Claims to Windows Token Service (c2WTS)

Applies to: SharePoint Foundation 2010

The Claims to Windows Token Service (c2WTS) is a feature of Windows Identity Foundation (WIF). The c2WTS extracts user principal name (UPN) claims from non-Windows security tokens, such as SAML and X.509 tokens, and generates impersonation-level Windows security tokens. This allows a relying party application to impersonate the user. This might be needed to access back-end resources, such as Microsoft SQL Servers, that are external to the computer running the relying party application.

The c2WTS is a Windows service that is installed as part of WIF. For security reasons, the c2WTS works only on an opt-in basis. It must be started manually and it runs as the local system account. An administrator must also manually configure the c2WTS with a list of allowed callers. By default, the list is empty. If your relying party application runs as the local system account, it does not need to use the c2WTS. However, if your relying party application runs as the network service account, or is an ASP.NET application, for example, it might need to use the c2WTS to access resources on another computer.

Suppose that you have a Web farm that consists of a server that runs an ASP.NET application, which accesses an SQL database on a back-end server. You want to make this application claims-aware. However, the application cannot access the SQL database by using the claim that it receives from a security token service (STS). Instead, it uses the c2WTS to convert the UPN claim to a Windows security token. This allows it to access the SQL database.


To allow an application to access resources on a different server, a domain administrator must configure the Microsoft Active Directory directory service to enable constrained delegation. For information about how to enable constrained delegation, see How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0.