharepoint/thread/4e6287f7-451b-4eec-9bef-52112587ff20

    Thanks,
    Lhan Han


    Thursday, June 7, 2012 6:52 AM
    Moderator
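
The log checks described in the answer above can be scripted. This is an added example, not part of the original reply: the function name `Get-C2wtsLogFinding` is hypothetical, and the sample lines are constructed from the messages quoted on this page.

```powershell
# Added example, not from the thread. $sample is constructed from the messages
# quoted on this page; pass Get-Content of a real ULS log file to -Line instead.
$signatures = @(
    @{ Cause   = 'Claims to Windows Token Service is not running'
       Pattern = "The pipe endpoint 'net\.pipe://localhost/s4u/[0-9a-f-]+' could not be found" },
    @{ Cause   = 'User identity could not be authenticated'
       Pattern = 'Failed to get WindowsIdentity from IClaimsIdentity' }
)
# Pulls the account out of the SPSecurityContext message so the failing user is visible.
$userPattern = "valid windows identity for NTName='([^']*)', UPN='([^']*)'"

function Get-C2wtsLogFinding {
    param([string[]]$Line)
    foreach ($text in $Line) {
        foreach ($sig in $signatures) {
            if ($text -match $sig.Pattern) {
                New-Object PSObject -Property @{ Finding = $sig.Cause; Detail = $Matches[0] }
            }
        }
        if ($text -match $userPattern) {
            New-Object PSObject -Property @{
                Finding = 'Affected user'
                Detail  = 'NTName={0} UPN={1}' -f $Matches[1], $Matches[2]
            }
        }
    }
}

$sample = @(
    "SPSecurityContext.WindowsIdentity: Could not retrieve a valid windows identity for NTName='Domain\username', UPN='usermail@mail.com'.",
    'MossHost.TryGetWindowsIdentity: Failed to get WindowsIdentity from IClaimsIdentity.',
    'CredentialsProvider.GetCredentials: Failed to get WindowsIdentity.'
)
Get-C2wtsLogFinding -Line $sample | Format-Table Finding, Detail -AutoSize
```

The third sample line matches neither signature, so only the first two produce findings.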

All replies

  • Hello Lah,

    Thank you for the articles! The issue was finally resolved by changing the Windows Claim service back to be run by "Local System" account. I couldn't do it through central administration but I did it through the Windows Server Services.

    Thanks


    Carlos Roberto Vargas

    Friday, June 8, 2012 9:23 PM
  • Once CTWTS has been set to run under the credentials of a Managed Account
    (which should always be the case), there is no way to set this back to the
    default setting within Central Admin (Local System) - this is because Local
    System is not recognised as a Managed Account.

    # List all service instances and note the Id of the Claims to Windows Token Service
    Get-SPServiceInstance
    # Confirm that the Id refers to the C2WTS instance
    Get-SPServiceInstance -Identity <Paste the C2WTS Id>
    $claims = Get-SPServiceInstance -Identity <Paste the C2WTS Id>

    # 0 is IdentityType.LocalSystem
    $claims.Service.ProcessIdentity.CurrentIdentityType = 0
    $claims.Service.ProcessIdentity.Update()
    $claims.Service.ProcessIdentity.Deploy()
    # Display the resulting identity
    $claims.Service.ProcessIdentity
    Monday, February 11, 2013 2:26 PM
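
The thread changes the C2WTS account in two places: the Windows Services console and the farm's `ProcessIdentity`. The following added example, which is not code from any poster, compares the two views on one server. The function name `Get-C2wtsIdentityReport` is hypothetical, and the script assumes the Windows service name `c2wts`, the type name `Claims to Windows Token Service`, and that both sides report a domain account in the same `DOMAIN\user` form.

```powershell
# Added example, not from the thread. Run in an elevated SharePoint 2010
# Management Shell on the server that hosts the service.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-C2wtsIdentityReport {
    # Farm view: find the instance by type name instead of pasting its Id.
    $instance = Get-SPServiceInstance -Server $env:COMPUTERNAME |
        Where-Object { $_.TypeName -eq 'Claims to Windows Token Service' }
    if (-not $instance) { throw 'No C2WTS service instance found on this server.' }
    $identity = $instance.Service.ProcessIdentity

    # Windows view: the account the Service Control Manager will start it under.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='c2wts'"
    if (-not $svc) { throw 'Windows service c2wts is not installed on this server.' }

    # Logon name that the farm configuration implies for each identity type.
    switch ($identity.CurrentIdentityType.ToString()) {
        'LocalSystem'    { $expected = 'LocalSystem' }
        'LocalService'   { $expected = 'NT AUTHORITY\LocalService' }
        'NetworkService' { $expected = 'NT AUTHORITY\NetworkService' }
        default          { $expected = $identity.Username }   # SpecificUser
    }

    New-Object PSObject -Property @{
        FarmStatus     = $instance.Status
        FarmIdentity   = $identity.CurrentIdentityType
        FarmLogOnAs    = $expected
        WindowsState   = $svc.State
        WindowsLogOnAs = $svc.StartName
        InSync         = ($svc.StartName -eq $expected)   # comparison is case-insensitive
    }
}

Get-C2wtsIdentityReport | Format-List
```

An `InSync` value of `False` means the farm configuration and the Windows service disagree about the logon account.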