Claims to Windows Token Service (C2WTS)

The SharePoint Claims to Windows Token Service (C2WTS) is required if you want to use Windows authentication for data sources that are outside the SharePoint farm. This is true even when the user accesses SharePoint with Windows authentication, because the communication between the web front-end (WFE) and the Reporting Services shared service is always claims authentication.

C2WTS is needed even if your data source(s) are on the same computer as the shared service. However, in this scenario constrained delegation is not needed.

The tokens created by C2WTS will only work with constrained delegation (delegation is constrained to specific services) together with the configuration option "Use any authentication protocol". As noted earlier, if your data sources are on the same computer as the shared service, then constrained delegation is not needed.

If your environment will use Kerberos constrained delegation, then the SharePoint Server service and external data sources need to reside in the same Windows domain. Any service that relies on the Claims to Windows Token Service (C2WTS) must use Kerberos constrained delegation to allow C2WTS to use Kerberos protocol transition to translate claims into Windows credentials. These requirements are true for all SharePoint Shared Services. For more information, see Overview of Kerberos authentication for Microsoft SharePoint 2010 Products (https://technet.microsoft.com/en-us/library/gg502594.aspx).

The procedure is summarized below, but this is not a complete list of detailed steps.

Prerequisites

Note: Some of the configuration steps may change, or may not work, in certain farm topologies. For instance, a single-server install does not support the Windows Identity Foundation C2WTS service, so claims-to-Windows-token delegation scenarios are not possible with this farm configuration.

Basic steps needed to configure C2WTS

  1. Configure the service account you plan to use for C2WTS. The account you use for C2WTS needs the following local policy rights:

    • Act as part of the operating system

    • Impersonate a client after authentication

    • Log on as a service

    The account you use for C2WTS also needs to be configured for constrained delegation with protocol transition and needs permission to delegate to the services it is required to communicate with (e.g. SQL Server Database Engine, SQL Server Analysis Services). To configure delegation you can use the Active Directory Users and Computers snap-in.

    1. Right-click each service account and open the properties dialog. In the dialog click the Delegation tab.

      Note: The Delegation tab is only visible if the object has an SPN assigned to it. C2WTS does not require an SPN on the C2WTS account; however, without an SPN the Delegation tab will not be visible. An alternative way to configure constrained delegation is to use a utility such as ADSI Edit.

    2. Key configuration options on the delegation tab are the following:

      • Select “Trust this user for delegation to specified services only”

      • Select “Use any authentication protocol”

      For more information, see the “configure Kerberos constrained delegation for computers and service accounts” section of the following white paper, Configuring Kerberos authentication for SharePoint 2010 and SQL Server 2008 R2 products

  2. Configure C2WTS ‘AllowedCallers’

    C2WTS requires the callers' identities to be explicitly listed in the configuration file, c2wtshost.exe.config. C2WTS does not accept requests from all authenticated users in the system unless it is configured to do so. In this case the caller is the WSS_WPG Windows group. The c2wtshost.exe.config file is saved in the following location:

    \Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config

    The following is an example of the configuration file:

    <configuration>
      <windowsTokenService>
        <!--
            By default no callers are allowed to use the Windows Identity Foundation Claims To NT Token Service.
            Add the identities you wish to allow below.
          -->
        <allowedCallers>
          <clear/>
          <add value="WSS_WPG" />
        </allowedCallers>
      </windowsTokenService>
    </configuration>
    
  3. Start the operating system C2WTS service:

    1. Configure the service to use the service account you configured in the previous step.

    2. Change the Startup type to “Automatic” and start the service.

  4. Start the SharePoint ‘Claims to Windows Token Service’: Start the Claims to Windows Token Service through SharePoint Central Administration on the Manage Services on Server page. The service should be started on the server that will be performing the action. For example, if you have one server that is a WFE and another server that is an Application Server running the Reporting Services shared service, you only need to start C2WTS on the Application Server. C2WTS is not needed on the WFE.
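The following PowerShell script is an added verification example, not part of the original page; it checks each of the four steps above on the server that runs the shared service. It assumes the Windows service is named c2wts, that the ActiveDirectory module and the SharePoint snap-in are installed, and uses a placeholder service account name that you must replace.

```powershell
# Added verification script (not from the original page). Assumptions: the Windows
# service is named "c2wts", the ActiveDirectory module and SharePoint snap-in are
# installed, and $C2wtsAccount is a placeholder for the real service account.
$C2wtsAccount = 'CONTOSO\svc-c2wts'   # placeholder, replace with your account
$ConfigPath   = Join-Path $env:ProgramFiles 'Windows Identity Foundation\v3.5\c2wtshost.exe.config'

# Step 1a: local policy rights. Export the local security policy and check the
# three privileges the page requires:
#   SeTcbPrivilege         = "Act as part of the operating system"
#   SeImpersonatePrivilege = "Impersonate a client after authentication"
#   SeServiceLogonRight    = "Log on as a service"
$tmp = Join-Path $env:TEMP 'c2wts-secpol.inf'
secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
$policy = Get-Content $tmp
$sid = (New-Object System.Security.Principal.NTAccount($C2wtsAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
foreach ($right in 'SeTcbPrivilege', 'SeImpersonatePrivilege', 'SeServiceLogonRight') {
    $line = $policy | Where-Object { $_ -like "$right*" }
    # secedit lists principals as *SID or as DOMAIN\name; accept either form
    $ok = $line -and (($line -match [regex]::Escape("*$sid")) -or ($line -match [regex]::Escape($C2wtsAccount)))
    '{0,-24} {1}' -f $right, $(if ($ok) { 'granted' } else { 'MISSING' })
}
Remove-Item $tmp -ErrorAction SilentlyContinue

# Step 1b: constrained delegation with protocol transition on the AD account.
# TrustedToAuthForDelegation corresponds to "Use any authentication protocol";
# msDS-AllowedToDelegateTo lists the services it may delegate to.
$u = Get-ADUser -Identity ($C2wtsAccount.Split('\')[-1]) -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
"Use any authentication protocol : $($u.TrustedToAuthForDelegation)"
"Delegate to specified services  : $($u.'msDS-AllowedToDelegateTo' -join ', ')"

# Step 2: allowedCallers in c2wtshost.exe.config must include WSS_WPG.
[xml]$cfg = Get-Content $ConfigPath
$callers = @($cfg.configuration.windowsTokenService.allowedCallers.add | ForEach-Object { $_.value })
"Allowed callers                 : $($callers -join ', ')"
if ($callers -notcontains 'WSS_WPG') { Write-Warning 'WSS_WPG is not an allowed caller' }

# Step 3: the operating-system service uses the account, starts automatically and is running.
$svc = Get-CimInstance Win32_Service -Filter "Name='c2wts'"
'Windows service                 : account={0} startmode={1} state={2}' -f $svc.StartName, $svc.StartMode, $svc.State

# Step 4: the SharePoint service instance is Online on this server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$inst = Get-SPServiceInstance -Server $env:COMPUTERNAME |
        Where-Object { $_.TypeName -eq 'Claims to Windows Token Service' }
"SharePoint C2WTS instance       : $($inst.Status)"
```

Run it in an elevated PowerShell session on the Application Server; any line reporting MISSING, a False delegation flag, or a service state other than Running/Online points at the step that still needs attention.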

See Also

Other Resources

Claims to Windows Token Service (c2WTS) Overview (https://msdn.microsoft.com/en-us/library/ee517278.aspx)

Overview of Kerberos authentication for Microsoft SharePoint 2010 Products (https://technet.microsoft.com/en-us/library/gg502594.aspx)