Comments on: Testing the Claims To Windows Token Service for different identities http://powerpivotgeek.com/2010/05/21/testing-the-claims-to-windows-token-service-for-different-identities/ An adventure in managed self-service computing Sun, 22 Jan 2012 01:58:55 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Lee http://powerpivotgeek.com/2010/05/21/testing-the-claims-to-windows-token-service-for-different-identities/comment-page-1/#comment-6362 Lee Fri, 16 Sep 2011 21:31:06 +0000 http://powerpivotgeek.com/2010/05/21/testing-the-claims-to-windows-token-service-for-different-identities/#comment-6362 Very delayed response, but it seems that Rupak was compiling using .Net 4.0. Since SharePoint uses .Net 3.5, you should compile this code against .Net 3.5 to most accurately simulate SharePoint environment. So change the project settings when building this to make sure you are using .Net 3.5 Thanks Lee Very delayed response, but it seems that Rupak was compiling using .Net 4.0. Since SharePoint uses .Net 3.5, you should compile this code against .Net 3.5 to most accurately simulate SharePoint environment. So change the project settings when building this to make sure you are using .Net 3.5

Thanks
Lee

]]> By: Excel Services Delegation Tips to Configure Page and Slicer Refresh with Power Pivot « Jimblog http://powerpivotgeek.com/2010/05/21/testing-the-claims-to-windows-token-service-for-different-identities/comment-page-1/#comment-3902 Excel Services Delegation Tips to Configure Page and Slicer Refresh with Power Pivot « Jimblog Wed, 02 Feb 2011 18:56:07 +0000 http://powerpivotgeek.com/2010/05/21/testing-the-claims-to-windows-token-service-for-different-identities/#comment-3902 [...] feel very confident that it is not #1), you can try running the test application we have posted here to manually test your ability to acquire a Windows Identity.   UPDATE: Okay we have [...] [...] feel very confident that it is not #1), you can try running the test application we have posted here to manually test your ability to acquire a Windows Identity.   UPDATE: Okay we have [...]

]]> By: Rupak http://powerpivotgeek.com/2010/05/21/testing-the-claims-to-windows-token-service-for-different-identities/comment-page-1/#comment-3571 Rupak Wed, 12 Jan 2011 12:52:48 +0000 http://powerpivotgeek.com/2010/05/21/testing-the-claims-to-windows-token-service-for-different-identities/#comment-3571 Hi Lee, code snippet given by you above does not compile on my laptop. VS2010 tells The name "'S4UClient' does not exist in the current context". I am on Windows Server 2008 R2 x64. looking at the namespace of WindowsTokenService it looks like 'S4UClient' class evolved to 'IS4UService' interface and UpnLogon() takes one more argument as pid. Can you please suggest me how to get the test app working? thanks, Rupak. Hi Lee, code snippet given by you above does not compile on my laptop.
VS2010 tells The name “‘S4UClient’ does not exist in the current context”. I am on Windows Server 2008 R2 x64.
looking at the namespace of WindowsTokenService it looks like ‘S4UClient’ class evolved to ‘IS4UService’ interface and UpnLogon() takes one more argument as pid.

Can you please suggest me how to get the test app working?

thanks,
Rupak.

]]> By: Lee http://powerpivotgeek.com/2010/05/21/testing-the-claims-to-windows-token-service-for-different-identities/comment-page-1/#comment-3545 Lee Tue, 11 Jan 2011 03:23:56 +0000 http://powerpivotgeek.com/2010/05/21/testing-the-claims-to-windows-token-service-for-different-identities/#comment-3545 Hi Markus, Are you able to get it to work with any account? Did you make sure you ran the test as the same account as ECS runs as? Did you try a super user? Let me know. Hi Markus,
Are you able to get it to work with any account? Did you make sure you ran the test as the same account as ECS runs as? Did you try a super user? Let me know.

]]> By: Markus Schmidt http://powerpivotgeek.com/2010/05/21/testing-the-claims-to-windows-token-service-for-different-identities/comment-page-1/#comment-3502 Markus Schmidt Thu, 06 Jan 2011 00:00:06 +0000 http://powerpivotgeek.com/2010/05/21/testing-the-claims-to-windows-token-service-for-different-identities/#comment-3502 Hi Lee, thanx for the code. I tried it here in our AD and get the error message stated below. Do you think this is an AD issue? Thanx in advance Markus PS C:\> .\C2WTSTest.exe marsch@corp Attempting to acquire windows identity for upn: 'marsch@corp' Could not map the upn claim to a valid windows identity because the c2wts servic e returned a fault System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: WTS00 03: The caller is not authorized to access the service. (Fault Detail is equal t o An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, who se value is: System.UnauthorizedAccessException: WTS0003: The caller is not authorized to acc ess the service. at Microsoft.IdentityModel.WindowsTokenService.CallerSecurity.CheckCaller(Win dowsIdentity callerIdentity) at Microsoft.IdentityModel.WindowsTokenService.S4UServiceContract.PerformLogo n(Func`1 logonOperation, Int32 pid) at SyncInvokeUpnLogon(Object , Object[] , Object[] ) at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, O bject[] inputs, Object[]& outputs) at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(Messag eRpc& rpc) at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(Me ssageRpc& rpc) at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(M essageRpc& rpc) at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationConte xtSet)). PS C:\> Hi Lee,

thanx for the code. I tried it here in our AD and get the error message stated below. Do you think this is an AD issue?

Thanx in advance
Markus

PS C:\> .\C2WTSTest.exe marsch@corp
Attempting to acquire windows identity for upn: ‘marsch@corp’
Could not map the upn claim to a valid windows identity because the c2wts servic
e returned a fault
System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: WTS00
03: The caller is not authorized to access the service. (Fault Detail is equal t
o An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, who
se value is:
System.UnauthorizedAccessException: WTS0003: The caller is not authorized to acc
ess the service.
at Microsoft.IdentityModel.WindowsTokenService.CallerSecurity.CheckCaller(Win
dowsIdentity callerIdentity)
at Microsoft.IdentityModel.WindowsTokenService.S4UServiceContract.PerformLogo
n(Func`1 logonOperation, Int32 pid)
at SyncInvokeUpnLogon(Object , Object[] , Object[] )
at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, O
bject[] inputs, Object[]& outputs)
at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(Messag
eRpc& rpc)
at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(Me
ssageRpc& rpc)
at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(M
essageRpc& rpc)
at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationConte
xtSet)).
PS C:\>

]]> By: powerpivotgeek http://powerpivotgeek.com/2010/05/21/testing-the-claims-to-windows-token-service-for-different-identities/comment-page-1/#comment-1675 powerpivotgeek Wed, 18 Aug 2010 03:32:56 +0000 http://powerpivotgeek.com/2010/05/21/testing-the-claims-to-windows-token-service-for-different-identities/#comment-1675 More AD issues are discussed here: http://dennyglee.com/2010/04/08/user-credentials-could-not-be-delegated-and-active-directory/ Enjoy! More AD issues are discussed here:
http://dennyglee.com/2010/04/08/user-credentials-could-not-be-delegated-and-active-directory/

Enjoy!

]]> By: Heath Hopkins http://powerpivotgeek.com/2010/05/21/testing-the-claims-to-windows-token-service-for-different-identities/comment-page-1/#comment-1578 Heath Hopkins Wed, 28 Jul 2010 19:14:39 +0000 http://powerpivotgeek.com/2010/05/21/testing-the-claims-to-windows-token-service-for-different-identities/#comment-1578 Thanks, Lee. This saved a ton of troubleshooting time. Thanks, Lee. This saved a ton of troubleshooting time.

]]> By: Lee http://powerpivotgeek.com/2010/05/21/testing-the-claims-to-windows-token-service-for-different-identities/comment-page-1/#comment-1558 Lee Thu, 22 Jul 2010 20:52:22 +0000 http://powerpivotgeek.com/2010/05/21/testing-the-claims-to-windows-token-service-for-different-identities/#comment-1558 Vincent, If you are getting this error for all "normal" domain accounts but it does work for "power user" accounts, then it appears you have an issue with your AD configuration. I am not really an AD expert unfortunately. Denny has a good writeup on a case where he hit this issue and used the above code and what they found to be the problem and how they resolved it (http://dennyglee.com/2010/04/08/user-credentials-could-not-be-delegated-and-active-directory/). Perhaps that will give you some pointers. You will need, though, in the end to do some experimentation / investigation with your AD configuration. Let me know if I can help anymore and please post here when you find the result to help others. Thanks Lee Vincent,
If you are getting this error for all “normal” domain accounts but it does work for “power user” accounts, then it appears you have an issue with your AD configuration. I am not really an AD expert unfortunately. Denny has a good writeup on a case where he hit this issue and used the above code and what they found to be the problem and how they resolved it (http://dennyglee.com/2010/04/08/user-credentials-could-not-be-delegated-and-active-directory/). Perhaps that will give you some pointers. You will need, though, in the end to do some experimentation / investigation with your AD configuration. Let me know if I can help anymore and please post here when you find the result to help others.

Thanks
Lee

]]> By: Vincent http://powerpivotgeek.com/2010/05/21/testing-the-claims-to-windows-token-service-for-different-identities/comment-page-1/#comment-1556 Vincent Thu, 22 Jul 2010 04:21:18 +0000 http://powerpivotgeek.com/2010/05/21/testing-the-claims-to-windows-token-service-for-different-identities/#comment-1556 I tried this test code. And I get "Could not map the upn claim to a valid windows identity. Security Access Denied". I get this error message for all normal domain accounts. When I try a domain power user account it will success. What should I do next? Thanks! I tried this test code. And I get “Could not map the upn claim to a valid windows identity. Security Access Denied”. I get this error message for all normal domain accounts. When I try a domain power user account it will success. What should I do next? Thanks!

]]> By: The data connection uses Windows Authentication and user credentials could not be delegated « PowerPivotGeek http://powerpivotgeek.com/2010/05/21/testing-the-claims-to-windows-token-service-for-different-identities/comment-page-1/#comment-1138 The data connection uses Windows Authentication and user credentials could not be delegated « PowerPivotGeek Fri, 21 May 2010 15:59:43 +0000 http://powerpivotgeek.com/2010/05/21/testing-the-claims-to-windows-token-service-for-different-identities/#comment-1138 [...] feel very confident that it is not #1), you can try running the test application we have posted here to manually test your ability to acquire a Windows [...] [...] feel very confident that it is not #1), you can try running the test application we have posted here to manually test your ability to acquire a Windows [...]

]]>