Channel: PowerPivotGeek » Security

Watch out, your domain might be showing . . .

Several new SharePoint 2010 configuration issues will impact some PowerPivot sites, and I wanted to share them with you. These restrictions come from Excel Services and have to do with the way Windows authentication is handled, i.e. when you have set the Excel Services authentication to “Windows” rather than Secure Store or “None”. This impacts PowerPivot because Excel Services treats PowerPivot as a data source. The restrictions are not limited to PowerPivot – they apply across the board to all Excel Services data sources.

First, Excel Services requires that a domain controller be available for data access when using Windows authentication for a connection (see my earlier posting, http://powerpivotgeek.com/2009/11/06/taking-your-server-off-the-network/). Interestingly, it isn’t Excel Services specifically that has this requirement; rather, it is the SharePoint infrastructure component that Excel Services uses, the Geneva Token Service (GTS), which needs access to the domain controller to perform an S4U logon and impersonate the Windows user. S4U cannot use cached credentials.

The second restriction is also a consequence of GTS. GTS requires that all domains have two-way trust relationships in order to perform its logons. A common old-style domain configuration is a single dedicated “account” domain (where users live) and multiple “resource” domains (where your servers, printers and other resources live). Typically the resource domains trust the account domain, but the account domain does not trust the resource domains (a so-called ‘one-way trust’). Service accounts live in the resource domains and thus do not have account-level access. This is a good thing. Many of the Microsoft lab domains work this way. Unfortunately, if you install SharePoint in such an environment, you will find that Excel Services returns an error: “The data connection uses Windows Authentication and Excel Services is unable to delegate user credentials.” SharePoint requires a two-way trust between domains if your machine lives in one domain and your users live in another.
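Both preconditions above (a reachable domain controller for the S4U logon, and a two-way trust toward the users’ account domain) can be checked from the SharePoint server before you flip Excel Services to “Windows” authentication. The script below is an added example, not code from the original post or from Microsoft; it uses only the .NET System.DirectoryServices.ActiveDirectory classes, and `$UserDomain` is a placeholder you replace with the DNS name of the domain your Excel users log on from.

```powershell
# Added precondition check for the GTS / Excel Services restrictions described above.
# Run on the SharePoint application server (the machine that performs the S4U logon).
param(
    [string]$UserDomain = "account.example.com"   # placeholder: your users' (account) domain
)

Add-Type -AssemblyName System.DirectoryServices

# 1. GTS needs a live domain controller; S4U cannot fall back to cached credentials.
try {
    $serverDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    $dc = $serverDomain.FindDomainController()
    Write-Host "OK   Domain controller reachable for $($serverDomain.Name): $($dc.Name)"
} catch {
    Write-Host "FAIL No domain controller reachable for this server: $($_.Exception.Message)"
    return
}

# 2. If server and users share one domain, no trust relationship is involved.
if ($serverDomain.Name -ieq $UserDomain) {
    Write-Host "OK   Server and users are both in $UserDomain; no cross-domain trust needed."
    return
}

# 3. Otherwise the trust between the resource domain (this server) and the
#    account domain (the users) must be two-way, not the classic one-way trust.
$trust = $serverDomain.GetAllTrustRelationships() |
    Where-Object { $_.TargetName -ieq $UserDomain }

if (-not $trust) {
    Write-Host "FAIL No trust relationship from $($serverDomain.Name) to $UserDomain."
} elseif ($trust.TrustDirection -eq [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional) {
    Write-Host "OK   Two-way trust with $UserDomain; GTS can delegate Windows credentials."
} else {
    # Inbound or Outbound only: expect "unable to delegate user credentials" from Excel Services.
    Write-Host "FAIL Trust with $UserDomain is $($trust.TrustDirection) only; a two-way trust is required."
}
```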
