"Cannot convert claims to windows token" "Could not retrieve a valid windows identity" "UPN is required when Kerberos constrained delegation is used"

For a while now, we here at PowerPivot for SharePoint Support have seen a variety of Claims Identity/Windows Token/UPN errors, primarily with PowerPivot failing to refresh a workbook in the browser.

But recently, I noticed another product presenting this error.

In the ULS logs, you will see:

10/29/2013 10:11:28.57 w3wp.exe (0x1DA4) 0x33F4 SharePoint Foundation Claims Authentication bz7l Medium SPSecurityContext.WindowsIdentity: Could not retrieve a valid windows identity for NTName=’Domain\User’, UPN=’User@Domain.com’. UPN is required when Kerberos constrained delegation is used. Exception: System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.    Server stack trace:      at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)     at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)     at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)     at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)     at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)    Exception rethrown at [0]:      at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)     at Microsoft.IdentityModel.WindowsTokenService.S4UClient.IS4UService_dup.UpnLogon(String upn, Int32 pid)     at Microsoft.IdentityModel.WindowsTokenService.S4UClient.<>c__DisplayClass1.<UpnLogon>b__0(IS4UService_dup channel)     at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(Func`2 contractOperation)     at Microsoft.SharePoint.SPSecurityContext.GetWindowsIdentity().

In the GUI, you will see the error “Cannot convert identity to windows token.”

Any user that is trying to refresh data needs Read permission granted to Authenticated Users on that user's Active Directory object (in Active Directory Users and Computers, open the user object's Properties > Security tab; note: you may need to enable Advanced Features under the View menu so the Security tab is visible).
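To confirm the permission before touching the ACL, the following added PowerShell check (not from the original post) reads the user's AD object ACL and reports whether Authenticated Users still holds a Read allow entry; it assumes the RSAT ActiveDirectory module is installed and the session is domain-joined.

```powershell
# Added example: verify that Authenticated Users can read a user's AD object,
# which the Claims to Windows Token Service UPN logon depends on.
# Assumes the RSAT ActiveDirectory module (provides the AD: drive).
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName   # the user whose workbook refresh fails
)

Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName

# A missing UPN produces the same error independently of the ACL.
if (-not $user.UserPrincipalName) {
    Write-Warning "$SamAccountName has no UPN set; the UPN logon will fail regardless of permissions."
}

# Resolve the well-known SID for Authenticated Users (S-1-5-11) to its account name.
$authUsers = (New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11').Translate(
    [System.Security.Principal.NTAccount]).Value

$genericRead = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

# Keep only Allow ACEs for Authenticated Users that carry the full GenericRead bits.
$readAces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $authUsers -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $genericRead) -eq $genericRead)
}

if ($readAces) {
    "OK: Authenticated Users has Read on $($user.DistinguishedName)"
    $readAces | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited | Format-Table -AutoSize
} else {
    Write-Warning ("Authenticated Users has no Read allow ACE on $($user.DistinguishedName); " +
                   "expect 'Could not retrieve a valid windows identity' until Read is granted.")
}
```

Run it as `.\Check-C2wtsRead.ps1 -SamAccountName <user>`; an empty result with selective authentication enabled on a trust is the situation described in the comments below.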


Comments (3)

  1. Marcel: The resource is the Active Directory object of the user account that is refreshing the workbook. You will need to open Active Directory Users and Computers, select View > Advanced Features from the menu, then find the user account in the domain, and then right-click the object and select Properties to view the Security tab and add the Read permission to Authenticated Users as described above.

  2. Marcel says:

    What is the resource you are granting READ access to?

  3. JaredCEG says:

    In my case I had to grant read access for my SharePoint farm servers. My issue was due to the fact that I have selective authentication enabled for an AD trust, which removes the permissions from the Authenticated Users group on all AD objects. When I added my SharePoint servers to a group I set up that had read access to all AD objects, it stopped throwing the claims authentication error about the UPN.
