Consider the following scenario with two Active Directory forests:

• Internal forest, which the SharePoint farm relies on ( - configured with selective authentication
• External forest, where the external users are referenced ( - configured with forest-wide authentication

There is a two-way trust between the two forests.

When we access the reports (Reporting Services reports) from the external domain while AD selective authentication is in place, we receive the following error message:

"Cannot convert claims to windows token."

The issue does not occur if AD forest-wide authentication is configured for the internal forest (

Allowed to Authenticate permission for external users to SharePoint service accounts

Grant Allowed to Authenticate permission for external users to C2WTS service account and Reporting service account

dsacls "cn=svc2wts,dc=contoso,dc=com" /G "fabrikam\user1:CA;Allowed to Authenticate"
dsacls "cn=svc_repoting,dc=contoso,dc=com" /G "fabrikam\user1:CA;Allowed to Authenticate"
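
An added PowerShell example (not part of the original post) that applies the two grants above only where they are missing and then lists every principal that holds Allowed to Authenticate on the two service accounts, so the selective-authentication allowlist can be reviewed. It assumes the ActiveDirectory module (RSAT) is installed and that it is run in the internal forest with rights to modify the accounts; the function name is hypothetical and the GUID is the rightsGuid of the Allowed-To-Authenticate extended right.

```powershell
Import-Module ActiveDirectory   # assumption: RSAT AD module is present; it provides the AD: drive

# rightsGuid of the Allowed-To-Authenticate extended right
$AllowedToAuth = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

# DNs and principal exactly as used in the dsacls commands above
$ServiceAccounts = 'cn=svc2wts,dc=contoso,dc=com', 'cn=svc_repoting,dc=contoso,dc=com'
$Principal       = 'fabrikam\user1'

function Get-AllowedToAuthenticate {
    # Returns every Allow ACE that conveys Allowed to Authenticate on the object.
    # An ACE with an empty ObjectType grants all extended rights, so it counts too.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag($extended) -and
            ($_.ObjectType -eq $AllowedToAuth -or $_.ObjectType -eq [Guid]::Empty)
        } |
        Select-Object @{ n = 'Account';           e = { $DistinguishedName } },
                      @{ n = 'Principal';         e = { $_.IdentityReference.Value } },
                      @{ n = 'AllExtendedRights'; e = { $_.ObjectType -eq [Guid]::Empty } },
                      IsInherited
}

foreach ($dn in $ServiceAccounts) {
    # Skip the grant when the explicit ACE for this principal already exists
    $already = Get-AllowedToAuthenticate $dn |
        Where-Object { $_.Principal -eq $Principal -and -not $_.AllExtendedRights }
    if (-not $already) {
        # ${Principal} keeps PowerShell from parsing "$Principal:CA" as a scoped variable
        dsacls $dn /G "${Principal}:CA;Allowed to Authenticate" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "dsacls failed for $dn (exit code $LASTEXITCODE)" }
    }
}

# Review the result: with selective authentication, these ACEs decide which
# principals from the trusted forest may authenticate to the service accounts.
$ServiceAccounts | ForEach-Object { Get-AllowedToAuthenticate $_ } |
    Sort-Object Account, Principal | Format-Table -AutoSize
```

Entries in the output other than the intended external users, especially inherited ones or ones with AllExtendedRights set, are worth reviewing before relying on selective authentication as a boundary.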

Additional information: "Grant the Allowed to Authenticate permission on computers in the trusting domain or forest" and "How Domain and Forest Trusts Work".