Question

I have created a custom claims provider to allow users to sign into SharePoint from an existing website. This issues claims including a claim of UPN in the format username@domain. The user can log in fine until I enable mapToWindows and useWindowsTokenService under samlSecurityTokenRequirement in the SharePoint web application web.config. At this point I get a standard SharePoint error message, and the following exception is visible in the trace.

Exception fetching current thread user in SPUtility.CacheClaimsIdentity: Exception of type 'System.ArgumentException' was thrown.
Parameter name: identity    0.00143314303912927 0.001357
Runtime Tag(tkau) System.ArgumentException: Exception of type 'System.ArgumentException' was thrown.
Parameter name: encodedValue
  at Microsoft.SharePoint.Administration.Claims.SPClaimEncodingManager.DecodeClaimFromFormsSuffix(String encodedValue)
  at Microsoft.SharePoint.Administration.Claims.SPClaimProviderManager.GetProviderUserKey(String encodedSuffix)
  at Microsoft.SharePoint.ApplicationRuntime.SPHeaderManager.AddIsapiHeaders(HttpContext context, String encodedUrl, NameValueCollection headers)
  at Microsoft.SharePoint.ApplicationRuntime.SPRequestModule.PreRequestExecuteAppHandler(Object oSender, EventArgs ea)
  at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
  at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

I think that the c2wts impersonation part is working correctly because if I disable the AD account represented by the passed UPN claim then I get a different "access is denied" error shown in SharePoint when trying to log in as that user.

Also in the SharePoint log it does appear that the UPN has been converted to a Windows AD account because I get the following in the log:

Verbose  ____Current User=i:DOMAINNAME\SSO_administrator    7b4eac31-d017-429c-87f2-a3100ece6797

Update

It looks like maybe this isn't a supported setting to use within SharePoint. However if I leave the setting off, it seems that Performance Point and Excel Services reports embedded in the SharePoint site do not work properly. I get errors like:

  • The data connection uses Windows Authentication and user credentials could not be delegated. (Excel)
  • $Resources:ppsma.ServerCommon, ErrorCode_DataSourceCannotGetWindowsIdentityForNonWindowsClaim; (Performance Point SSRS report)

Is there a way around this? I need the user's UPN to be the account used to query the SSAS data behind these, so it is not feasible to use fixed connection strings.

Solution 2

It turns out that the mapToWindows config value is not supported within SharePoint. You have to rely on each part of SharePoint being claims aware and converting the token themselves. This is a bit of a pain because PerformancePoint and Excel Services are not claims aware, so you end up being stuck using Windows auth if your SSAS cube requires AD security.
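As an added illustration of the answer's point (this is not the answer author's code and not anything SharePoint ships): a custom claims-aware component that does the UPN-to-Windows conversion itself through C2WTS before querying SSAS. The class name, method names and the use of ADOMD.NET are my assumptions; S4UClient, IClaimsIdentity and ClaimTypes are the WIF 1.0 (Microsoft.IdentityModel) APIs the question's web.config settings belong to.

```csharp
// Added example: a claims-aware component converting the UPN claim to a
// Windows identity via the Claims to Windows Token Service (C2WTS) itself.
using System;
using System.Security.Principal;
using System.Threading;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.WindowsTokenService;
using Microsoft.AnalysisServices.AdomdClient;

public static class ClaimsToWindowsDataAccess   // hypothetical class name
{
    // Returns the UPN claim of the current claims identity, or null if absent.
    static string CurrentUpn()
    {
        var identity = Thread.CurrentPrincipal.Identity as IClaimsIdentity;
        if (identity == null) return null;
        foreach (Claim c in identity.Claims)
            if (c.ClaimType == ClaimTypes.Upn) return c.Value;
        return null;
    }

    // Runs an MDX query against SSAS as the AD account behind the UPN claim.
    public static CellSet QueryAsClaimsUser(string connectionString, string mdx)
    {
        string upn = CurrentUpn();
        if (string.IsNullOrEmpty(upn))
            throw new InvalidOperationException("No UPN claim on the current identity.");

        // C2WTS performs an S4U logon: a Windows token for the UPN without a password.
        // The calling process account must be listed under <allowedCallers> in
        // c2wtshost.exe.config and the service must be started; otherwise this throws.
        // Reaching SSAS on another server additionally needs Kerberos constrained
        // delegation (protocol transition) from the C2WTS service account to the
        // SSAS SPN; without it the token is identification-level and the connection
        // fails, which is the same class of error the question's reports show.
        WindowsIdentity windowsIdentity = S4UClient.UpnLogon(upn);

        // Impersonate only for the duration of the query, then revert automatically.
        using (WindowsImpersonationContext ctx = windowsIdentity.Impersonate())
        using (var conn = new AdomdConnection(connectionString))
        {
            conn.Open();
            using (var cmd = new AdomdCommand(mdx, conn))
                return cmd.ExecuteCellSet();
        }
    }
}
```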

License: CC-BY-SA with attribution
Not affiliated with StackOverflow