SharePoint 2013 - User identity pass-through delegation does not work with BCS and claims-mode authentication

In SharePoint 2010/2013 , user identity pass-through delegation will not work when a BCS External Content type (using a SQL Server Data source) is used in a web application with claims-based authentication (Windows authentication and Kerberos) configured.

The Setup for scenario mentioned above is the one described in "Scenario 9” at

When this Scenario is Configured , following message is still the message on a list based on the external content type for any user:

"Message from External System: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'."

The same setup works perfectly in SharePoint Server 2010 and SharePoint Server 2013 when a web application is used that has Classic Mode / Windows Authentication / Kerberos configured.

Reason for this Behavior

When we have A Web-app deployed in Claims mode on SharePoint 2010/2013, this will not work due to the Fact that BCS was never designed to leverage the Claims to Windows Token Service (C2WTS) and this is documented in the white paper.  You can find more information on Claims to Windows Token Service (C2WTS) here.

This C2WTS service is used when claims is used as authentication mode to transfer the user identity that needs pass-through from a claims identity to a windows identity.

What to Do then ?

The only true workaround in case of Claims Mode Web-app here is to use Secure Store Service (SSS) with a target application of type "Individual" that is able to pass-through the user's identity via credential mappings.

See the following articles for more information:

Plan the Secure Store Service in SharePoint Server 2013

Configure the Secure Store Service in SharePoint 2013

Please be aware of this unwanted side effect of using Secure Store Identity

In the case of user credentials change (like scheduled password changes) the user either needs to re-enter his credentials via the list view which displays the needed form or on the administrative side actions can be taken to update the credential mappings in the Secure Store Service target application used by the BCS external content type on a regular basis. 

Else a classic mode web application can be used, but by default in SharePoint Server 2013 through the UI administrators can only create claims mode web applications.

Additional Information

Plan for Kerberos authentication in SharePoint 2013

Identity delegation for Business Connectivity Services

POST BY : Praveen Hebbar [MSFT]