ERROR: Could not retrieve a valid windows identity

  • Question

  • When I try to create Power View reports from a BISM connection file, I get this error:

    <MoreInformation>
    <Source>Microsoft.ReportingServices.ProcessingCore</Source>
    <Message msrs:ErrorCode="rsErrorOpeningConnection" msrs:HelpLink="http://go.microsoft.com/fwlink/?LinkId=20476&amp;EvtSrc=Microsoft.ReportingServices.Diagnostics.Utilities.ErrorStrings&amp;EvtID=rsErrorOpeningConnection&amp;ProdName=Microsoft%20SQL%20Server%20Reporting%20Services&amp;ProdVer=11.0.3000.0" xmlns:msrs="http://www.microsoft.com/sql/reportingservices">Cannot create a connection to data source 'TemporaryDataSource'.</Message>
    <MoreInformation>
    <Source>Microsoft.AnalysisServices.AdomdClient</Source>
    <Message/>
    <MoreInformation>
    <Source>Microsoft.SharePoint</Source>
    <Message>Could not retrieve a valid Windows identity.</Message>
    <MoreInformation>
    <Source>mscorlib</Source>
    <Message>WTS0003: The caller is not authorized to access the service.</Message>
    </MoreInformation>
    </MoreInformation>
    </MoreInformation>
    </MoreInformation>


    From the SharePoint logs, I get the following exception details:

    01/02/2013 11:00:34.17            w3wp.exe (0x0828)        0x2AEC SharePoint Foundation  Claims Authentication                bz7l        Medium               SPSecurityContext: Could not retrieve a valid windows identity for username 'DOMAIN\user' with UPN 'user@domain'. UPN is required when Kerberos constrained delegation is used. Exception: System.ServiceModel.EndpointNotFoundException: The message could not be dispatched because the service at the endpoint address 'net.pipe://localhost/s4u/022694f3-9fbd-422b-b4b2-312e25dae2a2' is unavailable for the protocol of the address.    Server stack trace:      at System.ServiceModel.Channels.ConnectionUpgradeHelper.DecodeFramingFault(ClientFramingDecoder decoder, IConnection connection, Uri via, String contentType, TimeoutHelper& timeoutHelper)     at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper& timeoutHelper)     at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper& timeoutHelper)     at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)     at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)     at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)     at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)     at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)     at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)    Exception rethrown at [0]:      at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)     at Microsoft.IdentityModel.WindowsTokenService.S4UClient.IS4UService_dup.UpnLogon(String upn, Int32 pid)     at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(Func`2 contractOperation)     at Microsoft.SharePoint.SPSecurityContext.GetWindowsIdentity().                a1bef09b-025a-208e-cd5e-4ef6678b6d0d

    Any help on how to get this resolved would be greatly appreciated.
    Wednesday, January 2, 2013 6:44 AM

Answers

  • A quick test just then shows that with both a local computer WSS_WPG group and a domain WSS_WPG group, and <add value="WSS_WPG" /> specified on the member computer, the domain WSS_WPG group is neglected. If I remove the user from the local computer group, the tools will give the WTS0003 error even if the user still exists in the domain WSS_WPG group.


    Update: "When testing for newly created role information, such as a new user or a new group, it is important to log out and log in to force the propagation of role information within the domain" still holds true when I add a user into the local computer WSS_WPG group; I had to log out and log in to pass the test with the tool.
    • Edited by GuYuming Friday, January 11, 2013 9:00 AM
    • Marked as answer by GuYuming Sunday, January 27, 2013 8:06 AM
    Friday, January 11, 2013 8:53 AM

All replies

  • Hi GuYuming

    I have already read the mentioned blog. The code mentioned there gives me the following output.

    I have already verified that the c2WTS service is running and that its dependency 'Cryptographic Services' is also running.

    Where is the root cause? How can I resolve this?

    Output of the code on the mentioned blog:

    Testing Service c2WTS
     +- Service c2WTS found
     +- Service c2WTS is running
     +- Path of service: C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe
     +- Config File: C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config
     +- Service Logon: SYSTEM\NT AUTHORITY
    ----- start of config file ----
    <?xml version="1.0"?>
    <configuration>
      <configSections>
        <section name="windowsTokenService" type="Microsoft.IdentityModel.WindowsTokenService.Configuration.WindowsTokenServiceSection, Microsoft.IdentityModel.WindowsTokenService, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </configSections>
      <startup>
        <supportedRuntime version="v4.0" />
        <supportedRuntime version="v2.0.50727" />
      </startup>
      <windowsTokenService>
        <!--
            By default no callers are allowed to use the Windows Identity Foundation Claims To NT Token Service.
            Add the identities you wish to allow below.
          -->
        <allowedCallers>
          <clear />
          <add value="WSS_WPG" />
        </allowedCallers>
      </windowsTokenService>
    </configuration>
    -----  end of config file  ----
    Retrieving security groups/users allowed to use the service from config file
     +- WSS_WPG
    Trying to login .........
    Using current Windows Credentials
    ***** c2WTS could not provide a valid Windows Token. Reason: WTS0003: The caller is not authorized to access the service.

    Server stack trace: 
       at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)
       at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

    Exception rethrown at [0]: 
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       at Microsoft.IdentityModel.WindowsTokenService.S4UClient.IS4UService_dup.UpnLogon(String upn, Int32 pid)
       at Microsoft.IdentityModel.WindowsTokenService.S4UClient.<>c__DisplayClass1.<UpnLogon>b__0(IS4UService_dup channel)
       at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(Func`2 contractOperation)
       at c2WTSTest.Form1.button2_Click(Object sender, EventArgs e)

    Now Verifying if user DOMAIN/monish has rights on c2WTS
     +- User  DOMAIN/monish has no access to the service
    *** Analysis Complete ***



    Monish Gupta


    • Edited by monishgupta Friday, January 4, 2013 6:09 AM restructured
    Friday, January 4, 2013 6:08 AM
  •     <allowedCallers>
          <clear />
          <add value="WSS_WPG" />
        </allowedCallers>

    Now Verifying if user DOMAIN/monish has rights on c2WTS
    +- User  DOMAIN/monish has no access to the service

    So, please add DOMAIN/monish into the WSS_WPG group

    Friday, January 4, 2013 6:18 AM
  • I verified that I (DOMAIN\monish) am already added as a member of the WSS_WPG group. But I still get the above-mentioned exception/error. What else could be wrong?

    I tried opening a Power View report and got the following exception, which now shows a different inner exception. (Earlier, it was showing EndpointNotFoundException.)

    LOGS:

    01/05/2013 10:57:04.71 w3wp.exe (0x15F4) 0x2B58 SharePoint Foundation Claims Authentication bz7l Medium SPSecurityContext: Could not retrieve a valid windows identity for username 'FAREAST\monishg' with UPN 'monishg@microsoft.com'. UPN is required when Kerberos constrained delegation is used. Exception: System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: WTS0003: The caller is not authorized to access the service. (Fault Detail is equal to An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is: System.UnauthorizedAccessException: WTS0003: The caller is not authorized to access the service.    at Microsoft.IdentityModel.WindowsTokenService.CallerSecurity.CheckCaller(WindowsIdentity callerIdentity)     at Microsoft.IdentityModel.WindowsTokenService.S4UServiceContract.PerformLogon(Func`1 logonOperation, Int32 pid)     at SyncInvokeUpnLogon(Object , Object[] , Object[] )     at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)     at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)     at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)     at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(MessageRpc& rpc)     at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)).. a0b5f19b-b2fa-208e-cd5e-467a0c0e0fcf


    Monish Gupta




    • Edited by monishgupta Saturday, January 5, 2013 5:41 AM highlighted the relevant error
    Saturday, January 5, 2013 5:28 AM
  • The WSS_WPG is a domain-scope security group; could you please change it to universal scope (http://support.microsoft.com/kb/231273)?

    Update: it happened to be like this since my test server is one of the domain controllers, which means there is no local machine group. And I had verified the replication with http://blogs.technet.com/b/askds/archive/2012/08/23/ad-replication-status-tool-is-live.aspx

    On a domain member server, I can see that the WSS_WPG is just a computer local group. And I just realized that if you have SharePoint Server on both a DC and a member server, then, on the member server, you will have both a domain WSS_WPG group and a local computer WSS_WPG group, which could make the problem complicated:

    In Microsoft.IdentityModel.WindowsTokenService.CallerSecurity.CheckCaller, we had to find out the value of the callerIdentity parameter and of _allowedCallers.



    • Edited by GuYuming Friday, January 11, 2013 8:50 AM
    Monday, January 7, 2013 1:40 AM
  • I don't have permissions to change the scope of the security group. How would changing the scope solve the problem, given that Power View reports were working well at one point in time?

    Monish Gupta

    Monday, January 7, 2013 5:17 PM
  • I happened to run into the same error with the tools in http://blogs.msdn.com/b/rodneyviana/archive/2011/07/19/troubleshooting-claims-to-windows-nt-token-service-c2wts-in-sharepoint-2010-may-be-difficult-if-you-don-t-know-where-to-start.aspx . Then I enabled WCF tracing (http://msdn.microsoft.com/en-us/library/ms733025.aspx) for the c2wts service by editing the c2wtshost.exe.config file in SvcConfigEditor; in the generated trace log, I can find the following error message:

    Exception details: System.UnauthorizedAccessException: WTS0003: The caller is not authorized to access the service.
       at Microsoft.IdentityModel.WindowsTokenService.CallerSecurity.CheckCaller(WindowsIdentity callerIdentity)
       at Microsoft.IdentityModel.WindowsTokenService.S4UServiceContract.PerformLogon(Func`1 logonOperation, Int32 pid)
       at SyncInvokeUpnLogon(Object , Object[] , Object[] )

    Opening the CheckCaller method in .NET Reflector, it can be inferred that WindowsPrincipal.IsInRole returns false when true is expected. According to http://msdn.microsoft.com/en-us/library/fs485fwh.aspx: When testing for newly created role information, such as a new user or a new group, it is important to log out and log in to force the propagation of role information within the domain. I have just promoted a new DC in my testing domain; I guess there is a configuration issue somewhere.

    Wednesday, January 9, 2013 7:00 AM
  • why does the moderator mark his own reply as answer? I am having the same issue and the solution is not posted.
    Tuesday, March 19, 2013 1:07 PM
  • I am having very close to the same issue as well.  Going to post a similar question on the forum here in a moment.
    Wednesday, March 20, 2013 9:18 PM
  • If you folks haven't solved your problem, I would recommend checking these settings.

    1. The service account that runs the Claims to Windows Token Service needs these privileges on each and every server where the service is running:

       i.   Act as part of the operating system
       ii.  Impersonate a client after authentication
       iii. Log on as a service

    You can enable the above settings under Administrative Tools > Local Security Policy > Local Policies > User Rights Assignment.

    2. The service account needs to be a member of the local Administrators group.

    3. The service account needs to have delegation turned on
    (http://technet.microsoft.com/en-us/library/hh231678.aspx; see step 1 in the article).

    I had the same problem and was able to solve it using the above changes.

    • Proposed as answer by MrPack Wednesday, May 13, 2015 11:39 AM
    Monday, April 1, 2013 8:36 PM
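    A read-only PowerShell check for what this reply lists in steps 1 and 2, and for what the marked answer above observes: on a member server the `<add value="WSS_WPG" />` entry in c2wtshost.exe.config is resolved against the machine-local WSS_WPG group, so the caller has to be a direct member of that local group. This is an added example, not code from the thread or from the troubleshooting tool linked earlier. The config path is the default one quoted in the thread; `$CallerAccount` is a placeholder for the web application pool account that calls c2WTS.

    ```powershell
    # Added example (not from the thread): read-only checks for c2WTS prerequisites.
    # Run in an elevated PowerShell on the server that hosts the c2WTS service.
    # Assumptions: $ConfigPath is the default path quoted in the thread;
    # $CallerAccount is a placeholder for the application pool account that calls c2WTS.
    param(
        [string]$ConfigPath    = 'C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config',
        [string]$CallerAccount = 'DOMAIN\apppool'   # placeholder
    )

    function Get-AccountSid([string]$Account) {
        # Win32_Service reports the built-in account as 'LocalSystem'; NTAccount needs the NT AUTHORITY form.
        if ($Account -eq 'LocalSystem') { $Account = 'NT AUTHORITY\SYSTEM' }
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    }

    function Get-LocalGroupMemberSids([string]$Group) {
        # Direct members of a machine-local group via the WinNT provider (works on 2008 R2/2012,
        # which predate Get-LocalGroupMember). A nested domain group shows up as one member SID,
        # so a user who is only in such a nested group is not matched here.
        $grp = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
        foreach ($m in @($grp.Invoke('Members'))) {
            $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
            (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
        }
    }

    function Get-UserRightsAssignment {
        # Exports the effective local policy and returns @{ RightName = @(SIDs or account names) }.
        $inf = Join-Path $env:TEMP 'c2wts-rights.inf'
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $rights = @{}
        foreach ($line in Get-Content -LiteralPath $inf) {
            if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
                # secedit writes SIDs with a leading '*', e.g. *S-1-5-32-544
                $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
            }
        }
        Remove-Item -LiteralPath $inf -ErrorAction SilentlyContinue
        $rights
    }

    # --- Service and its logon account -------------------------------------------
    $svc = Get-WmiObject Win32_Service -Filter "Name='c2WTS'"
    if (-not $svc) { throw 'c2WTS service is not installed on this host.' }
    "c2WTS state: $($svc.State); logon account: $($svc.StartName)"

    # --- allowedCallers and local group membership (the marked answer) -----------
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath
    $allowed = @($cfg.configuration.windowsTokenService.allowedCallers.add | ForEach-Object { $_.value })
    "allowedCallers in config: $($allowed -join ', ')"
    $callerSid = Get-AccountSid $CallerAccount
    foreach ($g in $allowed) {
        if ($g -match '\\') { "  '$g' is domain-qualified; check it in AD, not locally"; continue }
        try   { $direct = (Get-LocalGroupMemberSids $g) -contains $callerSid }
        catch { $direct = $false; "  local group '$g' could not be read: $($_.Exception.Message)" }
        "  $CallerAccount is a direct member of local group '$g': $direct"
    }

    # --- Service account prerequisites (steps 1 and 2 of the reply) ---------------
    if ($svc.StartName -eq 'LocalSystem') {
        "c2WTS runs as Local System; the user-rights and local-admin checks apply to a domain service account."
    } else {
        $svcSid = Get-AccountSid $svc.StartName
        $rights = Get-UserRightsAssignment
        # SeTcbPrivilege = Act as part of the operating system; SeImpersonatePrivilege =
        # Impersonate a client after authentication; SeServiceLogonRight = Log on as a service.
        foreach ($r in 'SeTcbPrivilege', 'SeImpersonatePrivilege', 'SeServiceLogonRight') {
            $granted = ($rights[$r] -contains $svcSid) -or ($rights[$r] -contains $svc.StartName)
            "  $($svc.StartName) holds $r : $granted"
        }
        $isAdmin = (Get-LocalGroupMemberSids 'Administrators') -contains $svcSid
        "  $($svc.StartName) is a direct member of local Administrators: $isAdmin"
    }
    ```

    The membership check deliberately looks only at direct members of the local group, because that is the case the marked answer describes (a user present only in the domain WSS_WPG group still gets WTS0003). A `False` from the group check, with the service running and the config listing WSS_WPG, points at the same condition the tool output above reports as "has no access to the service".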
  • On the delegation tab for the C2WTS account, "Trust this user for delegation to the specified services only"
    What services/accounts do I add here?
    Thursday, April 11, 2013 7:45 PM
  • The c2wts service runs under the Local System account, as it defaults to.

    So, your computer account in Active Directory Users and Computers (it can be under the Computers folder or the Domain Controllers folder) should have the Delegation tab configured.

    The Network Service account may not work for the TCB permission discussed in http://msdn.microsoft.com/en-us/magazine/cc188757.aspx


    • Edited by GuYuming Friday, April 12, 2013 2:34 AM
    Friday, April 12, 2013 2:32 AM
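    The Delegation tab settings mentioned in this reply and in step 3 of the earlier one are stored as attributes on the AD object, so they can be read back instead of clicked through. This is an added example, not code from the thread; it assumes the ActiveDirectory module (RSAT) is available, and `$Account` is a placeholder: the computer account with a trailing `$` when c2WTS runs as Local System, otherwise the domain service account name.

    ```powershell
    # Added example (not from the thread): read the attributes behind the "Delegation" tab
    # for the identity c2WTS runs as. Requires the ActiveDirectory module (RSAT).
    # Assumption: $Account is a placeholder. Use the computer account (trailing '$') when the
    # service runs as Local System, or the domain service account name otherwise.
    param([string]$Account = 'SPSERVER$')   # placeholder

    Import-Module ActiveDirectory

    $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
             'msDS-AllowedToDelegateTo', 'servicePrincipalName'
    $obj = if ($Account.EndsWith('$')) {
        Get-ADComputer -Identity $Account -Properties $props
    } else {
        Get-ADUser -Identity $Account -Properties $props
    }

    # How the attributes map to the tab:
    #   TrustedForDelegation       -> "Trust this ... for delegation to any service (Kerberos only)"
    #   msDS-AllowedToDelegateTo   -> the service list under "... to specified services only"
    #   TrustedToAuthForDelegation -> "Use any authentication protocol" (protocol transition),
    #                                 needed because c2WTS obtains the token with an S4U logon
    #                                 (the UpnLogon call in the traces above), not a user password.
    $targets = @($obj.'msDS-AllowedToDelegateTo')
    New-Object PSObject -Property @{
        Account                 = $obj.SamAccountName
        UnconstrainedDelegation = [bool]$obj.TrustedForDelegation
        ProtocolTransition      = [bool]$obj.TrustedToAuthForDelegation
        ConstrainedTargets      = $targets
        SPNs                    = @($obj.servicePrincipalName)
    } | Format-List

    # An empty target list with "specified services only" selected means no backend can be
    # delegated to, so the report connection fails; unconstrained delegation would make it
    # work but grants far more than the specific backend SPNs the reports need.
    if ($obj.TrustedForDelegation) {
        Write-Warning "$Account is trusted for unconstrained delegation; prefer constrained delegation to the backend SPNs."
    }
    if (-not $targets -and -not $obj.TrustedForDelegation) {
        Write-Warning "$Account has no delegation targets configured."
    }
    ```

    The output answers the question asked two posts up in the form the tab stores it: `ConstrainedTargets` is exactly the list that "Trust this user for delegation to the specified services only" populates, and `ProtocolTransition` is the "Use any authentication protocol" radio button.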
  • The local security policy was also the fix in my case.  Since deploying SharePoint to our SQL server was a secondary effort, we didn't run through the same prep as we did for the WFE servers. 
    Friday, January 10, 2014 2:56 PM
  • http://support.microsoft.com/kb/2722087

    The c2wts service also runs under a domain account.

    Friday, May 16, 2014 6:10 AM