Sunday, January 27, 2019

Resolving “Could not retrieve a valid windows identity for username with UPN.” error for a user from external domain

In one of my SharePoint/BI farms I got the following error when opening a PowerPivot report with data refresh.

In this scenario I had another domain connected through a forest trust, and I hit the error when logging in to the SharePoint site with a user account from that domain.
The following is the error message I got from the ULS log:
SPSecurityContext: Could not retrieve a valid windows identity for username '' with UPN ''. UPN is required when Kerberos constrained delegation is used. Exception: System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied
The following are the checkpoints I went through:
  • Relevant SPN entries are in place : Done
  • Service account is enabled for delegation : Done
  • Name suffix is enabled for routing : Gotcha!!
In my scenario the relevant name suffix was disabled. The following is the way to enable it:
  • Log in to a Domain Controller
  • Navigate to Active Directory Domains and Trusts. Open Properties and go to the Trusts tab
  • Select the relevant domain name and click on Properties. Then navigate to the Name Suffix Routing tab
  • Enable it

It resolved the error for me!
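
The three checkpoints above can also be reviewed from an elevated PowerShell prompt on a domain controller. This is an added example, not part of the original post: the domain names and the service account are placeholders, and it assumes the service account is a user object, that the forest hosting SharePoint is the trusting side, and that the ActiveDirectory module, setspn and netdom are installed.

```powershell
# Placeholder values (assumptions, not from the original post): replace with your own.
$TrustingDomain = 'resource.example'   # forest that hosts the SharePoint/BI farm
$TrustedDomain  = 'account.example'    # forest the failing user account belongs to
$ServiceAccount = 'svc-placeholder'    # service account used for delegation

Import-Module ActiveDirectory

# Checkpoint 1: SPN entries registered on the service account.
Write-Host "SPNs registered on ${ServiceAccount}:"
setspn -L $ServiceAccount

# Checkpoint 2: delegation settings on the service account.
# TrustedToAuthForDelegation and msDS-AllowedToDelegateTo describe
# constrained delegation; TrustedForDelegation is unconstrained delegation.
Get-ADUser -Identity $ServiceAccount -Properties `
        TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo' |
    Format-List SamAccountName, TrustedForDelegation,
                TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

# Checkpoint 3: name suffixes routed across the forest trust.
# Each suffix is listed with an entry number and its routing status.
Write-Host "Name suffix routing for trust ${TrustedDomain}:"
netdom trust $TrustingDomain "/namesuffixes:$TrustedDomain"

# To change the status of one suffix, pass the entry number shown in the
# listing above. Left commented out so the script stays read-only.
# netdom trust $TrustingDomain "/namesuffixes:$TrustedDomain" /togglesuffix:<number>
```

After toggling a suffix, run the listing again to confirm that the entry now shows as enabled.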