SharePoint 2013 - User identity pass-through delegation does not work with BCS and claims-mode authentication
2 minutes to read
In SharePoint 2010/2013 , user identity pass-through delegation will not work when a BCS External Content type (using a SQL Server Data source) is used in a web application with claims-based authentication (Windows authentication and Kerberos) configured.
When this Scenario is Configured , following message is still the message on a list based on the external content type for any user:
"Message from External System: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'."
The same setup works perfectly in SharePoint Server 2010 and SharePoint Server 2013 when a web application is used that has Classic Mode / Windows Authentication / Kerberos configured.
Reason for this Behavior
The delegation related to BCS is described in the Scenario 9 of the white paper for Kerberos configuration (see the linked .doc file): http://technet.microsoft.com/en-us/library/ff829837(v=office.14).aspx . One of the Requirements for this to work is to Configure your web applications with classic Windows authentication using Kerberos authentication.
When we have A Web-app deployed in Claims mode on SharePoint 2010/2013, this will not work due to the Fact that BCS was never designed to leverage the Claims to Windows Token Service (C2WTS) and this is documented in the white paper. You can find more information on Claims to Windows Token Service (C2WTS) here.
This C2WTS service is used when claims is used as authentication mode to transfer the user identity that needs pass-through from a claims identity to a windows identity.
What to Do then ?
The only true workaround in case of Claims Mode Web-app here is to use Secure Store Service (SSS) with a target application of type "Individual" that is able to pass-through the user's identity via credential mappings.
Please be aware of this unwanted side effect of using Secure Store Identity
In the case of user credentials change (like scheduled password changes) the user either needs to re-enter his credentials via the list view which displays the needed form or on the administrative side actions can be taken to update the credential mappings in the Secure Store Service target application used by the BCS external content type on a regular basis.
Else a classic mode web application can be used, but by default in SharePoint Server 2013 through the UI administrators can only create claims mode web applications.