Excel Services – File Access Method: Impersonation
When attempting to open an Excel workbook stored on a file server (not joined to the farm) and render it in Excel Services (with the file access method set to Impersonation), the message below is thrown because user credentials are not being passed to the file server.
“Excel You do not have permissions to open this file in the browser”
Cause:
Kerberos was not properly set up to pass credentials from the farm to the file server.
Resolution:
If you want to use impersonation (set via Central Administration > Manage Service Applications > Excel Services Application > Global Settings > Security: File Access Method > Impersonation, instead of Process Account) and be able to open Excel files in Excel Services that are stored on a file server, you must:
Make sure the Claims to Windows Token Service is running on any server running Excel Calculation Services. In this example it is only running on one server (Server001).
Locate the service account running the Excel Services Application via Central Administration > Security > Configure Service Accounts > Credential Management (example of an account running the Excel Services Application: Microsoft\ExcelSvcAccnt).
Set a dummy SPN for this service account via ADSIEdit.msc > ExcelSvcAccnt (example) > Properties > Service Principal Name > HTTP/C2WTS > Add > OK
Trust the file server (the server where the files are stored; example: “Server002”) for Kerberos delegation via:
Active Directory > Computers > Server002 (example) > Properties > Delegation > Trust this Computer for delegation to any service (Kerberos only).
Constrain the service account running the Excel Services Application to the file server (Server002) via:
Active Directory > Users > Microsoft\ExcelSvcAccnt (example) > Properties > Delegation > Trust this user for delegation to specified services only > Use any authentication protocol > Add > SP002 (File Server) > Select All > OK
Constrain the machine running “Claims to Windows Token Service” and “Excel Services Application” (Server001) to the file server (Server002) via:
Active Directory > Computers > SP001 (example) > Properties > Delegation > Trust this computer for delegation to specified services only > Use any authentication protocol > Add > SP002 (File Server) > Select All > OK
Authentication should now be properly set up.
Authorization on the file server must still be granted properly via NTFS permissions.
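To confirm the steps above took effect, the following read-only PowerShell check reads the same attributes the Delegation tab and ADSIEdit write. It is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module, WinRM access to the Excel Services server, and the post's example names (ExcelSvcAccnt, Server001, Server002), which you replace with your own. The service name `c2wts` is the short name of the Claims to Windows Token Service.

```powershell
# Added example: read-only verification of the delegation settings described above.
# Assumptions: ActiveDirectory module installed; names below are the post's examples.
Import-Module ActiveDirectory

$SvcAccount = 'ExcelSvcAccnt'   # account running the Excel Services Application
$EcsServer  = 'Server001'       # runs C2WTS and Excel Calculation Services
$FileServer = 'Server002'       # file server holding the workbooks

function Test-DelegatesTo {
    # True when any SPN in msDS-AllowedToDelegateTo names the target host
    # (short name or FQDN), e.g. cifs/Server002 or HOST/Server002.example.com
    param($AdObject, [string]$TargetHost)
    foreach ($spn in $AdObject.'msDS-AllowedToDelegateTo') {
        $hostPart = ($spn -split '/')[1] -replace ':.*$', ''
        if ($hostPart -eq $TargetHost -or $hostPart -like "$TargetHost.*") { return $true }
    }
    return $false
}

$props = 'servicePrincipalName', 'msDS-AllowedToDelegateTo',
         'TrustedForDelegation', 'TrustedToAuthForDelegation'
$user  = Get-ADUser     -Identity $SvcAccount -Properties $props
$ecs   = Get-ADComputer -Identity $EcsServer  -Properties $props
$fs    = Get-ADComputer -Identity $FileServer -Properties $props
$c2wts = Get-CimInstance -ClassName Win32_Service -Filter "Name='c2wts'" -ComputerName $EcsServer

# "Use any authentication protocol" shows up as TrustedToAuthForDelegation;
# "delegation to any service (Kerberos only)" shows up as TrustedForDelegation.
$checks = [ordered]@{
    'C2WTS is running on the Excel Services server'        = ($c2wts.State -eq 'Running')
    'Service account carries the dummy SPN HTTP/C2WTS'     = ($user.servicePrincipalName -contains 'HTTP/C2WTS')
    'Service account: any authentication protocol'         = ($user.TrustedToAuthForDelegation -eq $true)
    'Service account constrained to the file server'       = (Test-DelegatesTo $user $FileServer)
    'Excel Services server: any authentication protocol'   = ($ecs.TrustedToAuthForDelegation -eq $true)
    'Excel Services server constrained to the file server' = (Test-DelegatesTo $ecs $FileServer)
    'File server trusted for delegation to any service'    = ($fs.TrustedForDelegation -eq $true)
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-4} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
}
```

A FAIL on either "constrained to the file server" line means the target list on that object's Delegation tab does not include a service on the file server, which matches the permissions error shown above.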
Update:
[…] 1. Excel Services account should be in local Administrators when it’s working in File Access Method – Impersonation. (more info https://aanikin.wordpress.com/2010/11/13/excel-services-file-access-method-impersonation/) […]
Sharepoint Service Account’s Permisions for Office Web Apps « Alexander Anikin's blog
December 21, 2010 at 1:41 pm
Very helpful. Helped me resolve the issue: cannot open Excel file in browser. Many thanks.
Martin
February 24, 2011 at 9:04 am