Consider the following scenario with two Active Directory forests:
• Internal forest that the SharePoint farm relies on (contoso.com), configured with selective authentication
• External forest where the external users are referenced (fabrikam.com), configured with forest-wide authentication
There is a two-way trust between the two forests.
When we access Reporting Services reports from the external domain fabrikam.com while AD selective authentication is in place, we receive the following error message:
"Cannot convert claims to windows token."
The issue does not occur if the internal forest (contoso.com) is configured with AD forest-wide authentication.
Cause: The external users do not have the Allowed to Authenticate permission on the SharePoint service accounts.
Resolution: Grant the external users the Allowed to Authenticate permission on the C2WTS service account and the Reporting Services service account:
dsacls "cn=svc2wts,dc=contoso,dc=com" /G "fabrikam\user1:CA;Allowed to Authenticate"
dsacls "cn=svc_repoting,dc=contoso,dc=com" /G "fabrikam\user1:CA;Allowed to Authenticate"
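To confirm the grant took effect, the following read-only check lists who holds Allowed to Authenticate on both service accounts. It is an added example, not part of the original post; it assumes it is run in contoso.com with the RSAT ActiveDirectory module, and it reuses the distinguished names and the fabrikam\user1 account from the dsacls commands above.

```powershell
# Added example (read-only audit); nothing is modified.
Import-Module ActiveDirectory

# rightsGuid of the "Allowed to Authenticate" control access right
$allowedToAuth = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

# Values taken from the dsacls commands in this article
$serviceAccounts = 'cn=svc2wts,dc=contoso,dc=com', 'cn=svc_repoting,dc=contoso,dc=com'
$externalUser    = 'fabrikam\user1'

# Resolve the external account to a SID across the trust, so the
# comparison does not depend on how names are displayed in the ACL.
$sidType = [System.Security.Principal.SecurityIdentifier]
$userSid = ([System.Security.Principal.NTAccount]$externalUser).Translate($sidType)

foreach ($dn in $serviceAccounts) {
    $acl   = Get-Acl -Path "AD:\$dn"
    $rules = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        # An empty ObjectType GUID means "all extended rights", which includes this one
        ($_.ObjectType -eq $allowedToAuth -or $_.ObjectType -eq [guid]::Empty)
    }

    [pscustomobject]@{
        ServiceAccount = $dn
        # True only for an ACE naming the user directly, not one granted through a group
        DirectAce      = [bool]($rules | Where-Object { $_.IdentityReference.Value -eq $userSid.Value })
        Holders        = ($rules.IdentityReference.Value | Sort-Object -Unique) -join ', '
    }
}
```

If the permission is granted to a group of external users instead of a single account, DirectAce is False and the group's SID appears under Holders.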
http://technet.microsoft.com/en-us/library/cc738653(v=ws.10).aspx Grant the Allowed to Authenticate permission on computers in the trusting domain or forest
http://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx How Domain and Forest Trusts Work