Alexander Anikin's blog

My personal blog

Excel Services – File Access Method: Impersonation


When you try to open an Excel workbook stored on a file server (not joined to the farm) and render it in Excel Services (with the file access method set to Impersonation), the message below is shown because the user's credentials are not being passed to the file server.

“Excel You do not have permissions to open this file in the browser”
 
Cause:
Kerberos was not properly set up to pass credentials from the farm to the file server.
 

Resolution:

If you want to use impersonation (Central Administration > Manage Service Applications > Excel Services Application > Global Settings > Security: File Access Method > Impersonation, instead of Process Account) and be able to open Excel files in Excel Services that are stored on a file server, you must do the following:

Make sure the Claims to Windows Token Service is running on any server running Excel Calculation Services. In this example it is only running on one server (Server001).
Locate the service account running the Excel Services Application via Central Administration > Security > Configure Service Accounts > Credential Management (example of an account running the Excel Services Application: Microsoft\ExcelSvcAccnt).
Set a dummy SPN for this service account via ADSIEdit.msc > ExcelSvcAccnt (example) > Properties > Service Principal Name > HTTP/C2WTS > Add > OK

Trust the file server (the server where the files are stored; example: “Server002”) for Kerberos delegation via:
Active Directory > Computers > Server002 (example) > Properties > Delegation > Trust this computer for delegation to any service (Kerberos only).

Constrain the service account running the Excel Services Application to the file server (Server002) via:
Active Directory > Users > Microsoft\ExcelSvcAccnt (example) > Properties > Delegation > Trust this user for delegation to specified services only > Use any authentication protocol > Add > SP002 (File Server) > Select All > OK

Constrain the machine running “Claims to Windows Token Service” and “Excel Services Application” (Server001) to the file server (Server002) via:
Active Directory > Computers > SP001 (example) > Properties > Delegation > Trust this computer for delegation to specified services only > Use any authentication protocol > Add > SP002 (File Server) > Select All > OK

Authentication should now be properly set up.
Authorization on the file server must still be granted via NTFS permissions.

Update:

What we need to do in AD:
1. Trust the file servers (e.g. tx2fs008): trust for delegation to all services (Kerberos only).
For all file servers, set the AD attribute userAccountControl (add the TRUSTED_FOR_DELEGATION flag with a bitwise OR).
2. Constrain the Excel Services account (e.g. svc_ow_services).
Attribute msDS-AllowedToDelegateTo: add the services of the file server.

3. Constrain the OW server account (e.g. tx2ow002$).
Attribute msDS-AllowedToDelegateTo: add the services of the file server.
 
PS: I’m not sure, but we can make Trust delegation for all services (Kerberos only) for 2 and 3 and not constrain it for file-servers only. It’s much simpler.
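
To check the result against the AD attributes named in the Update, the following added example (not part of the original post) decodes userAccountControl and msDS-AllowedToDelegateTo into the Delegation tab setting and reports accounts that differ from the intended state in steps 1 to 3. The account names are the post's examples; the domain example.test, the host tx2db001 and all attribute values are constructed assumptions.

```python
# Added example (not from the original post): read delegation state from raw AD attributes.
# Flag values are the documented userAccountControl bits; all sample data is constructed.
TRUSTED_FOR_DELEGATION = 0x80000            # "any service (Kerberos only)": host receives users' TGTs
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol"

def delegation_mode(uac, allowed_to):
    """Map userAccountControl + msDS-AllowedToDelegateTo to the Delegation tab setting."""
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if not allowed_to:
        return "none"
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained-any-protocol"
    return "constrained-kerberos-only"

def spn_host(spn):
    """'cifs/tx2fs008.example.test:445' -> 'tx2fs008' (short host name, lower case)."""
    host = spn.split("/")[1]
    return host.split(":")[0].split(".")[0].lower()

def audit(accounts, expected, file_servers):
    """Return (name, problem) pairs where an account differs from the intended setup."""
    findings = []
    for name, (uac, allowed_to) in accounts.items():
        mode = delegation_mode(uac, allowed_to)
        if mode != expected[name]:
            findings.append((name, f"is {mode}, expected {expected[name]}"))
        stray = sorted({spn_host(s) for s in allowed_to} - file_servers)
        if stray:
            findings.append((name, "delegates to non-file-server hosts: " + ", ".join(stray)))
    return findings

# Intended state from the Update section (names are the post's examples).
EXPECTED = {"tx2fs008$": "unconstrained",
            "svc_ow_services": "constrained-any-protocol",
            "tx2ow002$": "constrained-any-protocol"}
FILE_SERVERS = {"tx2fs008"}
# Constructed attribute values: name -> (userAccountControl, msDS-AllowedToDelegateTo).
TARGETS = ["cifs/tx2fs008.example.test", "HOST/tx2fs008.example.test"]
SAMPLE = {"tx2fs008$": (0x1000 | TRUSTED_FOR_DELEGATION, []),
          "svc_ow_services": (0x200 | TRUSTED_FOR_DELEGATION, []),  # drifted to unconstrained
          "tx2ow002$": (0x1000 | TRUSTED_TO_AUTH_FOR_DELEGATION, TARGETS + ["cifs/tx2db001.example.test"])}

if __name__ == "__main__":
    for name, problem in audit(SAMPLE, EXPECTED, FILE_SERVERS):
        print(f"{name}: {problem}")
```

On a live domain the two attributes would be read per account from the directory and fed to audit() in place of SAMPLE.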

Written by Alex Anikin

November 13, 2010 at 10:33 am

2 Responses


  1. […] 1. Excel Services account should be in local Administrators when it’s working in File Access Method – Impersonation. (more info https://aanikin.wordpress.com/2010/11/13/excel-services-file-access-method-impersonation/) […]

  2. Very helpful. It helped me resolve the issue of being unable to open an Excel file in the browser. Many thanks.

    Martin

    February 24, 2011 at 9:04 am

