How to configure Claim to Windows Token Services in SharePoint 2010 with Kerberos Authentication

Article ID: 2722087

Summary

This article describes common Kerberos configuration issues with the Claims to Windows Token Service (C2WTS) that occur when setting up a SharePoint service application with Kerberos.

More information


The Claims to Windows Token Service (C2WTS) is a component of the Windows Identity Foundation (WIF) that converts a user's claims token into a Windows token. Excel Services uses the C2WTS to convert the user's claims token into a Windows token when the service needs to delegate credentials to a back-end system that uses Integrated Windows authentication. WIF is deployed with SharePoint Server 2010, and the C2WTS can be started from Central Administration.

Each SharePoint service application must run the C2WTS locally. The C2WTS does not open any ports and cannot be accessed by a remote caller. Further, the C2WTS service configuration file must be configured to specifically trust the local calling client identity. 

As a best practice you should run the C2WTS under a dedicated service account rather than as Local System (the default configuration). Local System will work, however, if you configure Kerberos constrained delegation on the machine account. The C2WTS service account requires special local permissions on each server the service runs on, so be sure to configure these permissions on every server where the service is started. Ideally, configure the service account's permissions on the local server before starting the C2WTS; if you do it afterwards, restart the C2WTS from the Windows services management console (services.msc).

To start the C2WTS using a domain account

1. Create a service account in Active Directory to run the service under. In this example, we have created 'vmlab\svcC2WTS'. 

2. Add an arbitrary Service Principal Name (SPN) to the service account to expose the delegation options for this account in Active Directory Users and Computers. The SPN can have any format because clients do not authenticate to the C2WTS with Kerberos. It is recommended not to use an HTTP SPN, to avoid potentially creating duplicate SPNs in your environment. In our example we registered 'SP/C2WTS' to 'vmlab\svcC2WTS' with the following command (the -S switch checks that the SPN is not already registered elsewhere before adding it):


SetSPN -S SP/C2WTS vmlab\svcC2WTS

3. Configure Kerberos constrained delegation on the C2WTS service account. In this scenario we will delegate credentials to the SQL service running with the 'MSSQLSVC/MySqlCluster.vmlab.local:1433' service principal name.

Key configuration options on the Delegation tab are the following:

a) Select "Trust this user for delegation to specified services only"

b) Select "Use any authentication protocol"




Note:
In the example above we added delegation to a SQL Server SPN, but it could be set to any SPN. The C2WTS does not delegate any identity to SQL; it only obtains a Windows identity from a UPN. The C2WTS needs to be able to create a token that can be delegated, which means its account must have the UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION bit set. To get that bit set, the C2WTS identity must have constrained delegation with protocol transition enabled, but the delegation target can be any SPN (even a dummy one).


4. Next, configure the local server permissions that the C2WTS requires. You need to configure these permissions on each server the C2WTS runs on. In our example this is VMSP10APP01. Log on to the server and give the C2WTS service account the following permissions:

a) Add the service account to the local Administrators group.

b) In Local Security Policy (secpol.msc), under User Rights Assignment, grant the service account the following rights:

   i. Act as part of the operating system
   ii. Impersonate a client after authentication
   iii. Log on as a service

5.     Open Central Administration.

6. Under Security -> Configure Managed Service Accounts, register the C2WTS service account as a managed account.



7. Under Services, select Manage services on server.



8. In the server selection box in the upper right-hand corner, select the server(s) running SharePoint service applications. In this example it is VMSP10APP01:



9.     Find the Claims to Windows Token Service and start it:



10.   Go to Security -> Manage Service Accounts page in Central administration. Change the identity of the C2WTS to the new managed account.



Note:
If the C2WTS was already running before you configured the dedicated service account, or if you need to change the permissions of the service account after the C2WTS is running, you must restart the C2WTS from the services console.


In addition, if you experience issues with the C2WTS after restarting the service it may also be required to reset the IIS application pools that communicate with the C2WTS.


To start the C2WTS using Local System

1. If the C2WTS runs as Local System, the account in Active Directory is the machine account.

2. Add an arbitrary Service Principal Name (SPN) to the machine account to expose the delegation options for this account in Active Directory Users and Computers. The SPN can have any format because clients do not authenticate to the C2WTS with Kerberos. It is recommended not to use an HTTP SPN, to avoid potentially creating duplicate SPNs in your environment. In our example we registered SP/C2WTS to the machine account vmlab\VMSP10APP01$ (used by Local System) with the following command:

SetSPN -S SP/C2WTS vmlab\VMSP10APP01$

3. Configure Kerberos constrained delegation on the C2WTS service account or machine account. In this scenario we will delegate credentials to the SQL service running with the MSSQLSVC/MySqlCluster.vmlab.local:1433 service principal name.

Key configuration options on the delegation tab are the following:

a) Select "Trust this user for delegation to specified services only"
b) Select "Use any authentication protocol"





4. Under Services, select Manage services on server.

5. In the server selection box in the upper right-hand corner, select the server(s) running SharePoint service applications. In this example it is VMSP10APP01.

6. Find the Claims to Windows Token Service and start it.

7. Go to Security -> Manage Service Accounts page in Central Administration. Change the identity of the C2WTS to the new managed account.

Note:
If the C2WTS was already running before you configured the dedicated service account, or if you need to change the permissions of the service account after the C2WTS is running, you must restart the C2WTS from the services console.

In addition, if you experience issues with the C2WTS after restarting the service it may also be required to reset the IIS application pools that communicate with the C2WTS.
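The following PowerShell script is an added example; it is not part of the KB article and not Microsoft's code. It checks the Active Directory and local-server prerequisites that both procedures above set up (the registered SPN, the constrained delegation target, the UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION bit, and for a domain account the step 4 local Administrators membership and user rights), and it works for either a domain service account or the machine account used by Local System. The account, SPN and delegation target default to the article's sample values, which are assumptions to replace with your own; the RSAT ActiveDirectory module and an elevated prompt on the SharePoint application server are also assumed.

```powershell
# Added example, not part of the KB article: verify the C2WTS identity
# prerequisites from the two procedures above. Works for a domain service
# account (DOMAIN\name) or the machine account used by Local System
# (DOMAIN\HOST$). Defaults are the article's sample values (assumptions).
# Requires the RSAT ActiveDirectory module; run elevated on the SharePoint
# application server, because secedit needs administrator rights.
param(
    [string]$Account = 'vmlab\svcC2WTS',     # 'vmlab\VMSP10APP01$' for Local System
    [string]$Spn     = 'SP/C2WTS',
    [string]$Target  = 'MSSQLSVC/MySqlCluster.vmlab.local:1433'
)
Import-Module ActiveDirectory

# userAccountControl bits (values from the AD schema documentation)
$UF_TRUSTED_FOR_DELEGATION                 = 0x80000    # unconstrained; should stay clear
$UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol"

$sam   = $Account.Split('\')[-1]
$props = 'servicePrincipalName', 'msDS-AllowedToDelegateTo', 'userAccountControl'
# Machine accounts end in '$' and are computer objects, not users
$obj = if ($sam.EndsWith('$')) { Get-ADComputer -Identity $sam -Properties $props }
       else                    { Get-ADUser     -Identity $sam -Properties $props }
$uac = [int]$obj.userAccountControl

$results = [ordered]@{
    "SPN '$Spn' registered on $Account"       = [bool]($obj.servicePrincipalName -contains $Spn)
    "Constrained delegation to '$Target'"     = [bool]($obj.'msDS-AllowedToDelegateTo' -contains $Target)
    'Protocol transition (T2A4D bit) enabled' = (($uac -band $UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION) -ne 0)
    'Unconstrained delegation NOT enabled'    = (($uac -band $UF_TRUSTED_FOR_DELEGATION) -eq 0)
}

if (-not $sam.EndsWith('$')) {
    # Step 4a: local Administrators membership (net localgroup prints one member per line)
    $members = net localgroup Administrators | ForEach-Object { $_.Trim() }
    $results['Member of local Administrators'] = [bool]($members -contains $Account)

    # Step 4b: user rights. secedit exports SIDs prefixed with '*'; a right
    # counts as granted if assigned to the account or to BUILTIN\Administrators.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $cfg = Join-Path $env:TEMP 'c2wts-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $inf = Get-Content -Path $cfg
    $rights = [ordered]@{
        'SeTcbPrivilege'         = 'Act as part of the operating system'
        'SeImpersonatePrivilege' = 'Impersonate a client after authentication'
        'SeServiceLogonRight'    = 'Log on as a service'
    }
    foreach ($r in $rights.Keys) {
        $line      = ($inf | Where-Object { $_ -like "$r = *" }) -join ''
        $direct    = $line.Contains("*$sid")
        $viaAdmins = $line.Contains('*S-1-5-32-544')
        $results["$($rights[$r]) ($r)"] = ($direct -or $viaAdmins)
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

$results.GetEnumerator() | ForEach-Object {
    '{0,-4} {1}' -f $(if ($_.Value) { 'OK' } else { 'FAIL' }), $_.Key
}
if ($results.Values -contains $false) {
    Write-Warning 'Fix the FAIL items, restart the C2WTS (Restart-Service c2wts) and recycle the IIS application pools that call it.'
}
```

The unconstrained-delegation check is there because "Trust this user for delegation to any service" also sets a delegation-capable token but grants far more than the C2WTS needs; the constrained, protocol-transition setting the article describes is the one to keep. For a machine account the local-rights section is skipped, since Local System already holds those rights.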


Add startup dependencies to the WIF C2WTS service

There is a known issue with the C2WTS where it may not automatically startup successfully on system reboot. A workaround to the issue is to configure a service dependency on the Cryptographic Services service:


1. Open the Command Prompt window.

2. Type: sc config "c2wts" depend= CryptSvc




3. Find the Claims to Windows Token Service in the services console.

4. Open the properties for the service.



5. Check the Dependencies tab. Make sure Cryptographic Services is listed.



6. Click OK.
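As an added example (not part of the KB article), the PowerShell below performs the same dependency change from an elevated prompt and verifies it without opening the services console. It also covers a caveat the manual command has: `sc config ... depend=` replaces the whole dependency list, so the script reads any existing entries first and appends CryptSvc to them. The service name c2wts is the one the article uses.

```powershell
# Added example, not part of the KB article: add the CryptSvc startup
# dependency to the C2WTS and verify it, keeping any dependencies the
# service already has ('sc config depend=' overwrites the entire list).
# Run from an elevated PowerShell prompt on the SharePoint server.
$svcName = 'c2wts'
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"

# Current dependencies as stored by the SCM (service names and '+group' entries)
$existing = @((Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).DependOnService |
              Where-Object { $_ })
$wanted = @($existing + 'CryptSvc' | Select-Object -Unique)

# sc.exe wants the list joined with '/' and a space after 'depend='
$out = sc.exe config $svcName depend= ($wanted -join '/')
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed: $out" }

# Verify through the service control manager, which is what the
# Dependencies tab in the services console shows
$after = (Get-Service -Name $svcName).ServicesDependedOn | Select-Object -ExpandProperty Name
if ($after -contains 'CryptSvc') {
    "OK: $svcName now depends on: $($after -join ', ')"
} else {
    Write-Warning "CryptSvc is not listed as a dependency of $svcName; inspect '$regPath' (DependOnService)."
}
```

After the dependency is in place the change takes effect on the next start of the service, so restart the C2WTS (and, if the calling web applications misbehave afterwards, recycle their IIS application pools as the article notes).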

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2722087 - Last Review: September 17, 2012 - Revision: 4.0
Applies to
  • Microsoft SharePoint Foundation 2010
  • Microsoft SharePoint Server 2010
Keywords: KB2722087
