The last step in enabling per-user authentication is to configure and start the Claims to Windows Token Service (C2WTS). This service ships with Microsoft Windows Identity Foundation and is new to SharePoint 2010. Inside the farm the user's identity travels as a Windows claims identity; C2WTS converts that claims identity back into an impersonation-level Windows token that the service application can present to the data source. Note that such a token is only usable on the local server unless the account running C2WTS (Local System, and therefore the server's computer account, by default) is configured in Active Directory for Kerberos constrained delegation with protocol transition ("Use any authentication protocol") to the data source's service principal name; without that, the hop to a remote SQL Server or Analysis Services instance will fail even though the token was issued. The configuration below must be performed on every SharePoint server in the farm that hosts a service application that will delegate the user's identity.
The first step is to edit the C2WTSHost.exe.config configuration file. By default the service is configured to deny every account on the box from calling it, so the SharePoint application pool identities must be allowed explicitly. The simplest way to do that is to allow the local WSS_WPG group, which SharePoint populates with the accounts that run its web applications and service applications. The file lives at %ProgramFiles%\Windows Identity Foundation\v3.5, and the <add value="WSS_WPG" /> line inside the allowedCallers element needs to be added to it:
<?xml version="1.0"?>
<configuration>
  <configSections>
    <section name="windowsTokenService" type="[assembly info]"/>
  </configSections>
  <windowsTokenService>
    <allowedCallers>
      <!-- Added line: let the SharePoint process group call C2WTS -->
      <add value="WSS_WPG" />
    </allowedCallers>
  </windowsTokenService>
</configuration>
After you have saved the file, the final step is to enable and start the Claims to Windows Token Service. SharePoint setup installs the Windows service in the Disabled state. In Server Manager (Configuration > Services, or services.msc), set the startup type of the Claims to Windows Token Service to Automatic and then start it. If the service was already running when you edited the file, restart it so the new allowedCallers entry is read. SharePoint also tracks C2WTS as a farm service instance, so additionally start Claims to Windows Token Service on the same server under Central Administration > System Settings > Manage services on server; the service application will not use C2WTS until the instance shows as Started there. Leave the service running as Local System unless you have a specific reason to change it; a custom service account must be a local administrator and hold the "Act as part of the operating system", "Impersonate a client after authentication" and "Log on as a service" rights, or the token it returns will not be impersonation level.
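The following PowerShell script is an added example, not part of the original text or of any Microsoft-supplied script; it performs the two steps above on one SharePoint 2010 server in an idempotent way so it can be run on every server that needs C2WTS. It assumes Windows Identity Foundation is installed in the default %ProgramFiles% location, that the stock C2WTSHost.exe.config (with its windowsTokenService and allowedCallers elements) is present, that the Windows service name is c2wts (its display name is Claims to Windows Token Service), and that it is run from an elevated SharePoint 2010 Management Shell.

```powershell
# Added example (not from the original page): configure and start C2WTS on this server.
# Assumes: default WIF 3.5 install path, stock C2WTSHost.exe.config, service name 'c2wts',
# and an elevated SharePoint 2010 Management Shell (for the SP* cmdlets at the end).

$configPath = Join-Path $env:ProgramFiles 'Windows Identity Foundation\v3.5\c2wtshost.exe.config'
if (-not (Test-Path $configPath)) {
    throw "C2WTS configuration file not found at $configPath"
}

# Keep a copy of the file before changing it.
Copy-Item -Path $configPath -Destination "$configPath.bak" -Force

[xml]$config = Get-Content -Path $configPath
$callers = $config.SelectSingleNode('/configuration/windowsTokenService/allowedCallers')
if ($null -eq $callers) {
    throw 'windowsTokenService/allowedCallers element is missing; inspect the file by hand'
}

# Add WSS_WPG only if it is not already listed, so the script is safe to re-run.
$configChanged = $false
if ($callers.SelectNodes("add[@value='WSS_WPG']").Count -eq 0) {
    $add = $config.CreateElement('add')
    $add.SetAttribute('value', 'WSS_WPG')
    [void]$callers.AppendChild($add)
    $config.Save($configPath)
    $configChanged = $true
    Write-Host "Added WSS_WPG to allowedCallers in $configPath"
} else {
    Write-Host 'WSS_WPG is already an allowed caller; configuration unchanged'
}

# Windows service: Automatic start, then start (or restart, if the config changed
# while it was already running so the new allowedCallers entry is picked up).
$serviceName = 'c2wts'
Set-Service -Name $serviceName -StartupType Automatic
$svc = Get-Service -Name $serviceName
if ($svc.Status -ne 'Running') {
    Start-Service -Name $serviceName
} elseif ($configChanged) {
    Restart-Service -Name $serviceName
}
Write-Host ("Windows service {0}: {1}" -f $serviceName, (Get-Service -Name $serviceName).Status)

# SharePoint tracks C2WTS as a service instance per server; start it there as well,
# which is the same thing as Central Administration > Manage services on server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$instance = Get-SPServiceInstance -Server $env:COMPUTERNAME |
    Where-Object { $_.TypeName -eq 'Claims to Windows Token Service' }
if ($null -eq $instance) {
    throw 'Claims to Windows Token Service instance not found for this server'
}
if ($instance.Status -ne 'Online') {
    Start-SPServiceInstance -Identity $instance | Out-Null
    Write-Host 'Started the SharePoint Claims to Windows Token Service instance'
} else {
    Write-Host 'SharePoint Claims to Windows Token Service instance is already online'
}
```

The script edits the file through the XML DOM rather than with string replacement, so the existing section declaration and any other allowedCallers entries are preserved, and the explicit check before appending the element prevents duplicate add entries when the script is run a second time.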