
Testing the Claims To Windows Token Service for different identities

As noted in a previous blog post on debugging "The data connection uses windows authentication and user credentials could not be delegated", there are times (very rare times) when the underlying issue is a problem with your Active Directory configuration. I want to reiterate that this is rare; it is usually something as simple as the c2wts service not running. However, we have now seen two cases of mis-configured Active Directories that led to this error. It manifests either as every user always getting the error, or as every user except a couple getting it. To test whether your Active Directory settings are the problem, I am including some code for you to compile and run. At a very low level, Excel Calculation Services takes the User Principal Name of the interactive user and asks c2wts to convert it into a WindowsIdentity token. The code below does exactly the same thing, then checks for errors and tries to give you some useful information about them (it is derived from this). If you compile this application, test the affected interactive users, and acquiring their WindowsIdentity token succeeds, then the issue is one of the ones listed earlier in the post on data connection delegation issues. If acquiring the token fails, you most likely have an AD issue. Dave, Denny and I will keep adding information about the possible configuration errors, but here is some code so you can test this on your own and perhaps resolve the whole problem without having to call CSS.

Make sure to run this executable as the service account under which Excel Calculation Services runs. If you are not sure which account that is, first go to Central Administration's "Security" page:

(screenshot: Central Administration, Security page)

Then under "General Security" choose "Configure Service Accounts":

(screenshot: Configure Service Accounts page)

In the drop-down list on the right you are looking for a "Service Application Pool" whose middle list contains "Excel Services Application Web Service Application". The account shown at the bottom is the one to run the test application as, so that it accurately simulates what ECS does when you are actually using SharePoint. Using the wrong account can give misleading results, because c2wts only answers callers it has been configured to allow and a different account may have different rights.

You must provide the User Principal Name (UPN) of the interactive user to the test application. Every user has an implicit UPN, which can be expressed as <user>@<domain> (mine would be "leegr@redmond"). You may also have been given an explicit UPN, which can look slightly different (although the implicit UPN would still work). If you are not sure you are using the right UPN, dig through the ULS log to find the UPN associated with the failure. This is the log entry I got when I turned the c2wts service off:

SPSecurityContext.WindowsIdentity: Could not retrieve a valid windows identity for NTName='REDMOND\leegr', UPN='leegr@microsoft.com'. UPN is required when Kerberos constrained delegation is used.

Note that the bit about "Kerberos" can be ignored: we do not require Kerberos constrained delegation for this to work, and neither does c2wts. Without constrained delegation it simply returns a token that cannot be used to reach remote resources, which is fine for this test. Your log entry might also look a bit different, since I don't know whether they log different text depending on the exception type at this level.
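As an added example (this is not code from the original post), the following PowerShell script does the same work as the Central Admin steps and the ULS digging above, in one place: it looks up the account Excel Calculation Services runs as, checks that the c2wts Windows service and SharePoint service instance are running, prints the callers c2wts is configured to accept, pulls the NTName/UPN pairs SharePoint logged on failure, and finally runs the compiled c2wtstest.exe from this post as the ECS account. It assumes the SharePoint 2010 Management Shell on a server hosting ECS, the default WIF 3.5 install path for c2wtshost.exe.config, and that c2wtstest.exe is in the current directory; the $Upn and $CfgPath parameter names are my own.

```powershell
# Added diagnostic script, not code from the original post. Assumptions: run in the
# SharePoint 2010 Management Shell on a server hosting Excel Calculation Services, the
# compiled c2wtstest.exe from this post sits in the current directory, and c2wts was
# installed to the default WIF 3.5 path below (override -CfgPath if yours differs).
param(
    [Parameter(Mandatory = $true)][string]$Upn,   # UPN of the interactive user to test
    [string]$CfgPath = 'C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config'
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Find the account ECS runs as (same answer Central Admin > Configure Service Accounts gives).
$ecs = Get-SPServiceApplication | Where-Object { $_.TypeName -like 'Excel Services Application*' }
if (-not $ecs) { throw 'No Excel Services Application found in this farm.' }
$ecsAccount = $ecs.ApplicationPool.ProcessAccountName
"ECS app pool '{0}' runs as {1}" -f $ecs.ApplicationPool.Name, $ecsAccount

# 2. The common cause: c2wts is simply not running. Check the Windows service on this box
#    and SharePoint's own view of the service instance on every server in the farm.
$svc = Get-Service -Name c2wts -ErrorAction SilentlyContinue
if (-not $svc) { Write-Warning 'Windows service c2wts is not installed on this server.' }
else { "Windows service c2wts: {0}" -f $svc.Status }
Get-SPServiceInstance |
    Where-Object { $_.TypeName -like 'Claims to Windows Token Service*' } |
    ForEach-Object { "SharePoint C2WTS instance on {0}: {1}" -f $_.Server.Address, $_.Status }

# 3. c2wts only serves callers listed under <allowedCallers> in its config. SharePoint normally
#    adds the local group WSS_WPG, which the app pool accounts belong to, so print both sides
#    and compare: an ECS account missing from here fails the same way an AD problem does.
[xml]$cfg = Get-Content -Path $CfgPath
$allowed = @($cfg.configuration.windowsTokenService.allowedCallers.add | ForEach-Object { $_.value })
"allowedCallers: {0}" -f ($allowed -join ', ')
if ($allowed -contains 'WSS_WPG') { net localgroup WSS_WPG }

# 4. Pull the UPN SharePoint itself used from the ULS logs, so the test runs with the same string
#    rather than a guessed implicit UPN.
$logDir = [Environment]::ExpandEnvironmentVariables((Get-SPDiagnosticConfig).LogLocation)
$pattern = "Could not retrieve a valid windows identity for NTName='(?<nt>[^']+)', UPN='(?<upn>[^']*)'"
Get-ChildItem -Path $logDir -Filter *.log |
    Select-String -Pattern $pattern |
    ForEach-Object { "{0} -> {1}" -f $_.Matches[0].Groups['nt'].Value, $_.Matches[0].Groups['upn'].Value } |
    Sort-Object -Unique

# 5. Run the post's test tool as the ECS account rather than as yourself, capturing its output
#    to a file because a process started under other credentials gets its own console.
$cred = Get-Credential $ecsAccount
$out = Join-Path $env:TEMP 'c2wtstest.out'
Start-Process -FilePath (Resolve-Path '.\c2wtstest.exe').Path -ArgumentList $Upn -Credential $cred `
    -WorkingDirectory (Get-Location).Path -RedirectStandardOutput $out -Wait
Get-Content $out
```

Step 3 is the check most often skipped: if step 5 reports "Security Access Denied" while step 2 shows c2wts running, look at the allowedCallers list before suspecting Active Directory. Step 4 may print several NTName/UPN pairs if more than one user has hit the error; pass each one to step 5 when only some users are affected.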

To compile this code, reference the following assemblies (Microsoft.IdentityModel is the Windows Identity Foundation 3.5 assembly, Microsoft.IdentityModel.dll):

  • Microsoft.IdentityModel
  • System
  • System.Core
  • System.IdentityModel
  • System.ServiceModel


using System;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.WindowsTokenService;   // S4UClient, from WIF 3.5

namespace C2WTSTest
{
    class Program
    {
        static void OutputUsage()
        {
            Console.WriteLine("Usage:");
            Console.WriteLine("\tc2wtstest.exe <upn>");
            Console.WriteLine("\tExample: c2wtstest.exe dwickert@redmond");
        }

        static void Main(string[] args)
        {
            if ((args.Length != 1) || (string.Compare(args[0], "/?") == 0) || (string.Compare(args[0], "-?") == 0) || (string.Compare(args[0], "?") == 0))
            {
                OutputUsage();
                return;
            }

            string upn = args[0];

            WindowsIdentity windowsIdentity = null;
            if (!String.IsNullOrEmpty(upn))
            {
                try
                {
                    // This is the same call Excel Calculation Services makes: ask c2wts, over its
                    // local named-pipe WCF endpoint, to turn the UPN into a Windows token via S4U logon.
                    Console.WriteLine("Attempting to acquire windows identity for upn: '{0}'", upn);
                    windowsIdentity = S4UClient.UpnLogon(upn);
                }
                catch (SecurityAccessDeniedException)
                {
                    // c2wts refused the caller: the account running this test is not in the
                    // <allowedCallers> list of c2wtshost.exe.config. Re-check which account you ran as.
                    Console.WriteLine("Could not map the upn claim to a valid windows identity. Security Access Denied");
                    return;
                }
                catch (EndpointNotFoundException)
                {
                    // Nothing is listening: the c2wts Windows service is stopped or not installed.
                    Console.WriteLine("Could not map the upn claim to a valid windows identity because the c2wts service was unavailable");
                    return;
                }
                catch (FaultException e)
                {
                    // The service accepted the call but the logon itself failed. This is the case
                    // to examine for Active Directory problems; the fault text may name the error.
                    Console.WriteLine("Could not map the upn claim to a valid windows identity because the c2wts service returned a fault");
                    Console.WriteLine(e.ToString());
                    return;
                }
                catch (Exception e)
                {
                    Console.WriteLine("Could not map the upn claim to a valid windows identity because of an unexpected exception");
                    Console.WriteLine(e.ToString());
                    return;
                }
            }
            else
            {
                throw new Exception("No UPN claim found");
            }

            // Impersonate to prove the token is usable, then print the name Windows assigned to it.
            // The using block reverts the impersonation when it ends.
            using (WindowsImpersonationContext ctxt = windowsIdentity.Impersonate())
            {
                Console.WriteLine("Successfully acquired token and impersonated user: '{0}'", WindowsIdentity.GetCurrent().Name);
            }

        }
    }
}

HTH
Lee

