Thursday, May 5, 2011

SharePoint 2010 - Constrained Delegation

Think you have added all the SPNs and configured constrained delegation in your AD so that you can leverage Excel Services via SharePoint 2010, AND you still get the dreaded "User Credentials cannot be delegated" error?


Well, a quick glance at the SharePoint logs (C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\LOGS) shows the error as:

MossHost.TryGetWindowsIdentity: Failed to get WindowsIdentity from IClaimsIdentity. SPSecurityContext.GetWindowsIdentity() threw exception: System.InvalidOperationException: Could not retrieve a valid Windows identity.


Ah Ha! This is because the service account you have for the C2WTS (Claims To Windows Token Service) may have delegation set up, BUT it must ALSO be part of the Local Administrators group on the application server on which it is running!

Add it to the Local Administrators group, reboot the server and voila!!

-Aashish
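
A quick way to confirm both symptoms described above on the application server, as an added example that is not part of the original post. It assumes the Claims to Windows Token Service is registered under the service name 'c2wts' and uses the log folder quoted in the post.

```powershell
# Added diagnostic example (not from the original post). Run in an elevated
# Windows PowerShell prompt on the application server hosting C2WTS.
# Assumption: the service is registered under the name 'c2wts'.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='c2wts'"
if (-not $svc) { throw "Service 'c2wts' was not found on this server." }
$account = $svc.StartName    # DOMAIN\name for a domain service account
"C2WTS runs as '$account' (state: $($svc.State))"

# Resolve the Administrators group by its well-known SID so a localized name still works.
$sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$groupName = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

# List direct members through ADSI; nested group membership is not expanded,
# and an account stored in user@domain form will not match this comparison.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    ($path -replace '^WinNT://', '') -replace '/', '\'    # WinNT://DOMAIN/name -> DOMAIN\name
})

if ($account -eq 'LocalSystem') {
    "Service runs as LocalSystem, so the group check does not apply."
} elseif ($members -contains $account) {
    "OK: $account is a direct member of $groupName."
} else {
    "MISSING: $account is not a direct member of $groupName."
}

# Look for the error quoted in the post in the five most recent ULS logs.
$logDir = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\LOGS'
$hits = @(Get-ChildItem -Path $logDir -Filter *.log |
    Sort-Object LastWriteTime -Descending | Select-Object -First 5 |
    Select-String -Pattern 'MossHost.TryGetWindowsIdentity' -SimpleMatch)
"{0} matching ULS entries in the five newest log files." -f $hits.Count
if ($hits.Count -gt 0) { "Most recent file with a match: $($hits[0].Path)" }
```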
