I know a large number of people who believe that Claims to Windows Token Service is a SharePoint feature. They are mistaken, c2WTS is part of Windows Identity Foundation (WIF) which is one of the pre-requisites for SharePoint.

SharePoint indeed relies on c2WTS for delegation. It works this way: c2WTS extracts UPN claims from non-Windows security token (like SAML and X.509) and generates a valid Windows security token to be used for impersonation. You will only need to have this service running in SharePoint if you need services that requires impersonation (in a way it is a replacement for SSO) such as Excel Calculation Services (ECS) and PerformancePoint Services.

It happens though that besides configuring ECS being alone a complex task you may face an intermittent problem: c2WTS may not start automatically when you reboot your server. You will of course blame SharePoint for not starting the service as appropriate and this is the misleading part. Even though you set the SharePoint service Claims to Windows Token in Central Administration you are only setting up the tip of the iceberg that is managed by SharePoint. This setting will let SharePoint knows where the actual c2WTS (which is a Windows Service) is installed (you can choose more than one server). It also configures the service and add the appropriate security group (WSS_WPG) to the service config  (c:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config) and that’s it. All the hard work is done by the WIF service from this point on.

 

After having installed the service appropriately you may see it fails to start automatically and your ECS will break. Starting manually will have things back to normal, but this is not a desirable workaround. The problem with starting automatically is that c2WTS has a dependency on another windows service: Cryptographic Services. If Cryptographic Services take too long to start, c2WTS will timeout. This is a known issue with WIF that is not so well documented. To resolve this issue, you will have to add the dependency yourself. The good news is that you only have to do it once for each server running the service.

Fixing the problem:

a) Open the command-prompt window as Administrator.

b) Type: sc config c2wts depend= CryptSvc

c) Find the Claims to Windows Token Service in the services console (run: services.msc)

d) Open the properties for the service.

e) Check the Dependencies tab. Make sure Cryptographic Services is listed.

f) Click OK.

 

**** UPDATE: I have created a KB article on the subject. It can be found here: http://support.microsoft.com/kb/2512597