<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>PowerPivotGeek &#187; Security</title>
	<atom:link href="http://powerpivotgeek.com/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://powerpivotgeek.com</link>
	<description>An adventure in managed self-service computing</description>
	<lastBuildDate>Wed, 14 Jul 2010 04:51:53 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Testing the Claims To Windows Token Service for different identities</title>
		<link>http://powerpivotgeek.com/2010/05/21/testing-the-claims-to-windows-token-service-for-different-identities/</link>
		<comments>http://powerpivotgeek.com/2010/05/21/testing-the-claims-to-windows-token-service-for-different-identities/#comments</comments>
		<pubDate>Fri, 21 May 2010 15:54:00 +0000</pubDate>
		<dc:creator>powerpivotwahoo</dc:creator>
				<category><![CDATA[Midtier]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SharePoint]]></category>

		<guid isPermaLink="false">http://powerpivotgeek.com/2010/05/21/testing-the-claims-to-windows-token-service-for-different-identities/</guid>
		<description><![CDATA[<p>As noted in a previous blog post on debugging “The data connection uses windows authentication and user credentials could not be delegated” there are times (very rare times) when the issue is a problem with your Active Directory configuration. I want to reiterate that this is rare and it is usually something as simple as [...]]]></description>
			<content:encoded><![CDATA[<p>As noted in a previous blog post on debugging <a href="the-data-connection-uses-windows-authentication-and-user-credentials-could-not-be-delegated" target="_blank">“The data connection uses windows authentication and user credentials could not be delegated”</a> there are times (very rare times) when the issue is a problem with your Active Directory configuration. I want to reiterate that this is rare and it is usually something as simple as the c2wts service is not running. However, we have now seen two cases of “mis-configured” Active Directories which have led to this problem. It can manifest itself as either you always get this error or you get this error for all users except a couple. To test and see if it is a problem with your Active Directory settings, I am including some code for you to compile and run. At a very low level in Excel Calculation Services, they take the User Principal Name of the interactive user and attempt to convert it to a WindowsIdentity token using c2wts. The code below attempts to do the exact same thing and then just checks for errors and tries to give you some useful information about it (it is derived from <a href="http://msdn.microsoft.com/en-us/library/ee517258.aspx" target="_blank">this</a>). If you compile this application and test the interactive users by attempting to get their WindowsIdentity token and it succeeds for them, then the issue was one of the ones listed earlier in the post on data connection delegation issues. If acquiring the token fails, then you most likely have an AD issue. Dave, Denny and I will try to keep adding information about what the possible configuration errors could be, but here is some code so you can test this on your own and perhaps resolve the whole problem without having to call CSS.</p>
<p><span id="more-1112"></span>Make sure to run this executable as the service account under which Excel Calculation Service is running. If you are not sure what account that is, first go to Central Admin’s “Security” page:</p>
<p><a href="http://powerpivotgeek.com/wp-content/uploads/2010/05/CentralAdmin_Security.png"><img style="border-width: 0px;" src="http://powerpivotgeek.com/wp-content/uploads/2010/05/CentralAdmin_Security_thumb.png" border="0" alt="CentralAdmin_Security" width="644" height="264" /></a></p>
<p>Then under “General Security” choose “Configure Service Accounts”:</p>
<p><a href="http://powerpivotgeek.com/wp-content/uploads/2010/05/CentralAdmin_ManageServiceAccounts.png"><img style="border-width: 0px;" src="http://powerpivotgeek.com/wp-content/uploads/2010/05/CentralAdmin_ManageServiceAccounts_thumb.png" border="0" alt="CentralAdmin_ManageServiceAccounts" width="1028" height="307" /></a></p>
<p>In the drop down list on the right side you are looking for a “Service Application Pool” which contains your “Excel Services Application Web Service Application” (in the middle list). The account at the bottom would be the account you want to make sure you run the test application as to accurately simulate what ECS is doing when you are actually using SharePoint. Using the wrong account might give misleading results.</p>
<p>You must provide the User Principal Name (UPN) of the interactive user to the test application. All users have an implicit UPN which can be expressed as &lt;user&gt;@&lt;domain&gt; (I would be “leegr@redmond”). You may also have been given an explicit UPN which might look slightly different (although the implicit UPN would still work). If you are concerned that you are not using the right UPN, you can dig through the ULS log to find the UPN associated with the failure. This is the log entry that I got when I turned the c2wts service off:</p>
<blockquote><p>SPSecurityContext.WindowsIdentity: Could not retrieve a valid windows identity for NTName=&#8217;REDMOND\leegr&#8217;, UPN=&#8217;leegr@microsoft.com&#8217;. UPN is required when Kerberos constrained delegation is used.</p></blockquote>
<p>Note that the bit about &#8220;Kerberos” can be ignored because we do not require Kerberos constrained delegation to work (and neither does c2wts … it just returns a limited token in this case which is fine for us). Also, your log entry might look a bit different since I don’t know if they output different things to the log based on the exception type at this level.</p>
<p>To compile this code, you need to link to:</p>
<ul>
<li>Microsoft.IdentityModel</li>
<li>System</li>
<li>System.Core</li>
<li>System.IdentityModel</li>
<li>System.ServiceModel</li>
</ul>
<pre>using System;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.WindowsTokenService;

namespace C2WTSTest
{
    class Program
    {
        static void OutputUsage()
        {
            Console.WriteLine("Usage:");
            Console.WriteLine("\tc2wtstest.exe &lt;upn&gt;");
            Console.WriteLine("\tExample: c2wtstest.exe dwickert@redmond");
        }

        static void Main(string[] args)
        {
            // Print usage when no UPN was supplied or help was requested.
            if ((args.Length != 1) || (string.Compare(args[0], "/?") == 0) || (string.Compare(args[0], "-?") == 0) || (string.Compare(args[0], "?") == 0))
            {
                OutputUsage();
                return;
            }

            string upn = args[0];

            WindowsIdentity windowsIdentity = null;
            if (!String.IsNullOrEmpty(upn))
            {
                try
                {
                    // This is the same call Excel Calculation Services makes:
                    // ask c2wts to turn the UPN into a Windows token via S4U.
                    Console.WriteLine("Attempting to acquire windows identity for upn: '{0}'", upn);
                    windowsIdentity = S4UClient.UpnLogon(upn);
                }
                catch (SecurityAccessDeniedException)
                {
                    // The calling account is not allowed to use c2wts.
                    Console.WriteLine("Could not map the upn claim to a valid windows identity. Security Access Denied");
                    return;
                }
                catch (EndpointNotFoundException)
                {
                    // The c2wts service is not running (the most common cause).
                    Console.WriteLine("Could not map the upn claim to a valid windows identity because the c2wts service was unavailable");
                    return;
                }
                catch (FaultException e)
                {
                    // c2wts ran but the S4U logon itself failed; the fault carries the detail.
                    Console.WriteLine("Could not map the upn claim to a valid windows identity because the c2wts service returned a fault");
                    Console.WriteLine(e.ToString());
                    return;
                }
                catch (Exception e)
                {
                    Console.WriteLine("Could not map the upn claim to a valid windows identity because of an unexpected exception");
                    Console.WriteLine(e.ToString());
                    return;
                }
            }
            else
            {
                throw new Exception("No UPN claim found");
            }

            // Impersonate the acquired token on this thread, as ECS does before calling the data provider.
            using (WindowsImpersonationContext ctxt = windowsIdentity.Impersonate())
            {
                Console.WriteLine("Successfully acquired token and impersonated user: '{0}'", WindowsIdentity.GetCurrent().Name);
            }
        }
    }
}</pre>
<p>HTH<br />
Lee</p>
]]></content:encoded>
			<wfw:commentRss>http://powerpivotgeek.com/2010/05/21/testing-the-claims-to-windows-token-service-for-different-identities/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>The data connection uses Windows Authentication and user credentials could not be delegated</title>
		<link>http://powerpivotgeek.com/2010/02/08/the-data-connection-uses-windows-authentication-and-user-credentials-could-not-be-delegated/</link>
		<comments>http://powerpivotgeek.com/2010/02/08/the-data-connection-uses-windows-authentication-and-user-credentials-could-not-be-delegated/#comments</comments>
		<pubDate>Tue, 09 Feb 2010 00:30:15 +0000</pubDate>
		<dc:creator>powerpivotwahoo</dc:creator>
				<category><![CDATA[Midtier]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SharePoint]]></category>
		<category><![CDATA[Tips and Tricks]]></category>

		<guid isPermaLink="false">http://powerpivotgeek.com/2010/02/08/the-data-connection-uses-windows-authentication-and-user-credentials-could-not-be-delegated/</guid>
		<description><![CDATA[<p>This is one of the two main errors that users could see from Excel Services when using PowerPivot. This is encountered when refreshing PowerPivot data connections or performing an action which requires re-querying the PowerPivot database, such as clicking on a slicer or expanding a node in a pivot table. To debug, some level of [...]]]></description>
			<content:encoded><![CDATA[<p>This is one of the two main errors that users could see from Excel Services when using PowerPivot. This is encountered when refreshing PowerPivot data connections or performing an action which requires re-querying the PowerPivot database, such as clicking on a slicer or expanding a node in a pivot table. To debug, some level of understanding of what Excel Services is doing is required. For this, I recommend reading an earlier post on this blog by Dave … <a title="http://powerpivotgeek.com/2009/12/11/excel-services-delegation/" href="http://powerpivotgeek.com/2009/12/11/excel-services-delegation/">http://powerpivotgeek.com/2009/12/11/excel-services-delegation/</a>. In general, this is an add-on to Dave’s post which is a quick summary of how to debug this error.</p>
<p><span id="more-672"></span><a href="http://powerpivotgeek.com/wp-content/uploads/2010/02/UserCredentialsCouldNotBeDelegated.png"><img style="border-right-width: 0px;border-top-width: 0px;border-bottom-width: 0px;border-left-width: 0px" border="0" alt="UserCredentialsCouldNotBeDelegated" src="http://powerpivotgeek.com/wp-content/uploads/2010/02/UserCredentialsCouldNotBeDelegated_thumb.png" width="244" height="167" /></a></p>
<p>Here is a quick list of most likely causes for this error and how to debug and fix them (in order based on my experience of likelihood to be the root cause):</p>
<ul>
<li><span style="text-decoration: underline">Is the Claims to Windows Token Service started on the server running Excel Calculation Service (ECS)?</span> For detailed information on the Claims to Windows Token Service (c2wts), you can read the <a href="http://msdn.microsoft.com/en-us/library/ee517278.aspx" target="_blank">msdn</a> article. This service is turned on when doing a “New Farm” installation of PowerPivot, but if you do an “Existing Farm” installation, or have Excel Calculation Service (ECS) running on a different machine, the Claims to Windows Token Service might not be started. Check to make sure that this service is running on every server on which ECS is running. You can validate this via the “Services on Server” option in SharePoint’s Central Administration web site, but it is also important to make sure that it is running according to Service Control Manager (SCM, accessed via services.msc). <em>There is a known issue after reboot where c2wts fails to start because of an unexpressed startup dependency on the crypto service. I will add a link to the KB when it is available, but until then you can add the dependency manually from SCM or from an administrative command prompt with “sc.exe config c2wts depend= cryptsvc”. This will prevent the problem from reappearing after your next reboot.</em> As per <a title="http://powerpivotgeek.com/2010/01/18/why-you-shouldnt-stop-start-analysis-services-from-scm-when-running-in-sharepoint-integration-mode/" href="http://powerpivotgeek.com/2010/01/18/why-you-shouldnt-stop-start-analysis-services-from-scm-when-running-in-sharepoint-integration-mode/">http://powerpivotgeek.com/2010/01/18/why-you-shouldnt-stop-start-analysis-services-from-scm-when-running-in-sharepoint-integration-mode/</a>, you should not manage SharePoint services from SCM; however, SCM is the truth when it comes to whether a service is running, so you should always double check by looking at the state in SCM. If SharePoint indicates that the service is started but it is not actually running per SCM, it is safe to start it from SCM (alternatively you could stop and start it from SharePoint Central Administration). As well as simply managing this service, SharePoint configures the security permissions for this service automatically as part of its setup so that all SharePoint Shared Services (which includes ECS) can use it. If you find that the service is stopped on the machine running ECS, start it. After starting this service, you should not need to do any type of IisReset to see the system start working.</li>
<li><span style="text-decoration: underline">Is your machine connected to the network?</span> Dave has written a good blog on this also (<a title="http://powerpivotgeek.com/2009/11/06/taking-your-server-off-the-network/" href="http://powerpivotgeek.com/2009/11/06/taking-your-server-off-the-network/">http://powerpivotgeek.com/2009/11/06/taking-your-server-off-the-network/</a>). If you are actually trying to run a PowerPivot demo with a machine which is not on the network, follow the steps in Dave’s blog to configure ECS to use a set of stored credentials for the PowerPivot datasource. If you are not doing this on purpose, then connect back to the network. </li>
<li>The final cause would be that for some reason other than network connectivity, the Claims to Windows Token Service is not able to convert the SAML claims token to a Windows User security token. Dave provides a lot of details on these potential issues. Some quick questions to ask yourself:
<ul>
<li><span style="text-decoration: underline">Is the client user account (the logged in user who is browsing the workbook in IE) a domain account?</span> If the account is a local machine account, then the Claims to Windows Token service will not be able to retrieve a Windows user security token. We do not support this scenario in V1 of PowerPivot. Interactive users must be domain users. For demo purposes in a bind you might try the workaround Dave provided for taking the server off of the network, but I have not personally tested it in this case. </li>
<li><span style="text-decoration: underline">Is the client user account in a different domain than the SharePoint servers?</span> This is completely supported, but there must be a trust relationship established between the two domains. You can verify whether a missing trust is causing your problems by logging in as a user account in the same domain as the SharePoint servers and trying to interact with the workbooks (note that you must have given that user access to the workbook). If it works for users in the same domain but not for users in other domains, it might be an issue with cross-domain trust. Contact your domain admin to find out how the trust relationships are set up.</li>
<li><span style="text-decoration: underline">What account is the Claims to Windows Token Service running as?</span> By default it is configured to run as Local System, and I am not aware of the reasons for changing this configuration (the msdn article also refers to the fact that it should be running as Local System). While there might be a good reason for trying to change it, it is possible that the person who altered it did not understand the implications of this change. You should probably track down the person who changed it and get an understanding of why. If you have permissions, switch it back to Local System and try the scenario again. If it works, you will need to determine why it was changed in the first place. </li>
<li>If you have gotten this far and none of the above have solved your issue, then there is the possibility that you have some custom AD configuration which is causing the issue. Dave points out one possibility:<br />
<blockquote>
<p>The account being used as the Excel Services service account must have AD rights to be able to query the object. One place where we know this restriction comes into play is if you have configured your domain controller to have a subgroup under “Users”, e.g. “Service Accounts”, which is a separate AD group that derives from “Users” –&gt; but I am sure that there are more. AD rights for service accounts is a common problem across all of SharePoint.</p>
</blockquote>
<p>What Dave describes is one possibility where an AD configuration could cause this issue. As we discover more potential AD configurations that could cause this issue, we will try to update this list. If you are comfortable building your own test application and have gotten this far without figuring it out (and feel very confident that it is not #1), you can try running the test application we have posted <a href="http://powerpivotgeek.com/2010/05/21/testing-the-claims-to-windows-token-service-for-different-identities/" target="_blank">here</a> to manually test your ability to acquire a Windows Identity. </p>
</li>
</ul>
</li>
</ul>
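<p>As an added example, not part of Lee’s post: a read-only PowerShell health check that walks the first and third items above on a server hosting ECS (is c2wts running per SCM, does it have the startup dependency on the crypto service, does it run as Local System) and also flags a local machine account, which c2wts cannot map. It assumes the service name “c2wts” and the dependency name “CryptSvc” from the sc.exe command above; it changes nothing on the machine.</p>

```powershell
# Added example (not from the original post): read-only c2wts health check.
# Assumes the service name 'c2wts' and dependency 'CryptSvc' as in the post's
# "sc.exe config c2wts depend= cryptsvc" command. Run on each ECS server.

$serviceName = 'c2wts'
$findings = @()

# 1. Is the service actually running according to the Service Control Manager?
#    SCM is the truth here, whatever Central Administration shows.
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $findings += "Service '$serviceName' is not installed on this machine."
} else {
    if ($svc.Status -ne 'Running') {
        $findings += "Service '$serviceName' is '$($svc.Status)', not Running. " +
                     "Start it from Central Administration (Services on Server) or from SCM."
    }

    # 2. Does c2wts declare a startup dependency on the crypto service?
    #    Without it the service can fail to start after a reboot.
    #    (-eq on strings is case-insensitive in PowerShell, so 'cryptsvc' matches.)
    $dependsOnCrypto = $svc.ServicesDependedOn | Where-Object { $_.Name -eq 'CryptSvc' }
    if (-not $dependsOnCrypto) {
        $findings += "Service '$serviceName' has no startup dependency on CryptSvc; " +
                     "it may fail to start after the next reboot. " +
                     "Fix: sc.exe config c2wts depend= cryptsvc"
    }

    # 3. Which account does the service run as? The expected value is Local System.
    #    Get-WmiObject is used rather than Get-CimInstance so this also runs on
    #    the Windows PowerShell 2.0 that ships with Windows Server 2008 R2.
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'"
    if ($wmi -and $wmi.StartName -ne 'LocalSystem') {
        $findings += "Service '$serviceName' runs as '$($wmi.StartName)' instead of LocalSystem. " +
                     "Find out who changed it and why before changing it back."
    }
}

# 4. Is the account running this check a domain account? Local machine accounts
#    cannot be mapped by c2wts because the S4U logon needs a domain controller.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$userDomain = ($me.Name -split '\\')[0]
if ($userDomain -eq $env:COMPUTERNAME) {
    $findings += "Current user '$($me.Name)' is a local machine account; " +
                 "c2wts can only map domain users."
}

if ($findings.Count -eq 0) {
    Write-Output "No c2wts configuration problems found on $env:COMPUTERNAME."
} else {
    $findings | ForEach-Object { Write-Output "WARNING: $_" }
}
```

<p>Run it under the Excel Services service application pool account to get the same answer ECS would; each warning maps back to one of the checks in the list above.</p>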
<p>Hopefully this list will help you quickly debug and fix this issue on your system. HTH</p>
<p>Lee</p>
]]></content:encoded>
			<wfw:commentRss>http://powerpivotgeek.com/2010/02/08/the-data-connection-uses-windows-authentication-and-user-credentials-could-not-be-delegated/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Excel Services delegation</title>
		<link>http://powerpivotgeek.com/2009/12/11/excel-services-delegation/</link>
		<comments>http://powerpivotgeek.com/2009/12/11/excel-services-delegation/#comments</comments>
		<pubDate>Fri, 11 Dec 2009 23:56:00 +0000</pubDate>
		<dc:creator>powerpivotgeek</dc:creator>
				<category><![CDATA[Excel Services]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://powerpivotgeek.com/?p=440</guid>
		<description><![CDATA[<p>I am inspired by a recent post from a colleague about the various issues that can come up with Excel Services delegation (see Denny Lee’s blog here: http://dennyglee.com/2009/11/18/troubleshooting-powerpivot-excel-services-connectivity/) and I wanted to take it a bit further (and maybe a bit ‘geekie’-er).</p>
<p>First, why is this a problem? After all, as you can see in [...]]]></description>
			<content:encoded><![CDATA[<p>I am inspired by a recent post from a colleague about the various issues that can come up with Excel Services delegation (see Denny Lee’s blog here: <a title="http://dennyglee.com/2009/11/18/troubleshooting-powerpivot-excel-services-connectivity/" href="http://dennyglee.com/2009/11/18/troubleshooting-powerpivot-excel-services-connectivity/">http://dennyglee.com/2009/11/18/troubleshooting-powerpivot-excel-services-connectivity/</a>) and I wanted to take it a bit further (and maybe a bit ‘geekie’-er).</p>
<p>First, why is this a problem? After all, as you can see in Denny’s post, you can see the workbook and you even have a thumbnail for it in the Gallery. What’s up here? The core of the problem is that unless you’ve set the connection to refresh when you first open the workbook, Excel Services uses its pivot cache to construct the pivot table and slicers. It is only if you manually refresh the connection, or click on a slicer, that you make an actual connection to the embedded data. Until then you are just looking at cached information. Until you click on a slicer, you don’t really know if Excel Services is working – so a <strong><span style="text-decoration: underline;">strong</span></strong> recommendation that I make to anyone validating their installation is to “ALWAYS CLICK ON A SLICER” if you want to make sure that your installation is working properly.</p>
<p>Ok, so now we’ve hit the problem. And you get the dreaded “An error occurred during an attempt to establish a connection to the external data source.”</p>
<p><a href="http://powerpivotgeek.com/wp-content/uploads/2009/12/image2.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" src="http://powerpivotgeek.com/wp-content/uploads/2009/12/image_thumb2.png" border="0" alt="image" width="244" height="168" /></a> </p>
<p><span id="more-440"></span></p>
<p>The issue (get your geek-armor ready) is that when accessing data, PowerPivot looks like just another data source to both Excel desktop and Excel Services. Prior to accessing the data, if using Windows authentication, Excel Services needs to impersonate the user on the calling thread. But, in a claims-aware world, the only ‘identity’ that Excel Services has is the claims token. When the user connects (in whatever authentication method the SharePoint Web Application allows), the first thing that SharePoint does on the web front end is to translate the authentication method’s user identity to a claims token. And it is <span style="text-decoration: underline;">that</span> claims token that is passed around within the farm. Remember this dialog box within Excel desktop:</p>
<p><a href="http://powerpivotgeek.com/wp-content/uploads/2009/12/image3.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" src="http://powerpivotgeek.com/wp-content/uploads/2009/12/image_thumb3.png" border="0" alt="image" width="244" height="231" /></a></p>
<p>The setting tells Excel Services what kind of lookup to perform when a new connection is started:</p>
<ul>
<li>‘None’ means to use the Unattended Execution Account specified for the Excel Services service application being used by this connection. The username and password are retrieved from Secure Store. Using these credentials, Excel Services does a Windows logon and then it calls the data provider (the msolap OLEDB provider in the case of PowerPivot).</li>
<li>‘SSS’ means that Excel Services should access its Secure Store service application. The username and password are retrieved from Secure Store using this Application ID. Using these credentials, Excel Services does a Windows logon and then calls the data provider.</li>
<li>‘Windows Authentication’ (which is both the default and our case today) means that Excel Services should use the interactive user’s Windows identity. The original Windows token for the user is looked up, Excel Services impersonates that user on the calling thread and then calls the data provider.</li>
</ul>
<p>In the case of Windows Authentication, to perform the lookup, Excel Services uses the “Geneva to Windows Token Service” (GTS) provided by SharePoint. GTS takes the claims token of the caller and translates it to the Windows identity of the caller (the underlying Windows API that it uses for this is S4U (see here: xx)). Unfortunately S4U does have its restrictions, and those restrictions are the heart of the “Cannot Delegate” error message that we are seeing. GTS requires:</p>
<ol>
<li>A domain controller must be available to validate the logon. GTS cannot use cached credentials. It has to validate the login token on every connection. This obviously has performance implications, but fortunately it isn’t on every query, just when the connection is established. This is easy to see (and it was the way that I generated the error message box above) –&gt; just unplug the network from your laptop. You will see that you can use SharePoint and Excel Services for everything using cached credentials until you go to Excel Services and try to connect to any data source (PowerPivot included) using Windows authentication.</li>
<li>The server must be a member of the same domain as the caller; or there must be a two-way trust relationship between the domains. This means that a common Windows 2000 domain architecture cannot be used by GTS.</li>
<li>The caller cannot be a local machine account. GTS only understands how to talk to domain controllers.</li>
<li>The account being used as the Excel Services service account must have AD rights to be able to query the object. One place where we know this restriction comes into play is if you have configured your domain controller to have a subgroup under “Users”, e.g. “Service Accounts”, which is a separate AD group that derives from “Users” –&gt; but I am sure that there are more. AD rights for service accounts is a common problem across all of SharePoint.</li>
</ol>
<p>So – this is happening to you – you cannot delegate credentials. What are your options? First, you could fix the problem so the restriction no longer holds, e.g. you could establish a two-way trust between the domains rather than a one-way trust, but this is likely not a doable approach because you probably have business justifications for why the configuration was done this way. A second alternative is to switch to “None” as the authentication; this is what the “off-the-network” blog entry that I wrote does, see <a title="http://powerpivotgeek.com/2009/11/06/taking-your-server-off-the-network/" href="http://powerpivotgeek.com/2009/11/06/taking-your-server-off-the-network/">http://powerpivotgeek.com/2009/11/06/taking-your-server-off-the-network/</a>. This is straightforward and easy to implement, but it lacks the strong security enforcement of Windows authentication and it uses a single, more general account. So there will likely be business issues with that approach also.</p>
]]></content:encoded>
			<wfw:commentRss>http://powerpivotgeek.com/2009/12/11/excel-services-delegation/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Watch out, your domain might be showing . . .</title>
		<link>http://powerpivotgeek.com/2009/11/24/watch-out-your-domain-might-be-showing/</link>
		<comments>http://powerpivotgeek.com/2009/11/24/watch-out-your-domain-might-be-showing/#comments</comments>
		<pubDate>Tue, 24 Nov 2009 18:27:17 +0000</pubDate>
		<dc:creator>powerpivotgeek</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[SharePoint]]></category>

		<guid isPermaLink="false">http://powerpivotgeek.com/2009/11/24/watch-out-your-domain-might-be-showing/</guid>
		<description><![CDATA[<p>Several new SharePoint 2010 configuration issues will impact some PowerPivot sites and I wanted to share them with you. These restrictions are with Excel Services and have to do with the way that Windows authentication is handled, i.e. you have set the Excel Services authentication to &#8220;Windows&#8221;, not using Secure Store or &#8220;None&#8221;. This impacts PowerPivot [...]]]></description>
			<content:encoded><![CDATA[<p>Several new SharePoint 2010 configuration issues will impact some PowerPivot sites and I wanted to share them with you. These restrictions are with Excel Services and have to do with the way that Windows authentication is handled, i.e. you have set the Excel Services authentication to &#8220;Windows&#8221;, not using Secure Store or &#8220;None&#8221;. This impacts PowerPivot because Excel Services treats PowerPivot as a data source. The restrictions are not limited to just PowerPivot – they apply across the board for all Excel Services data sources.</p>
<p>First, Excel Services requires that a domain controller be available for data access when using Windows authentication for a connection (see my earlier posting, <a title="http://powerpivotgeek.com/2009/11/06/taking-your-server-off-the-network/" href="http://powerpivotgeek.com/2009/11/06/taking-your-server-off-the-network/">http://powerpivotgeek.com/2009/11/06/taking-your-server-off-the-network/</a>). Interestingly, it isn’t Excel Services specifically that has this requirement; rather it is the SharePoint infrastructure component called the <em>Geneva Token Service</em> (GTS), which Excel Services uses, that requires access to the domain controller for an S4U logon to impersonate the Windows user. S4U cannot use cached credentials.</p>
<p>The second restriction is also a consequence of GTS. GTS requires that all domains have two-way trust relationships in order to perform its logons. A common old-style domain configuration is to have a single dedicated “account” domain (where users live) – and then multiple “resource” domains (where your servers, printers and other resources live). Typically the resource domains trust the account domain; but the account domain does not trust the resource domains (a so-called &#8216;one-way trust&#8217;). Service accounts live in the resource domains and thus do not have account-level access. This is a good thing. Many of the Microsoft lab domains work this way. Unfortunately, if you install SharePoint in such an environment, you will find that Excel Services returns an error: “The data connection uses Windows Authentication and Excel Services is unable to delegate user credentials.” SharePoint requires a two-way trust between domains if your machine lives in one domain and your users live in another.</p>
]]></content:encoded>
			<wfw:commentRss>http://powerpivotgeek.com/2009/11/24/watch-out-your-domain-might-be-showing/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>A Peek Inside: Why are domain accounts needed?</title>
		<link>http://powerpivotgeek.com/2009/11/18/a-peek-inside-why-are-domain-accounts-needed/</link>
		<comments>http://powerpivotgeek.com/2009/11/18/a-peek-inside-why-are-domain-accounts-needed/#comments</comments>
		<pubDate>Thu, 19 Nov 2009 04:39:40 +0000</pubDate>
		<dc:creator>powerpivotgeek</dc:creator>
				<category><![CDATA[A Peek Inside]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Architecture]]></category>
		<category><![CDATA[domain accounts]]></category>
		<category><![CDATA[NEW FARM]]></category>

		<guid isPermaLink="false">http://powerpivotgeek.com/2009/11/18/a-peek-inside-why-are-domain-accounts-needed/</guid>
		<description><![CDATA[<p> Have you ever had to do something that you knew (you just KNEW) that lots of folks were going to scream – and scream loud – about? This is one of those cases – I can just feel it!</p>
<p>Ok, here goes. There have been several recent newsgroups postings concerning why we require domain accounts [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://powerpivotgeek.com/wp-content/uploads/2009/11/image14.png"><img style="border-bottom: 0px; border-left: 0px; margin: 0px 10px 0px 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" align="left" src="http://powerpivotgeek.com/wp-content/uploads/2009/11/image_thumb15.png" width="46" height="46" /></a> Have you ever had to do something that you knew (you just KNEW) that lots of folks were going to scream – and scream <u>loud</u> – about? This is one of those cases – I can just feel it!</p>
<p>Ok, here goes. There have been several recent newsgroup postings concerning why we require domain accounts to install PowerPivot for SharePoint. Why must the farm account and the various service accounts be domain accounts? This causes lots of heartache for users that want to install demo or evaluation servers because we don’t support a standalone server. Well, we do support standalone, but it is a different kind of standalone. Let’s get right into it.</p>
<p>First, let’s compare and contrast this requirement with SharePoint. SharePoint has two types of installations: standalone (which they do NOT support in production) and complete/farm. The standalone installation is for demo and evaluation purposes only. It uses NETWORK SERVICE as the service account for many of its internal processes. It is stated right up front that it is NOT expandable into a production system; it has security issues acting across servers; etc. However, it gives you a nice “toy” to play with. Let’s be right up front about it – PowerPivot does not install on, nor does it support, a SharePoint standalone server installation. And, oh, while we are on the subject, SharePoint does not support local machine accounts within a farm configuration. In the SharePoint world, once you go to domains – you go all of the way with domains.</p>
<p>PowerPivot’s philosophy for the NEW FARM case is that it is a complete farm that just happens right now to be on a single machine. We take a production view of the single server. We would expect that it would be natural, at some time in the future, for the SharePoint administrator to move the content and config databases off of this server and put them on their own dedicated SQL Server machine. After all, it is a best practice for SharePoint to have a dedicated (or consolidated) SQL resource off of the WFE and App Servers. And just as the RDBMS traffic is very likely to grow beyond a single combined “all-in-one” server, so will the app server requirements continue to grow, and it is perfectly natural for a second, third or more app servers to be added to the farm; likewise, as the server becomes more mainstream, there is a high-availability requirement that will become more important and multiple WFEs will become important.</p>
<p>The bottom line is that proper capacity planning begins with your first installation. And thus we require domain accounts right from the very beginning.</p>
<p>Yes, this does impact those folks who are doing demos and evaluations. You have two options: (1) install a domain controller on your image, and thus local accounts are domain accounts; or (2) install the server into a domain and possibly then disconnect from it (see an earlier posting from me on this topic). Approach #1 is what most users do. If you look at all of the “All-Up” VMs that Microsoft produces for other products, you will see that a self-contained domain within the VM is the way that most folks go. I personally use technique #2 because I do demos in a very constrained environment and having to modify the workbooks that I am demoing with is fine.</p>
<p>&lt; OK – Let the screaming begin :-) &gt;</p>
]]></content:encoded>
			<wfw:commentRss>http://powerpivotgeek.com/2009/11/18/a-peek-inside-why-are-domain-accounts-needed/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
