PerformancePoint, Kerberos, Claims To Windows Token Service, and unhelpful error messages

A user complained that PerformancePoint was not configured correctly.

“See? SharePoint told me so!”

You check the logs and find this on the application server running the PerformancePoint service.

Microsoft.PerformancePoint.Scorecards.BpmException: The item  is not a valid PerformancePoint Data Source. Check to make sure the content type of this item is correct.

And the corresponding entry in the SharePoint ULS log on the same server.

The user "DOMAIN\User" attempted to access an item in the following location: http://SharePointServer/Data Connections for PerformancePoint/1_.000

Verify that the location exists and that the user has the "Read Items" permission.

Exception details: Microsoft.PerformancePoint.Scorecards.BpmException: The item 'http://SharePointServer/Data Connections for PerformancePoint/DataSource.rsds' is not a valid PerformancePoint Data Source. Check to make sure the content type of this item is correct.

You will also find entries related to the Claims to Windows Token Service in the same ULS log.

SPSecurityContext.WindowsIdentity: Could not retrieve a valid windows identity for NTName='DOMAIN\User', UPN='User@DOMAIN'. UPN is required when Kerberos constrained delegation is used. Exception: System.ArgumentException: Token cannot be zero.

The following data source cannot be used because PerformancePoint Services is not configured correctly.

Data source location: http://SharePointServer/Data Connections for PerformancePoint/5_.000 Data source name: New Data Source

Monitoring Service was unable to retrieve a Windows identity for "DOMAIN\User".

Verify that the web application authentication provider in SharePoint Central Administration is the default windows Negotiate or Kerberos provider.

If the user does not have a valid active directory account the data source will need to be configured to use the unattended service account for the user to access this data.

The best hint at the gremlin in the system is the error “Token cannot be zero” from the Claims to Windows Token Service. SharePoint hands the service the user's UPN and asks it to turn the claims identity into a Windows token (an S4U logon, which is why the log insists that a UPN is required), but instead of a token the service comes back with a null handle. In practice this is a permissions problem with the identity the Claims to Windows Token Service runs as: it lacks the rights needed to perform that logon.

If you read the SharePoint 2010 Kerberos Guide, particularly the chapter on configuring PerformancePoint, you would understand that there is a relationship between PerformancePoint and Claims to Windows Token Service. Too bad it doesn’t tell you how to fight system gremlins, but not to worry… that’s why I’m here.

The domain account running the Claims to Windows Token Service needs a few things before it can do its job. Keep in mind that “Act as part of the operating system” is the most powerful right on the box, so use a dedicated domain account for this service rather than the farm account, and grant these rights only on the servers that actually run the service.

  • Local administrator on the application server running PerformancePoint

And in Local Security Policy (secpol.msc)

  • Act as part of the operating system
  • Impersonate a client after authentication
  • Log on as a service (the service account will probably already be here if it is running a service)

I found two gotchas in this particular environment.

  • Windows group policy had removed the Claims to Windows Token Service account from the local Administrators group. Contact your friendly Windows/Active Directory administrator for assistance with this; group policy reapplies on refresh, so the fix belongs in the policy, not just on the server.
  • After the rights are granted, restart the Claims to Windows Token Service. User rights are placed in the account's token at logon, so the running service keeps its old token, and your user will keep getting the error message until the service is restarted!
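To take the guesswork out of the checklist above, here is a PowerShell script (an added example, not code from the original post) that verifies the service account's local Administrators membership and the three user rights, confirms the Windows service really runs as that account, and restarts it once everything is in place. It assumes an elevated prompt on the application server, that the Windows service name of the Claims to Windows Token Service is c2wts, and that DOMAIN\svc-c2wts is a placeholder for your own service account.

```powershell
# Added example (not code from the original post): check that the Claims to Windows
# Token Service account has what the post lists, and optionally restart the service
# so the new rights take effect. Assumptions: run from an elevated PowerShell prompt
# on the application server; the Windows service name of the Claims to Windows Token
# Service is 'c2wts'; 'DOMAIN\svc-c2wts' is a placeholder account name.
param(
    [Parameter(Mandatory = $true)]
    [string]$ServiceAccount,          # e.g. 'DOMAIN\svc-c2wts' (placeholder)
    [switch]$RestartService
)

$ErrorActionPreference = 'Stop'
$serviceName = 'c2wts'

# secedit exports user rights as *SID lists, so resolve the account to its SID.
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 1. Direct membership in the local Administrators group (group policy can
#    remove it again, which was the first gotcha above).
$group = [ADSI]'WinNT://./Administrators,group'
$adminSids = @($group.psbase.Invoke('Members') | ForEach-Object {
    try {
        $bytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    } catch { }   # unresolvable (orphaned) members are skipped
})
$isLocalAdmin = $adminSids -contains $sid

# 2. User rights assignment, read from a secedit export of the local policy.
$cfg = Join-Path $env:TEMP 'c2wts-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = @($matches[2] -split ',')
    }
}
Remove-Item $cfg

$required = @{
    'SeTcbPrivilege'         = 'Act as part of the operating system'
    'SeImpersonatePrivilege' = 'Impersonate a client after authentication'
    'SeServiceLogonRight'    = 'Log on as a service'
}
$administratorsSid = 'S-1-5-32-544'

$results = foreach ($priv in $required.Keys) {
    $holders = $rights[$priv]
    # Granted directly to the account, or inherited through local Administrators.
    $granted = ($holders -contains "*$sid") -or
               ($holders -contains $ServiceAccount) -or
               ($isLocalAdmin -and ($holders -contains "*$administratorsSid"))
    New-Object PSObject -Property @{
        Right   = $required[$priv]
        Granted = [bool]$granted
    }
}

# 3. Confirm the service really runs as that account before touching it.
$svc = Get-WmiObject Win32_Service -Filter "Name='$serviceName'"
$runsAsAccount = $svc.StartName -eq $ServiceAccount

"Local Administrators member : $isLocalAdmin"
"Service runs as ${ServiceAccount} : $runsAsAccount"
$results | Format-Table Right, Granted -AutoSize

$missing = @($results | Where-Object { -not $_.Granted })
if (-not $isLocalAdmin -or $missing.Count -gt 0) {
    Write-Warning 'Fix the items above, then restart the service (second gotcha).'
}
elseif ($RestartService) {
    # Rights are read into the token at logon, so the running service must be restarted.
    Restart-Service -Name $serviceName
    Get-Service -Name $serviceName
}
```

Run it as `.\Check-C2wts.ps1 -ServiceAccount 'DOMAIN\svc-c2wts' -RestartService`. The rights check only looks at what the local policy assigns directly or via the Administrators group; if a right arrives through some other group, `whoami /priv` run as the service account is the definitive answer.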

SharePoint Duet Enterprise – Importing the BDC Models

Following the Microsoft TechNet article instructions for installing the BDC Models into SharePoint, I executed this command line:
C:\Program Files\Duet Enterprise\1.0> DuetConfig.exe /importBDC "DRIVE:\PATH\models.xml" /Addusers "END_USERS" /Username "USERNAME" /Password "PASSWORD" /Email "EMAIL_ADDRESS" /BDCServiceApplication "BDC_SERVICE_APP_NAME"

The command line responded with the following error message:

Starting import of models from DRIVE:\PATH ...

Attempting to import model: ENTITY
Creating Secure Store application WSDL to store credentials, required to fetch WSDL from SAP Backend for importing the BDC models.
[ERROR] Failed to create target application in Secure Store. Error Message: Failed to create Secure Store Application WSDL. Error: Unable to obtain master key..
Fix the previous error and retry.
Failed to import model: ENTITY

The SharePoint ULS logs recorded an error message in the Claims Authentication category.

SPSecurityContext.WindowsIdentity: Could not retrieve a valid windows identity for NTName='DOMAIN\account', UPN='account@DOMAIN'. UPN is required when Kerberos constrained delegation is used.
No windows identity for DOMAIN\account.

I’ll put the full stack trace at the end of the post.

The SharePoint farm is made up of two web front end servers and two application servers. The Business Data Connectivity service instances and Secure Store service instances were running on the two application servers only. I executed the command on one of the application servers.

The Claims to Windows Token Service was not started on any of the servers. Why should it be? There isn't any mention of this service in any of the deployment steps via TechNet. The stack trace bears this out: SPSecurityContext.GetWindowsIdentity calls the local Claims to Windows Token Service over a net.pipe endpoint, and the EndpointNotFoundException means nothing was listening on that pipe.

RESOLUTION: I started the service through SharePoint Central Administration on both of the application servers and re-ran the command to import BDC Models. In this scenario, the service identity is “Local Service” and not a domain account. And they all lived happily ever after.
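Since nothing in the deployment steps tells you which servers need the service, here is a SharePoint PowerShell script (an added example, not code from the original post or from the TechNet article) that finds every farm server hosting an online Business Data Connectivity or Secure Store service instance, reports whether the Claims to Windows Token Service instance is online there and which identity the Windows service runs as, and starts the instance where it is missing. It assumes the SharePoint 2010 Management Shell run as a farm administrator, that the TypeName strings are the English display names of those service instances, and that c2wts is the Windows service name of the token service.

```powershell
# Added example (not code from the original post): on a SharePoint 2010 farm, find
# every server that hosts an online Business Data Connectivity or Secure Store
# service instance and check that the Claims to Windows Token Service instance is
# online there too, since those services call it over a local net.pipe endpoint.
# Assumptions: run in the SharePoint 2010 Management Shell as a farm administrator;
# the TypeName strings below are the English display names of the service
# instances; 'c2wts' is the Windows service name of the token service.
param([switch]$Fix)

if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$c2wtsType  = 'Claims to Windows Token Service'
$dependents = @('Business Data Connectivity Service', 'Secure Store Service')

$instances = Get-SPServiceInstance

# Servers where a dependent service instance is online.
$servers = $instances |
    Where-Object { ($dependents -contains $_.TypeName) -and ($_.Status -eq 'Online') } |
    ForEach-Object { $_.Server.Name } |
    Sort-Object -Unique

foreach ($server in $servers) {
    $c2wts = $instances | Where-Object {
        $_.TypeName -eq $c2wtsType -and $_.Server.Name -eq $server
    }
    if (-not $c2wts) {
        Write-Warning "${server}: no Claims to Windows Token Service instance registered"
        continue
    }

    # Identity the Windows service actually runs as on that server (the Duet case
    # above used Local Service; the PerformancePoint case used a domain account).
    $winSvc = Get-WmiObject Win32_Service -ComputerName $server -Filter "Name='c2wts'"

    New-Object PSObject -Property @{
        Server         = $server
        C2WTSInstance  = $c2wts.Status
        WindowsService = $winSvc.State
        RunsAs         = $winSvc.StartName
    }

    if ($c2wts.Status -ne 'Online' -and $Fix) {
        # Start-SPServiceInstance is asynchronous (a timer job starts the Windows
        # service), so poll until the instance reports Online or we give up.
        Start-SPServiceInstance -Identity $c2wts | Out-Null
        $tries = 0
        do {
            Start-Sleep -Seconds 5
            $c2wts = Get-SPServiceInstance -Identity $c2wts.Id
        } until ($c2wts.Status -eq 'Online' -or (++$tries) -ge 12)
        "${server}: Claims to Windows Token Service now $($c2wts.Status)"
    }
}
```

Run it without `-Fix` first to see the picture; with `-Fix` it does what the resolution above did by hand in Central Administration, on every server that needs it rather than only the one you happened to run the import from.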


DATE TIME w3wp.exe (0x1278) 0x1DF4 SharePoint Foundation Claims Authentication bz7l Medium SPSecurityContext.WindowsIdentity: Could not retrieve a valid windows identity for NTName='DOMAIN\user', UPN='account@DOMAIN'. UPN is required when Kerberos constrained delegation is used. Exception: System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at net.pipe://localhost/s4u/022694f3-9fbd-422b-b4b2-312e25dae2a2 that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. ---> System.IO.PipeException: The pipe endpoint 'net.pipe://localhost/s4u/022694f3-9fbd-422b-b4b2-312e25dae2a2' could not be found on your local machine.
   --- End of inner exception stack trace ---
   Server stack trace:
      at System.ServiceModel.Channels.PipeConnectionInitiator.GetPipeName(Uri uri)
      at System.ServiceModel.Channels.NamedPipeConnectionPoolRegistry.NamedPipeConnectionPool.GetPoolKey(EndpointAddress address, Uri via)
      at System.ServiceModel.Channels.CommunicationPool`2.TakeConnection(EndpointAddress address, Uri via, TimeSpan timeout, TKey& key)
      at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
      at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
      at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
      at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
      at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
      at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
      at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
      at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
      at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
      at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
   Exception rethrown at [0]:
      at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
      at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
      at Microsoft.IdentityModel.WindowsTokenService.S4UClient.IS4UService_dupUpnLogon(String upn, Int32 pid)
      at Microsoft.IdentityModel.WindowsTokenService.S4UClient.c__DisplayClass1.b__0(IS4UService_dup channel)
      at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(Func`2 contractOperation)
      at Microsoft.SharePoint.SPSecurityContext.GetWindowsIdentity().

DATE TIME w3wp.exe (0x1278) 0x1DF4 SharePoint Foundation Claims Authentication g220 Unexpected No windows identity for DOMAIN\account.