Browsed by
Tag: Claims Based Authentication

PowerPivot & Claims Based Authentication–Is there hope in SQL 2012?

PowerPivot & Claims Based Authentication–Is there hope in SQL 2012?

I promised an update on this in my previous article and it is time to share what I have learned.

The issue:

As many of us have painfully found, PowerPivot v1 on a Claims Based Authentication web application is not supported in SharePoint 2010.  I had a case open with Microsoft last year that had the aspirations of rectifying that situation.  We had hoped that working with the PowerPivot team (a part of the SQL Server Product team) and the SharePoint Product team that we would be able to find a way for Microsoft to change their stance and provide us a way to allow PowerPivot v1 to be supported. 

The answer for v1:

Sadly, the changes that would have to be made were too drastic for Microsoft to make in the middle of PowerPivot v1’s existing product lifecycle. 

The new and improved question:

That begs the question: Is there hope that PowerPivot v2 will be able to work on a Claims Based Authentication web application?

The caveated answer:

Keeping in mind that the product has not launched yet and things can still change (they won’t, but lets keep hoping) and that all of the SQL 2012 TechNet that are posted currently have the following statement at the top of them:

[This documentation is for preview only, and is subject to change in later releases. Blank topics are included as placeholders.]

The answer is still no.  In the TechNet article entitled “Hardware and Software Requirements (PowerPivot for SharePoint and Reporting Services in SharePoint Mode)” you will find the section under PowerPivot Sofware Requirements says in reference to SharePoint web applications:

PowerPivot for SharePoint only supports SharePoint web applications that are configured for classic-mode authentication. If you are adding PowerPivot for SharePoint to an existing farm, be sure that the web application you plan to use it with is configured for classic-mode authentication. For instructions on how to check authentication mode, see the section “Verify the Web application uses Classic mode authentication” in Deploy PowerPivot Solutions to SharePoint.“

Well damn.  Is there any hope that this is ever going to change?

Keep your chins up.  Rumor in the interwebs is that there is going to be a new version of SharePoint coming in sometime soon.  I can tell you that Microsoft has heard and continues to hear our cries out about this matter.  The more we raise this up as an issue, the more real it will be to Microsoft and the more likely they will be to invest in making the change.  If there is no perception that this is an issue, then there is no attention that will be paid and no investment dollars that will be spent.

If this is an issue for you, make sure that your Microsoft reps hear about it.  I talk about this with every Product Team member that I can get to listen to me for 5 minutes and I have never met with anything other than a warm reception and a sincere desire to know the feedback on how to make the product better.

Is this going to stop you from deploying PowerPivot v2 and Power View?

Not a snowman’s chance in the hot Jamaica sun.  I cannot wait for the final bits to drop so that I can get this amazing new product suite into the hands of every customer who wants to do BI.  The new BI story is too game changing not to get on the bus, and if I am riding it why not be driving smile

Windows with Claims User gets access denied to a site they had access to earlier in the day

Windows with Claims User gets access denied to a site they had access to earlier in the day


Small Farm 3 tiered topology using Windows with Claims implementation aggregating AD with a custom LDAP database to create the claims roles.


Users of a SharePoint 2010 site get access denied to a site they could access earlier in the day.  As the day goes on, the number of users effected increases.  Eventually only users with full control policies can access the farm.

ULS Log error:

An exception occurred in Custom Roles claim provider when calling SPClaimProvider.FillResolve(): The underlying provider failed on Open..

Root Cause:

The 10 hour default session timeout for the user’s claim has been exceeded and the database housing the Role Data is no longer accessible.   In this case it was due to an expired SQL account password. Changing the password and updating the connection string or just unchecking the password expiry flag in the SQL account will resolve the issue.

Notes from the field:

There was one easy way to prevent this type of user facing outage.  Don’t allow SQL accounts to expire.  EVER.  They are horrible to diagnose because access to the SQL Server is still operational and access using AD authentication is going to throw you off the scent because the main farm access is still available.

Read Scot Hillier’s blog on “Authorization Failures with Claims-Based Authentication in SharePoint 2010”.  Really useful stuff in there about how claims works and extending the timeouts.