How to make Excel Services work with custom Identity Provider in Sharepoint

Hi All, 

Our Sharepoint site has been configured claims authentication with Custom Identity Provider and we want to delegate the authentication to excel services data source.  Kerberos constrained delegation is configured. But the excel services is reporting the following error, 

"The data connection uses Windows Authentication and user credentials could not be delegated. The following connections failed to refresh: "

Any help?

May 19th, 2015 2:55pm

Claims to Windows Token Service can only convert Windows claims to Windows Auth. You would need to use some other form of authorization/authentication for your ECS sheet, e.g. Secure Store Service.
Free Windows Admin Tool Kit Click here and download it now
May 19th, 2015 3:00pm

Hi Trevor, 

Yes. But the same issue came up with SSRS in Sharepoint and we augmented claims that are needed in Windows claims and it worked perfectly. But Excel Services does not work with that trick.  

Thanks.

May 19th, 2015 3:08pm

SSRS does not use C2WTS for identity delegation.
Free Windows Admin Tool Kit Click here and download it now
May 19th, 2015 3:08pm

It does use  C2WTS according to this https://msdn.microsoft.com/en-us/library/hh231678.aspx?f=255&MSPPError=-2147217396

May 19th, 2015 3:14pm

Yep, you're right, sorry about that.

What kind of data source is ECS leveraging in this particular case?

Free Windows Admin Tool Kit Click here and download it now
May 19th, 2015 4:58pm

Np.  SSAS Data source. 
May 19th, 2015 5:14pm

In that case, have you looked at leveraging EffectiveUserName?
Free Windows Admin Tool Kit Click here and download it now
May 19th, 2015 5:15pm

I looked at EffectiveUserName. It is cool. But what should be present in the claim for this to work? is it the UPN claim? 

Thanks

May 19th, 2015 5:52pm

It leverages the Windows identity of the user. Likely you would need to pass on either UPN or sAMAccountName.
Free Windows Admin Tool Kit Click here and download it now
May 19th, 2015 6:48pm

UPN claim is there but the problem is we are using Trusted Identity Provider. Not the classic or windows claims-mode authentication. Will it still work? is there any workaround?
May 19th, 2015 8:10pm

Anyone has the answer for this?

Thanks

Free Windows Admin Tool Kit Click here and download it now
June 26th, 2015 1:06pm

Hiya.

First off, it should work. C2WT takes string input, so as long as your claim contains a valid domain UPN, it should be able to create a Kerberos ticket for that user.

So you have configured:

Delegation for C2WT account -> SSAS

Delegation for Excel services account -> SSAS

SPN's for SSAS.

What do you see when you run SQL profiler on analysis services instance, while trying to connect with Excel services?

June 29th, 2015 9:32am

Hey, 

It didn't work for me. Tried every other configuration. Alternative solution is to use Web Application Proxy for authentication. 

Thanks. 

Free Windows Admin Tool Kit Click here and download it now
July 31st, 2015 10:20am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics