
Ondrej Sevecek's Blog


Engineering and troubleshooting by Directory Master!
January 30
No commentary - just my notes on troubleshooting the Claims to Windows token service (c2wts)

Don't even read this. I just wanted to write down somewhere the things I used while troubleshooting the claims to windows token service (c2wts, c2wtshost), a.k.a. Windows Identity Foundation (WIF). I am not going to explain it, so this is only for my own reference.

# Kerberos S4U login with UPN only
# Common problems - the caller must be a member of "Windows Authorization Access Group"
# or at least have Read permission to tokenGroupsGlobalAndUniversal AD LDAP attribute of the subject account
# If the caller is not member of local Administrators or does not have SeTcbPrivilege, the resulting access token will only be at the Identification level
$s4u = New-Object System.Security.Principal.WindowsIdentity 'sp-admin@gopas.virtual'

# Using identity foundation and the c2wts service
# Common problems - the caller must be listed among the allowedCallers in the c2wtshost.exe.config file or you get the "wts0003: the caller is not authorized to use the service" error.
# Later permission issues manifest themselves with "Token cannot be zero" exception
[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.IdentityModel')
[System.Security.Principal.WindowsIdentity] $winId = [Microsoft.IdentityModel.WindowsTokenService.S4UClient]::UpnLogon("sp-admin@gopas.virtual")
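The following diagnostic script is an added example, not code from the original post. It checks, for the account running it, the prerequisites the notes above list for a working S4U logon and c2wts call: membership in Windows Authorization Access Group (asked of AD, since that Builtin group is not reflected in tokens on member servers), SeTcbPrivilege, local Administrators, presence in `allowedCallers` of c2wtshost.exe.config, and the impersonation level and group count of the S4U token itself. The config path `C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config` and the `-CallerSam` default are assumptions; the UPN is the one used on this page.

```powershell
# Added diagnostic example, not code from the original post. Checks the c2wts/S4U
# prerequisites noted above for the account running it.
# Assumption: the WIF 3.5 config path below.
$C2wtsConfigPath = 'C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config'

function Get-C2wtsAllowedCallers {
    param([string] $Path = $C2wtsConfigPath)
    # c2wtshost.exe.config: <windowsTokenService><allowedCallers><add value="..."/>
    [xml] $cfg = Get-Content -Path $Path -Raw
    @($cfg.configuration.windowsTokenService.allowedCallers.add) | ForEach-Object { $_.value }
}

function Test-CallerIsAllowed {
    param([System.Security.Principal.WindowsIdentity] $Identity, [string[]] $AllowedCallers)
    # allowedCallers entries are account or group names (e.g. WSS_WPG or DOMAIN\name);
    # compare them with the caller's own name and with every group in its token
    $names = @($Identity.Name) + @($Identity.Groups | ForEach-Object {
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
    })
    foreach ($caller in $AllowedCallers) {
        if ($names | Where-Object { $_ -eq $caller -or $_ -like "*\$caller" }) { return $true }
    }
    return $false
}

function Test-HasPrivilege {
    param([Parameter(Mandatory)] [string] $Privilege)
    # whoami /priv lists every privilege held by the current token, enabled or not
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    [bool] ($privs | Where-Object { $_.'Privilege Name' -eq $Privilege })
}

function Test-InWindowsAuthAccessGroup {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    # Ask AD rather than the local token: the group lives in the domain's Builtin
    # container and does not appear in tokens built on member servers.
    $domainDn = ([ADSI] 'LDAP://RootDSE').defaultNamingContext
    $groupDn  = "CN=Windows Authorization Access Group,CN=Builtin,$domainDn"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher ([ADSI] "LDAP://$domainDn")
    # LDAP_MATCHING_RULE_IN_CHAIN resolves nested group membership on the server side
    $searcher.Filter = "(&(sAMAccountName=$SamAccountName)(memberOf:1.2.840.113556.1.4.1941:=$groupDn))"
    $null -ne $searcher.FindOne()
}

function Test-C2wtsPrerequisites {
    param([Parameter(Mandatory)] [string] $SubjectUpn,
          # The AD principal the caller runs as; for a service running as Network
          # Service that is the computer account (HOST$), not the token name
          [string] $CallerSam = $env:USERNAME)
    $me        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal $me
    $report = [ordered]@{
        Caller                   = $me.Name
        InWindowsAuthAccessGroup = Test-InWindowsAuthAccessGroup -SamAccountName $CallerSam
        HasSeTcbPrivilege        = Test-HasPrivilege -Privilege 'SeTcbPrivilege'
        IsLocalAdministrator     = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        ListedInAllowedCallers   = Test-CallerIsAllowed -Identity $me -AllowedCallers (Get-C2wtsAllowedCallers)
    }
    try {
        # Direct S4U logon: an Identification-level token cannot be used to impersonate
        $s4u = New-Object System.Security.Principal.WindowsIdentity $SubjectUpn
        $report.S4UImpersonationLevel = $s4u.ImpersonationLevel
        # Few or no groups usually means tokenGroupsGlobalAndUniversal could not be read
        $report.S4UGroupCount = $s4u.Groups.Count
    } catch {
        $report.S4UError = $_.Exception.Message
    }
    [pscustomobject] $report
}

Test-C2wtsPrerequisites -SubjectUpn 'sp-admin@gopas.virtual'
```

Run it under the same account the c2wts caller uses (for SharePoint that is the web application pool identity) so the token checks reflect the real caller; the AD query is the one column that does not depend on where the script runs.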

# Get the c2wts named pipe and the net.pipe URL
# The pipe name will be a random {guidguid-guid-guid-guid-guidguidguid}
# it seems like there are always 8 instances. But the simplest way
# to determine which one it is, is to get the list before and after the c2wts
# service is running and compare
[System.IO.Directory]::GetFiles('\\.\pipe')
pipelist | ? { $_ -like '*-*-*-*-*' }

$pipeName = (t:\sysinternals\handle.exe 'net.pipe:' | ? { $_ -like 'c2wtshost.exe*' } | % { $_.Split('\') } | select -l 1 | % { $_.Split(':') } | select -l 1).SubString(1)
$bytes = [convert]::FromBase64String($pipeName)

# The result was
# net.pipe://+/S4U/022694F3-9FBD-422B-B4B2-312E25DAE2A2/
# which is a normalized version of the following: net.pipe://localhost/S4U/022694F3-9FBD-422B-B4B2-312E25DAE2A2/
[System.Text.ASCIIEncoding]::ASCII.GetString($bytes)
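The pipe discovery and the base64 decoding above, as an added example that is not part of the original post: one function diffs the `\\.\pipe` listing before and after the service starts, the other decodes the `net.pipe:` section name that handle.exe prints. The service name `c2wts` and the handle.exe line layout in the constructed sample are assumptions; so is my understanding of WCF's naming scheme, in which the character after `net.pipe:` (the one the notes drop with `SubString(1)`) is a tag: `E` when the base64 carries the canonical URL itself and `H` when the URL was too long and only a hash of it is stored.

```powershell
# Added example, not code from the original post. Locates the c2wts named pipe by
# diffing \\.\pipe around a service restart, and decodes the net.pipe: section name
# shown by handle.exe. Assumptions: service name 'c2wts', the handle.exe line layout
# of the constructed sample, and the E/H tag scheme described in the comments.

function Get-PipeNames {
    # Named pipes appear as files under the \\.\pipe pseudo-directory
    [System.IO.Directory]::GetFiles('\\.\pipe') | ForEach-Object { $_.Substring($_.LastIndexOf('\') + 1) }
}

function Find-NewPipes {
    param([string[]] $Before, [string[]] $After)
    # Keep only names present after and absent before
    Compare-Object -ReferenceObject $Before -DifferenceObject $After |
        Where-Object { $_.SideIndicator -eq '=>' } |
        ForEach-Object { $_.InputObject }
}

function Find-C2wtsPipe {
    param([string] $ServiceName = 'c2wts')
    # Snapshot with the service down, start it, snapshot again; the WCF pipe is the
    # GUID-shaped newcomer. This restarts the service, so run it on a test box.
    Stop-Service -Name $ServiceName -ErrorAction Stop
    $before = Get-PipeNames
    Start-Service -Name $ServiceName -ErrorAction Stop
    Start-Sleep -Seconds 5
    $after = Get-PipeNames
    Find-NewPipes -Before $before -After $after |
        Where-Object { $_ -match '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$' }
}

function ConvertFrom-NetPipeSectionName {
    param([Parameter(Mandatory)] [string] $HandleLine)
    # handle.exe shows the WCF shared-memory section as \BaseNamedObjects\net.pipe:<tag><base64>.
    # Tag 'E': the base64 is the canonical URL (host replaced by +, as the result above shows).
    # Tag 'H': the URL was hashed and cannot be recovered, so fall back to the pipe-list diff.
    if ($HandleLine -notmatch 'net\.pipe:(\S+)') { throw 'no net.pipe section name in this line' }
    $tag     = $Matches[1].Substring(0, 1)
    $payload = $Matches[1].Substring(1)
    switch ($tag) {
        'E'     { [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) }
        'H'     { throw 'hashed section name: URL not recoverable, use Find-C2wtsPipe instead' }
        default { throw "unknown net.pipe section tag '$tag'" }
    }
}

# Constructed sample (not real handle.exe output) with a placeholder GUID in the URL
$sampleUrl  = 'net.pipe://+/S4U/00000000-0000-0000-0000-000000000000/'
$sampleLine = 'c2wtshost.exe  pid: 1234  type: Section  1C8: \BaseNamedObjects\net.pipe:E' +
              [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($sampleUrl))
ConvertFrom-NetPipeSectionName -HandleLine $sampleLine   # decodes back to $sampleUrl
```

Feed `ConvertFrom-NetPipeSectionName` the real line from `handle.exe 'net.pipe:'` to get the endpoint URL, and `Find-C2wtsPipe` to learn which GUID pipe under `\\.\pipe` belongs to the service when you need to check its ACL or watch who connects.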


# The SharePoint Secure Store error when trying to generate a key through Central Administration;
# the solution was to make the Secure Store service account a member of local Administrators,
# but that is not something that would satisfy me :-)
Exception calling "UpnLogon" with "1" argument(s): "Token cannot be zero."
SPSecurityContext Could not retrieve valid windows identity username Token cannot be zero
.Exception.HResult = -2146233087 = COR_E_SYSTEM
.Exception.InnerException.HResult = -2147024809 = COR_E_ARGUMENT
