How to configure Claims to Windows Token Service in SharePoint 2010 with Kerberos Authentication
Article ID: 2722087

Summary
This article describes some common Kerberos configuration issues with the Claims to Windows Token Service (C2WTS) that occur when setting up a SharePoint service application with Kerberos.

More information
The Claims to Windows Token Service (C2WTS) is a component of the Windows Identity Foundation (WIF) that is responsible for converting user claim tokens to Windows tokens. Excel Services uses the C2WTS to convert the user's claims token into a Windows token when the service needs to delegate credentials to a back-end system that uses Integrated Windows authentication. WIF is deployed with SharePoint Server 2010, and the C2WTS can be started from Central Administration.

Each SharePoint service application must run the C2WTS locally. The C2WTS does not open any ports and cannot be accessed by a remote caller. Further, the C2WTS service configuration file must be configured to specifically trust the local calling client identity.

As a best practice you should run the C2WTS using a dedicated service account and not as Local System (the default configuration). Local System will work, however, if you configure the Kerberos constrained delegation to use the machine account. The C2WTS service account requires special local permissions on each server the service runs on, so be sure to configure these permissions each time the service is started on a server. Optimally you should configure the service account's permissions on the local server before starting the C2WTS, but if this is done after the fact you can restart the C2WTS from the Windows services management console (services.msc).

To start the C2WTS using a Domain Account
1. Create a service account in Active Directory to run the service under. In this example, we have created 'vmlab\svcC2WTS'.
2. Add an arbitrary Service Principal Name (SPN) to the service account to expose the delegation options for this account in Active Directory Users and Computers. The SPN can be any format because we do not authenticate to the C2WTS using Kerberos authentication. It is recommended not to use an HTTP SPN, to avoid potentially creating duplicate SPNs in your environment. In our example, we have registered 'SP/C2WTS' to 'vmlab\svcC2WTS' from the command line.
3. Configure Kerberos constrained delegation on the C2WTS service account. In this scenario we will delegate credentials to the SQL service running with the 'MSSQLSVC/MySqlCluster.vmlab.local:1433' service principal name. Key configuration options on the Delegation tab are the following:
   a) Select "Trust this user for delegation to specified services only"
   b) Select "Use any authentication protocol"
4. Next, configure the local server permissions that the C2WTS requires. You will need to configure these permissions on each server the C2WTS runs on. In our example this is VMSP10APP01. Log on to the server and give the C2WTS service account the following permissions:
   a) Add the service account to the local Administrators group.
   b) In Local Security Policy (secpol.msc), under User Rights Assignment, give the service account the following rights:
      i. Act as part of the operating system
      ii. Impersonate a client after authentication
      iii. Log on as a service
5. Open Central Administration.
6. Under Security -> Configure Managed Service Accounts, register the C2WTS service account as a managed account.
7. Under Services, select Manage services on server.
8. In the server selection box in the upper right-hand corner, select the server(s) running the SharePoint service application. In this example it is VMSP10APP01.
9. Find the Claims to Windows Token Service and start it.
10. Go to the Security -> Manage Service Accounts page in Central Administration. Change the identity of the C2WTS to the new managed account.
In addition, if you experience issues with the C2WTS after restarting the service, it may also be required to reset the IIS application pools that communicate with the C2WTS.

To start the C2WTS using Local System
1. If the C2WTS service account is Local System, then the account in Active Directory will be the machine account.
2. Add an arbitrary Service Principal Name (SPN) to the machine account to expose the delegation options for this account in Active Directory Users and Computers. The SPN can be any format because we do not authenticate to the C2WTS using Kerberos authentication. It is recommended not to use an HTTP SPN, to avoid potentially creating duplicate SPNs in your environment. In our example, we registered SP/C2WTS to vmlab\VMSP10APP01$ for the Local System account from the command line.
3. Configure Kerberos constrained delegation on the C2WTS service account or machine account. In this scenario we will delegate credentials to the SQL service running with the MSSQLSVC/MySqlCluster.vmlab.local:1433 service principal name. Key configuration options on the Delegation tab are the following:
   a) Select "Trust this user for delegation to specified services only"
   b) Select "Use any authentication protocol"
4. Under Services, select Manage services on server.
5. In the server selection box in the upper right-hand corner, select the server(s) running the SharePoint service application. In this example it is VMSP10APP01.
6. Find the Claims to Windows Token Service and start it.
7. Go to the Security -> Manage Service Accounts page in Central Administration. Change the identity of the C2WTS to the new managed account.
In addition, if you experience issues with the C2WTS after restarting the service, it may also be required to reset the IIS application pools that communicate with the C2WTS.

Add startup dependencies to the WIF C2WTS service
There is a known issue with the C2WTS where it may not start up successfully on system reboot. A workaround to the issue is to configure a service dependency on the Cryptographic Services service:
1. Open the Command Prompt window.
2. Type: sc config "c2wts" depend= CryptSvc
3. Find the Claims to Windows Token Service in the services console.
4. Open the properties for the service.
5. Check the Dependencies tab. Make sure Cryptographic Services is listed.
6. Click OK.

Note: This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use (http://go.microsoft.com/fwlink/?LinkId=151500) for other considerations.

Article ID: 2722087 - Last Review: September 17, 2012 - Revision: 4.0
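The following PowerShell script is an added verification aid, not part of this KB article, that checks what the two start-up procedures and the startup-dependency section above configure: the arbitrary SPN and the constrained delegation settings on the service (or machine) account, the local c2wts service's logon account, state and CryptSvc dependency, and that the WIF configuration file lists allowed callers. It assumes the ActiveDirectory PowerShell module (RSAT) is installed on the server and uses the article's example names as defaults; the c2wtshost.exe.config path is the standard WIF 3.5 location and is an assumption.

```powershell
# Added check script; not part of KB 2722087. Defaults are the article's example values.
# Assumes an elevated PowerShell on the SharePoint application server with the ActiveDirectory module (RSAT).
param(
    [string]$ServiceAccount = 'svcC2WTS',   # use 'VMSP10APP01$' (the machine account) for Local System
    [string]$ExpectedSpn    = 'SP/C2WTS',
    [string]$TargetSpn      = 'MSSQLSVC/MySqlCluster.vmlab.local:1433',
    # Standard WIF 3.5 location of the C2WTS host config file (assumed; adjust if WIF is installed elsewhere)
    [string]$C2wtsConfig    = 'C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config'
)
Import-Module ActiveDirectory
$findings = @()

# --- Active Directory: arbitrary SPN and constrained delegation on the account ---
# Get-ADObject finds both a user account and a computer account (sAMAccountName ending in '$').
$acct = Get-ADObject -LDAPFilter "(sAMAccountName=$ServiceAccount)" `
            -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', userAccountControl
if (-not $acct) {
    $findings += "AD account '$ServiceAccount' not found"
} else {
    if ($acct.servicePrincipalName -notcontains $ExpectedSpn) {
        $findings += "SPN '$ExpectedSpn' not registered on '$ServiceAccount' (Delegation tab stays hidden)"
    }
    if ($acct.'msDS-AllowedToDelegateTo' -notcontains $TargetSpn) {
        $findings += "'$TargetSpn' is not in the 'delegation to specified services only' list"
    }
    # 0x1000000 = TRUSTED_TO_AUTH_FOR_DELEGATION, the bit set by 'Use any authentication protocol'
    if (($acct.userAccountControl -band 0x1000000) -eq 0) {
        $findings += "'Use any authentication protocol' (protocol transition) is not enabled"
    }
}

# --- Local service: logon account, state and the CryptSvc startup dependency ---
$svc = Get-WmiObject Win32_Service -Filter "Name='c2wts'"
if (-not $svc) {
    $findings += "c2wts service is not installed on this server"
} else {
    $expectedLogon = if ($ServiceAccount.EndsWith('$')) { 'LocalSystem' } else { $ServiceAccount }
    if ($svc.StartName -notlike "*$expectedLogon") { $findings += "c2wts runs as '$($svc.StartName)', expected '$expectedLogon'" }
    if ($svc.State -ne 'Running') { $findings += "c2wts is $($svc.State), not Running" }
    $deps = @((Get-Service -Name c2wts).ServicesDependedOn | ForEach-Object { $_.Name })
    if ($deps -notcontains 'CryptSvc') { $findings += "c2wts has no dependency on CryptSvc (may not start after a reboot)" }
}

# --- WIF config: the C2WTS must explicitly trust its local callers (allowedCallers) ---
if (Test-Path $C2wtsConfig) {
    [xml]$cfg = Get-Content $C2wtsConfig
    if (@($cfg.SelectNodes('//allowedCallers/add')).Count -eq 0) { $findings += "No allowedCallers entries in $C2wtsConfig" }
} else { $findings += "C2WTS config file not found at $C2wtsConfig" }

if ($findings.Count -eq 0) { 'C2WTS Kerberos prerequisites look correct on this server.' } else { $findings | ForEach-Object { "MISSING: $_" } }
```

Run it on each server the C2WTS runs on. Note that `sc config "c2wts" depend= CryptSvc` replaces the service's whole dependency list rather than appending to it, so re-check the Dependencies tab if the service had other dependencies before.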