none
ERROR: Could not retrieve a valid windows identity RRS feed

  • Question

  • When I try to create PowerView reports from BISM connection file, I get error:

    <MoreInformation>
    <Source>Microsoft.ReportingServices.ProcessingCore</Source>
    <Message msrs:ErrorCode="rsErrorOpeningConnection" msrs:HelpLink="http://go.microsoft.com/fwlink/?LinkId=20476&amp;EvtSrc=Microsoft.ReportingServices.Diagnostics.Utilities.ErrorStrings&amp;EvtID=rsErrorOpeningConnection&amp;ProdName=Microsoft%20SQL%20Server%20Reporting%20Services&amp;ProdVer=11.0.3000.0" xmlns:msrs="http://www.microsoft.com/sql/reportingservices">Cannot create a connection to data source 'TemporaryDataSource'.</Message>
    <MoreInformation>
    <Source>Microsoft.AnalysisServices.AdomdClient</Source>
    <Message/>
    <MoreInformation>
    <Source>Microsoft.SharePoint</Source>
    <Message>Could not retrieve a valid Windows identity.</Message>
    <MoreInformation>
    <Source>mscorlib</Source>
    <Message>WTS0003: The caller is not authorized to access the service.</Message>
    </MoreInformation>
    </MoreInformation>
    </MoreInformation>
    </MoreInformation>


    From SharePoint logs: I get following exception details:

    01/02/2013 11:00:34.17            w3wp.exe (0x0828)        0x2AEC SharePoint Foundation  Claims Authentication                bz7l        Medium               SPSecurityContext: Could not retrieve a valid windows identity for username 'DOMAIN\user' with UPN 'user@domain'. UPN is required when Kerberos constrained delegation is used. Exception: System.ServiceModel.EndpointNotFoundException: The message could not be dispatched because the service at the endpoint address 'net.pipe://localhost/s4u/022694f3-9fbd-422b-b4b2-312e25dae2a2' is unavailable for the protocol of the address.    Server stack trace:      at System.ServiceModel.Channels.ConnectionUpgradeHelper.DecodeFramingFault(ClientFramingDecoder decoder, IConnection connection, Uri via, String contentType, TimeoutHelper& timeoutHelper)     at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper& timeoutHelper)     at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper& timeoutHelper)     at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)     at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)     at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)     at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)     at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)     at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)    Exception rethrown at [0]:      at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)     at Microsoft.IdentityModel.WindowsTokenService.S4UClient.IS4UService_dup.UpnLogon(String upn, Int32 pid)     at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(Func`2 contractOperation)     at Microsoft.SharePoint.SPSecurityContext.GetWindowsIdentity().                a1bef09b-025a-208e-cd5e-4ef6678b6d0d

    Any help on how to get this resolved would be greatly appreciated.
    Wednesday, January 2, 2013 6:44 AM

Answers

  •  

    A quick test just then shows that with both local computer WSS_WPG group and domain WSS_WPG group, and <add value="WSS_WPG" /> specified on member computer, the domain WSS_WPG is neglected. If i remove the use from local computer groups, the tools will give WTS0003 error even if the user still exists in domain WSS_WPG group.


    update: "When testing for newly created role information, such as a new user or a new group, it is important to log out and log in to force the propagation of role information within the domain" still hold true when i add user into local computer WSS_WPG group, i had to log out and log in to pass the test with the tool.
    • Edited by GuYuming Friday, January 11, 2013 9:00 AM
    • Marked as answer by GuYuming Sunday, January 27, 2013 8:06 AM
    Friday, January 11, 2013 8:53 AM

All replies

  • Hi GuYuming

    I have already read the mentioned blog. Code mentioned there gives me the following output. 

    I have already verified that the c2WTS service is running and it's dependency 'Cryptographic services' is also running.

    Where is the root cause? How can I resolve this?

    Output of the code on the mentioned blog:

    Testing Service c2WTS
     +- Service c2WTS found
     +- Service c2WTS is running
     +- Path of service: C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe
     +- Config File: C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config
     +- Service Logon: SYSTEM\NT AUTHORITY
    ----- start of config file ----
    <?xml version="1.0"?>
    <configuration>
      <configSections>
        <section name="windowsTokenService" type="Microsoft.IdentityModel.WindowsTokenService.Configuration.WindowsTokenServiceSection, Microsoft.IdentityModel.WindowsTokenService, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </configSections>
      <startup>
        <supportedRuntime version="v4.0" />
        <supportedRuntime version="v2.0.50727" />
      </startup>
      <windowsTokenService>
        <!--
            By default no callers are allowed to use the Windows Identity Foundation Claims To NT Token Service.
            Add the identities you wish to allow below.
          -->
        <allowedCallers>
          <clear />
          <add value="WSS_WPG" />
        </allowedCallers>
      </windowsTokenService>
    </configuration>
    -----  end of config file  ----
    Retrieving security groups/users allowed to use the service from config file
     +- WSS_WPG
    Trying to login .........
    Using current Windows Credentials
    ***** c2WTS could not provide a valid Windows Token. Reason: WTS0003: The caller is not authorized to access the service.

    Server stack trace: 
       at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)
       at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

    Exception rethrown at [0]: 
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       at Microsoft.IdentityModel.WindowsTokenService.S4UClient.IS4UService_dup.UpnLogon(String upn, Int32 pid)
       at Microsoft.IdentityModel.WindowsTokenService.S4UClient.<>c__DisplayClass1.<UpnLogon>b__0(IS4UService_dup channel)
       at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(Func`2 contractOperation)
       at c2WTSTest.Form1.button2_Click(Object sender, EventArgs e)

    Now Verifying if user DOMAIN/monish has rights on c2WTS
     +- User  DOMAIN/monish has no access to the service
    *** Analysis Complete ***



    Monish Gupta


    • Edited by monishgupta Friday, January 4, 2013 6:09 AM restructured
    Friday, January 4, 2013 6:08 AM
  •     <allowedCallers>
          <clear />
          <add value="WSS_WPG" />
        </allowedCallers>

    Now Verifying if user DOMAIN/monish has rights on c2WTS
    +- User  DOMAIN/monish has no access to the service

    So, please add DOMAIN/monish into the WSS_WPG group

    Friday, January 4, 2013 6:18 AM
  • I verified, I(DOMAIN\monish) am already added as a member in the WSS_WPG group. But still I got the above mentioned exception/error. What else could be wrong?

    I tried opening a powerview report, I got the following exception which shows a different inner exception now. (Ealier, it was showing EndpointNotFoundException)

    LOGS:

    01/05/2013 10:57:04.71 w3wp.exe (0x15F4) 0x2B58 SharePoint Foundation Claims Authentication bz7l Medium SPSecurityContext: Could not retrieve a valid windows identity for username 'FAREAST\monishg' with UPN 'monishg@microsoft.com'. UPN is required when Kerberos constrained delegation is used. Exception: System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: WTS0003: The caller is not authorized to access the service. (Fault Detail is equal to An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is: System.UnauthorizedAccessException: WTS0003: The caller is not authorized to access the service.    at Microsoft.IdentityModel.WindowsTokenService.CallerSecurity.CheckCaller(WindowsIdentity callerIdentity)     at Microsoft.IdentityModel.WindowsTokenService.S4UServiceContract.PerformLogon(Func`1 logonOperation, Int32 pid)     at SyncInvokeUpnLogon(Object , Object[] , Object[] )     at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)     at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)     at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)     at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(MessageRpc& rpc)     at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)).. a0b5f19b-b2fa-208e-cd5e-467a0c0e0fcf


    Monish Gupta




    • Edited by monishgupta Saturday, January 5, 2013 5:41 AM highlighted the relevant error
    Saturday, January 5, 2013 5:28 AM
  • the WSS_WPG is a domain scope security group, could you please change it to universial scope (http://support.microsoft.com/kb/231273)?

    Update: it happend to be like this since i my test server is one of domain controller, which means there is no local machine group. And i had verified the replication with http://blogs.technet.com/b/askds/archive/2012/08/23/ad-replication-status-tool-is-live.aspx

    On a domain member server, i can see that the WSS_WPG is just a computer local group. And i just realized that if you have SharePoint server on both DC and member server, then, on the member server, you will have both domain WSS_WPG group and local computer WSS_WPG group, which could make the problem complicated:

    in  Microsoft.IdentityModel.WindowsTokenService.CallerSecurity.CheckCaller, we had to find out what is the value of calleridentity parameter and what is _allowedCallers.



    • Edited by GuYuming Friday, January 11, 2013 8:50 AM
    Monday, January 7, 2013 1:40 AM
  • I don't have permissions to change scope of security group. How would changing the scope solve the problem because Power View Reports were working well at one point of time.

    Monish Gupta

    Monday, January 7, 2013 5:17 PM
  • i happened to run into the same error with the tools in http://blogs.msdn.com/b/rodneyviana/archive/2011/07/19/troubleshooting-claims-to-windows-nt-token-service-c2wts-in-sharepoint-2010-may-be-difficult-if-you-don-t-know-where-to-start.aspx . Then i enabled WCF tracing (http://msdn.microsoft.com/en-us/library/ms733025.aspx) for the c2wts service, by editing the c2wtshost.exe.config file in SvcConfigEditor, in the trace log generated, i can find the following error message:

    Exception details: System.UnauthorizedAccessException: WTS0003: The caller is not authorized to access the service.
       at Microsoft.IdentityModel.WindowsTokenService.CallerSecurity.CheckCaller(WindowsIdentity callerIdentity)
       at Microsoft.IdentityModel.WindowsTokenService.S4UServiceContract.PerformLogon(Func`1 logonOperation, Int32 pid)
       at SyncInvokeUpnLogon(Object , Object[] , Object[] )

    Opening the CheckCaller method in .net reflector, it can be infered WindowsPrincipal.IsInRole returns false when true is expected. According to http://msdn.microsoft.com/en-us/library/fs485fwh.aspx : When testing for newly created role information, such as a new user or a new group, it is important to log out and log in to force the propagation of role information within the domain. I have just promoted a new DC in my testing domain, i guess there is configuration issue somewhere.

    Wednesday, January 9, 2013 7:00 AM
  •  

    A quick test just then shows that with both local computer WSS_WPG group and domain WSS_WPG group, and <add value="WSS_WPG" /> specified on member computer, the domain WSS_WPG is neglected. If i remove the use from local computer groups, the tools will give WTS0003 error even if the user still exists in domain WSS_WPG group.


    update: "When testing for newly created role information, such as a new user or a new group, it is important to log out and log in to force the propagation of role information within the domain" still hold true when i add user into local computer WSS_WPG group, i had to log out and log in to pass the test with the tool.
    • Edited by GuYuming Friday, January 11, 2013 9:00 AM
    • Marked as answer by GuYuming Sunday, January 27, 2013 8:06 AM
    Friday, January 11, 2013 8:53 AM
  • why does the moderator mark his own reply as answer? I am having the same issue and the solution is not posted.
    Tuesday, March 19, 2013 1:07 PM
  • I am having very close to the same issue as well.  Going to post a similar question on the forum here in a moment.
    Wednesday, March 20, 2013 9:18 PM
  • If you folks haven't solved your problem, I would recommend you to check these settings.

    1. For the service account that is running claims to windows token service, it needs to have these privileges on each and every server where the service is running:

     i.            Act as part of the operating system
     ii.           Impersonate a client after authentication
     iii.           Log on as a service

    You can enable above settings by going into Administrative Tools > Local Security Policy > Local Policies > User Rights Assignment.

    2. Service account needs to be a member of local admin group.

    3. Service account needs to have delegation turned on.
    (http://technet.microsoft.com/en-us/library/hh231678.aspx) <-- look at step.1 in the article.

    I had the same problem and was able to solve it using the above changes.

    • Proposed as answer by MrPack Wednesday, May 13, 2015 11:39 AM
    Monday, April 1, 2013 8:36 PM
  • On the delegation tab for the C2WTS account, "Trust this user for delegation to the specified services only"
    What services/accounts do I add here?
    Thursday, April 11, 2013 7:45 PM
  • c2wts service runs on local system account, as it default to.

    So, your computer account in Active Directory User and Computer setting (it can be under computers folder or domain controllers folder), should have delegation tab configured. 

    Network Service account may not work for the TCB permission talked about in http://msdn.microsoft.com/en-us/magazine/cc188757.aspx


    • Edited by GuYuming Friday, April 12, 2013 2:34 AM
    Friday, April 12, 2013 2:32 AM
  • The local security policy was also the fix in my case.  Since deploying SharePoint to our SQL server was a secondary effort, we didn't run through the same prep as we did for the WFE servers. 
    Friday, January 10, 2014 2:56 PM
  • http://support.microsoft.com/kb/2722087

    c2wts service also runs on domain account

    Friday, May 16, 2014 6:10 AM