The SharePoint Claims to Windows Token Service (c2WTS) is required with Reporting Services SharePoint mode if you want to use Windows Authentication for data sources that are outside the SharePoint farm. This is true even if the user accesses the data sources with Windows Authentication because the communication between the web front-end (WFE) and the Reporting Services shared service will always be Claims Authentication.
c2WTS is needed even if your data source(s) are on the same computer as the shared service. However, in this scenario, constrained delegation is not needed.
The tokens created by c2WTS will only work with constrained delegation (delegation constrained to specific services) and the configuration option "Use any authentication protocol". As noted earlier, if your data sources are on the same computer as the shared service, then constrained delegation is not needed.
If your environment will use Kerberos constrained delegation, then the SharePoint Server service and external data sources need to reside in the same Windows domain. Any service that relies on the Claims to Windows token service (c2WTS) must use Kerberos constrained delegation to allow c2WTS to use Kerberos protocol transition to translate claims into Windows credentials. These requirements are true for all SharePoint Shared Services. For more information, see Plan for Kerberos authentication in SharePoint 2013.
The procedure is summarized in this topic.
Applies to: SharePoint 2016, SharePoint 2013
Note: Some of the configuration steps may change, or may not work in certain farm topologies. For instance, a single server install does not support the Windows Identity Foundation c2WTS service, so Claims to Windows Token delegation scenarios are not possible with this farm configuration.
If you are using Power View to work against Power Pivot workbooks, you will need to do additional configuration for Office Online Server. For more information, see the following white papers.
Basic steps needed to configure c2WTS
Configure the c2WTS service account. Add the service account to the local Administrators group on each application server running c2WTS. In addition, verify that the account has the following local security policy rights:
- Act as part of the operating system
- Impersonate a client after authentication
- Log on as a service
Configure delegation for the c2WTS service account. The account needs Constrained Delegation with Protocol Transitioning and permission to delegate to the services it is required to communicate with (for example, the SQL Server Database Engine and SQL Server Analysis Services). To configure delegation you can use the Active Directory Users and Computers snap-in.
Whatever settings you configure for the c2WTS service account on the Delegation tab need to match the Reporting Services service account. For example, if you allow the c2WTS service account to delegate to a SQL Server service, you need to do the same on the Reporting Services service account.
Right-click each service account and open the properties dialog. In the dialog click the Delegation tab.
Note: The Delegation tab is only visible if the object has a Service Principal Name (SPN) assigned to it. c2WTS does not require an SPN on the c2WTS account; however, without an SPN, the Delegation tab will not be visible. An alternative way to configure constrained delegation is to use a utility such as ADSIEdit.
Key configuration options on the delegation tab are the following:
- Select "Trust this user for delegation to specified services only".
- Select "Use any authentication protocol".
- Select Add to add a service to delegate to.
- Select Users or Computers... and enter the account that hosts the service. For example, if a SQL Server is running under an account named sqlservice, enter
- Select the service listing. This will show the SPNs that are available on that account. If you don't see the service listed on that account, it may be missing or placed on a different account. You can use the SetSPN utility to adjust SPNs.
- Select OK to get out of the dialogs.
Configure c2WTS ‘AllowedCallers’
c2WTS requires the callers' identities to be explicitly listed in the configuration file, c2WTShost.exe.config. c2WTS does not accept requests from all authenticated users in the system unless it is configured to do so. In this case the caller is the WSS_WPG Windows group. The c2WTShost.exe.config file is saved in the following location:
\Program Files\Windows Identity Foundation\v3.5\c2WTShost.exe.config
Changing the service account within SharePoint Central Administration for the c2WTS service will add that account to the WSS_WPG group.
The following is an example of the configuration file:
```xml
<configuration>
  <windowsTokenService>
    <!-- By default no callers are allowed to use the Windows Identity Foundation
         Claims To NT Token Service. Add the identities you wish to allow below. -->
    <allowedCallers>
      <clear/>
      <add value="WSS_WPG" />
    </allowedCallers>
  </windowsTokenService>
</configuration>
```
Start the SharePoint 'Claims to Windows Token Service'
Start the Claims to Windows Token Service through SharePoint Central Administration on the Manage Services on Server page. The service should be started on the server that will be performing the action. For example, if you have a server that is a WFE and another server that is an Application Server that has the Reporting Services shared service running, you only need to start c2WTS on the Application Server. c2WTS is not needed on the WFE.
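The following script is an added example, not part of the original topic or any Microsoft tooling, that audits the two settings the procedure above configures: the constrained delegation state of the c2WTS and Reporting Services service accounts (delegation to specified services only, "Use any authentication protocol", and matching target lists) and the AllowedCallers entry in c2WTShost.exe.config. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the account names svc-c2wts and svc-ssrs are placeholders for your own farm.

```powershell
# Added example: audit c2WTS delegation and AllowedCallers settings (assumes RSAT ActiveDirectory module).
param(
    [string]$C2wtsAccount = 'svc-c2wts',   # placeholder sAMAccountName of the c2WTS service account
    [string]$RsAccount    = 'svc-ssrs',    # placeholder sAMAccountName of the Reporting Services account
    [string]$ConfigPath   = "$env:ProgramFiles\Windows Identity Foundation\v3.5\c2WTShost.exe.config"
)
Import-Module ActiveDirectory

# userAccountControl bit set by "Use any authentication protocol" (Kerberos protocol transition)
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
# userAccountControl bit set by "Trust this user for delegation to any service" (unconstrained); must NOT be set
$TRUSTED_FOR_DELEGATION = 0x80000

function Get-DelegationState([string]$Sam) {
    $u = Get-ADUser -Identity $Sam -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
    [pscustomobject]@{
        Account             = $Sam
        ProtocolTransition  = [bool]($u.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
        Unconstrained       = [bool]($u.userAccountControl -band $TRUSTED_FOR_DELEGATION)
        AllowedToDelegateTo = @($u.'msDS-AllowedToDelegateTo' | Sort-Object)   # SPNs from the Delegation tab
    }
}

$c2 = Get-DelegationState $C2wtsAccount
$rs = Get-DelegationState $RsAccount

foreach ($s in @($c2, $rs)) {
    if (-not $s.ProtocolTransition) { Write-Warning "$($s.Account): 'Use any authentication protocol' is not set" }
    if ($s.Unconstrained)           { Write-Warning "$($s.Account): unconstrained delegation is enabled; use 'specified services only'" }
    if ($s.AllowedToDelegateTo.Count -eq 0) { Write-Warning "$($s.Account): no delegation targets (msDS-AllowedToDelegateTo is empty)" }
}

# The topic requires both accounts to delegate to the same services; report any mismatch.
if ($c2.AllowedToDelegateTo.Count -gt 0 -and $rs.AllowedToDelegateTo.Count -gt 0) {
    $diff = Compare-Object -ReferenceObject $c2.AllowedToDelegateTo -DifferenceObject $rs.AllowedToDelegateTo
    if ($diff) { Write-Warning 'Delegation targets differ between the c2WTS and Reporting Services accounts:'; $diff | Format-Table -AutoSize }
}

# AllowedCallers: WSS_WPG must be listed, otherwise c2WTS rejects the shared service's requests.
if (Test-Path -Path $ConfigPath) {
    [xml]$cfg = Get-Content -Path $ConfigPath
    $callers = @($cfg.configuration.windowsTokenService.allowedCallers.add | ForEach-Object { $_.value })
    if ($callers -notcontains 'WSS_WPG') { Write-Warning "WSS_WPG is not listed in <allowedCallers> of $ConfigPath" }
    else { Write-Output "AllowedCallers OK: $($callers -join ', ')" }
} else {
    Write-Warning "c2WTShost.exe.config not found at $ConfigPath (is Windows Identity Foundation installed on this server?)"
}
```

Run it on the application server that hosts c2WTS with an account that can read the two service accounts from Active Directory; each warning maps to one step of the procedure above.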