FBA + LDAP + SSRS = Can not convert claims identity to windows token. This may be due to user not logging in using windows credentials

  • Question

  • Hi,

    I'm configuring a new SharePoint farm + SSRS 2012 in integrated mode.

    We are using FBA authentication with the LDAP provider.

    So the user accounts are in the local AD.

    Is there a way to make claims-to-Windows work in this config?

    Because SSRS raises this error:

    Can not convert claims identity to windows token. This may be due to user not logging in using windows credentials

    Does using ADFS + SSO support this?

    Do I have to create my own LDAP provider?

    I don't see a UPN token in the list of tokens for the user. Is it the missing information? If yes, how can I add it?

    Wednesday, December 4, 2013 2:24 PM

Answers

  • There is no way to create a Windows claim from an FBA claim. It extracts the claim from the HTTPContext.

        // Decompiled from Microsoft.SharePoint.IdentityModel. The method name, the usings and the
        // catch block are reconstructed so the fragment compiles; the post ended inside the try.
        using System;
        using System.Security.Principal;
        using System.Threading;
        using System.Web;
        using Microsoft.IdentityModel.Claims;

        private static WindowsIdentity GetWindowsIdentityFromContext(HttpContext context)
        {
            WindowsIdentity identity = null;
            // Only set by IIS after Negotiate/NTLM/Basic authentication; an FBA request has neither.
            string str = context.Request.ServerVariables["LOGON_USER"];
            string str2 = context.Request.ServerVariables["AUTH_TYPE"];
            if ((string.IsNullOrEmpty(str) || string.IsNullOrEmpty(str2)) || string.Equals(str2, "Federation", StringComparison.OrdinalIgnoreCase))
            {
                return identity;
            }
            // An already-authenticated claims identity is left alone.
            IClaimsIdentity identity2 = Thread.CurrentPrincipal.Identity as IClaimsIdentity;
            if ((identity2 != null) && identity2.IsAuthenticated)
            {
                return identity;
            }
            HttpWorkerRequest service = ((IServiceProvider) context).GetService(typeof(HttpWorkerRequest)) as HttpWorkerRequest;
            if (service == null)
            {
                return identity;
            }
            try
            {
                // The Windows token comes from the IIS worker request, never from the claims.
                return new WindowsIdentity(service.GetUserToken(), str2, WindowsAccountType.Normal, true);
            }
            catch (Exception)
            {
                return identity;
            }
        }


    Trevor Seward, MCC

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Monday, December 9, 2013 4:29 PM
    Moderator
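    An added example (not code from the thread or from SharePoint) that applies the point of the decompiled method from the SharePoint Management Shell: classify the user's SharePoint encoded claim by its issuer letter and only ask the Claims to Windows Token Service for a token when the claim is a Windows (`.w`) one. It assumes WIF 3.5's `Microsoft.IdentityModel.dll` (which carries the `S4UClient` wrapper for C2WTS) is installed, that the process running it is listed in `allowedCallers` of `c2wtshost.exe.config`, and that a single-domain AD lookup resolves the UPN; the two claim strings are constructed samples, not real accounts.

```powershell
# Added example, not from the thread or from SharePoint: decide from the encoded claim
# whether C2WTS can be asked for a Windows token, and make the call for Windows claims.
# Assumptions: WIF 3.5 (Microsoft.IdentityModel.dll) is installed, the process running
# this is listed in allowedCallers of c2wtshost.exe.config, and the UPN lookup below
# uses the local domain. Sample claim strings are constructed, not real accounts.

# SharePoint encodes an identity claim as  i:0<type><valuetype><issuer>|<value>
# '#' = logon-name claim type, '.' = string value, issuer 'w' = Windows, 'f' = forms,
# 't' = trusted (SAML). For the 'w' issuer the value is DOMAIN\user.
function Get-SPClaimIssuerKind {
    param([Parameter(Mandatory)][string]$EncodedClaim)
    if ($EncodedClaim -notmatch '^i:0(?<type>.)(?<vtype>.)(?<issuer>[a-z])\|') { return 'Unknown' }
    switch ($Matches['issuer']) {
        'w'     { 'Windows' }
        'f'     { 'Forms' }
        't'     { 'Trusted' }
        default { 'Other' }
    }
}

function Get-UpnFromWindowsClaim {
    # 'i:0#.w|CONTOSO\alice' -> userPrincipalName from the current domain (assumption: one domain)
    param([Parameter(Mandatory)][string]$EncodedClaim)
    $sam = $EncodedClaim.Split('|')[-1].Split('\')[-1]
    $hit = ([ADSISearcher]"(&(objectCategory=person)(sAMAccountName=$sam))").FindOne()
    if (-not $hit) { throw "No AD user with sAMAccountName '$sam'" }
    return [string]$hit.Properties['userprincipalname'][0]
}

function Get-C2WTSToken {
    param([Parameter(Mandatory)][string]$EncodedClaim)
    $kind = Get-SPClaimIssuerKind $EncodedClaim
    if ($kind -ne 'Windows') {
        # Same condition SSRS reports: nothing in a forms or trusted claim names a Windows logon.
        throw "Can not convert claims identity to windows token ($kind claim: $EncodedClaim)"
    }
    $upn = Get-UpnFromWindowsClaim $EncodedClaim
    [void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.IdentityModel')
    # C2WTS performs a Kerberos S4U2self logon for the UPN and returns an impersonation token;
    # this is the call SharePoint service applications make on the user's behalf.
    return [Microsoft.IdentityModel.WindowsTokenService.S4UClient]::UpnLogon($upn)
}

# Constructed sample claims: one Windows, one FBA via an LDAP membership provider.
foreach ($claim in 'i:0#.w|CONTOSO\alice', 'i:0#.f|ldapmembership|alice') {
    try {
        $wi = Get-C2WTSToken $claim
        "{0,-35} -> {1} (impersonation level {2})" -f $claim, $wi.Name, $wi.ImpersonationLevel
    } catch {
        "{0,-35} -> {1}" -f $claim, $_.Exception.Message
    }
}
```

    The Windows sample only succeeds when the service instance is started and the calling account is allowed in `c2wtshost.exe.config`; the forms sample fails before C2WTS is ever contacted, because the claim carries no Windows logon name to hand to S4U.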
  • I had a somewhat similar requirement a while ago (to do certificate-based auth against SharePoint and be able to delegate credentials to SQL backends through C2WTS).

    The customer decided against a coded solution, so I haven't looked too deeply into the C2WTS inner workings. However, I can imagine you could try having a look at the implementation of the C2WTS service in SharePoint through reflection, get some details out of it, and then try building your own claims provider to match the requirements.

    In our case we ended up publishing the SharePoint web app through TMG, which took care of the auth and then delegated credentials through Kerberos to SharePoint. This way SharePoint gets a Windows token and implicitly Windows claims, which can be used with C2WTS for further delegation. Unfortunately TMG was discontinued, so I don't know if you can still get it, but you could try the Web Application Proxy functionality in Server 2012 R2.

    http://technet.microsoft.com/en-us/library/dn280944.aspx

    Monday, December 9, 2013 5:06 PM

All replies

  • Is the Claims to Windows Token service running in the farm? SSRS 2012 supports all forms of Claims identities.

    Trevor Seward, MCC

    Wednesday, December 4, 2013 2:58 PM
    Moderator
  • Yes, it's running.

    Is there a way to test it?

    Wednesday, December 4, 2013 3:33 PM
  • What account is it running under?

    Trevor Seward, MCC

    Wednesday, December 4, 2013 3:35 PM
    Moderator
  • I'm using a domain account.

    The .config file allows the WSS_WPG group.

    Wednesday, December 4, 2013 3:52 PM
  • Can you verify the account is a Local Administrator and has these three rights on the SharePoint server:

    Act as part of the operating system
    Impersonate a client after authentication
    Log on as a service


    Trevor Seward, MCC

    Wednesday, December 4, 2013 3:58 PM
    Moderator
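    An added example, not from the thread, that runs the checklist from this reply and the earlier ones (service instance started, service account, local Administrators membership, the three user rights, and who is allowed to call the service) as a script on the SharePoint server. The Windows service name `c2wts` and the `c2wtshost.exe.config` path are assumptions for a default WIF 3.5 install; `secedit` needs an elevated shell.

```powershell
# Added example, not from the thread: audit the C2WTS prerequisites on a SharePoint server.
# Run as a local administrator in the SharePoint Management Shell.
# Assumptions: the Windows service is named 'c2wts' and the WIF 3.5 config lives at the
# path below; adjust both if your install differs.

$c2wtsConfig = "$env:ProgramFiles\Windows Identity Foundation\v3.5\c2wtshost.exe.config"

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Is the service instance started in the farm, and is the Windows service running?
Get-SPServiceInstance |
    Where-Object { $_.TypeName -like 'Claims to Windows Token*' } |
    Select-Object @{n='Server';e={$_.Server.Name}}, Status

$svc = Get-WmiObject Win32_Service -Filter "Name='c2wts'"
if (-not $svc) { throw "c2wts service not installed on this server" }
$account = $svc.StartName                      # e.g. CONTOSO\svc_c2wts
"c2wts: state={0} account={1}" -f $svc.State, $account

# 2. The service account must be a local administrator (direct membership check only).
$samName = $account.Split('\')[-1]
$adminPaths = ([ADSI]'WinNT://./Administrators,group').Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) }
"Local Administrators member: {0}" -f [bool]($adminPaths -match "/$([regex]::Escape($samName))$")

# 3. The three user rights: export the local policy and look for the account's SID per line.
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate([System.Security.Principal.SecurityIdentifier]).Value
$inf = Join-Path $env:TEMP 'c2wts-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$policy = Get-Content $inf
$required = [ordered]@{
    SeTcbPrivilege         = 'Act as part of the operating system'
    SeImpersonatePrivilege = 'Impersonate a client after authentication'
    SeServiceLogonRight    = 'Log on as a service'
}
foreach ($priv in $required.Keys) {
    # secedit writes e.g. "SeTcbPrivilege = *S-1-5-21-...,*S-1-5-32-544"
    $line = $policy | Where-Object { $_ -like "$priv *" }
    $direct = [bool]($line -and $line.Contains("*$sid"))
    "{0,-42} {1}" -f $required[$priv], $(if ($direct) { 'granted' } else { 'not granted directly (check group grants)' })
}
Remove-Item $inf -ErrorAction SilentlyContinue

# 4. Who may call C2WTS: the web application pool identity (or WSS_WPG) must be listed.
[xml]$cfg = Get-Content $c2wtsConfig
"allowedCallers: " + (($cfg.configuration.windowsTokenService.allowedCallers.add | ForEach-Object value) -join ', ')
```

    A right granted through a group (for example via Group Policy to a domain group the account belongs to) shows up as "not granted directly"; confirm those with `whoami /priv` in a session running as the service account.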
  • Yes, everything is in place.

    The Kerberos delegation works fine, but I have to use FBA, not Windows authentication.

    Wednesday, December 4, 2013 4:02 PM
  • Okay, re-thinking this one: you must use Windows credentials and not FBA (even if FBA is sourced from Active Directory). Kerberos isn't going to function with FBA (for the user logging in with FBA). The error makes sense because the user isn't logging in with a Windows claim, but a forms-based claim, so it can't be converted to a Windows token.

    Unfortunately it looks like you've run into a limitation of the system.


    Trevor Seward, MCC

    Saturday, December 7, 2013 5:12 AM
    Moderator
  • And what's the purpose of this module?

          <add name="SPWindowsClaimsAuthentication" type="Microsoft.SharePoint.IdentityModel.SPWindowsClaimsAuthenticationHttpModule, Microsoft.SharePoint.IdentityModel, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />

    What does the SPWindowsClaimsAuthentication module do?

    Does it convert a claim into a Windows account?

    Somewhere SharePoint is able to convert a Windows claim into a Windows account for impersonation, so it's certainly possible to do the same thing without using Windows authentication but FBA.

    Monday, December 9, 2013 3:27 PM
  • What are you attempting to do at this point? You need to use Windows Claims in your situation.

    Trevor Seward, MCC

    Monday, December 9, 2013 3:56 PM
    Moderator
  • Hi,

    Like Trevor said, it only works with Windows incoming auth:

    "[...] It is important to understand that these service applications can use the C2WTS only if the incoming authentication method is either Windows claims or Windows classic mode [...]"

    http://technet.microsoft.com/en-us/library/ee806870.aspx

    The SPWindowsClaimsAuthentication Module creates Windows Claims from Windows Tokens and the Claims To Windows Token Service creates Kerberos Tickets from Claims Tokens.

    Andrei

    Monday, December 9, 2013 3:59 PM
  • "[...] It is important to understand that these service applications can use the C2WTS only if the incoming authentication method is either Windows claims or Windows classic mode [...]"

    OK, I understand this.

    So is there a way to create a Windows claim from an FBA claim?

    So a custom module? Or a custom authentication provider?

    There is certainly more than one way to create a Windows claim.

    What do the SharePoint services try to find in their code prior to calling the C2WTS? Do they look for a specific token in the claim (e.g. must the UPN token be present)? Or must the current HTTP context have a specific type (i.e. does the SharePoint service use typeof against the identity object)?

    Monday, December 9, 2013 4:26 PM