Hi
We have successfully migrated our portal web application and users to claims-based authentication.
We notice now, however, that site owners (SharePoint group) can no longer create sub sites from our main site collection.
If they are made site administrators, however, they can create the sub site.
The error we get is as follows:
Successfully applied template "STS#0" to web at URL "http://portale.com/teamroom/Testprosjekt". 83e9f6d3-fadb-4844-8eca-3068a992621e Leaving Monitored Scope (Applying Named Web Template: STS#0). Execution Time=6733,01550895435 83e9f6d3-fadb-4844-8eca-3068a992621e Deleting the web at http://portale.com/teamroom/Testprosjekt . 83e9f6d3-fadb-4844-8eca-3068a992621e SPSecurityContext.WindowsIdentity: Could not retrieve a valid windows identity for NTName='domain\user', UPN='user@domain.com'. UPN is required when Kerberos constrained delegation is used. Exception: System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: WTS0003: The caller is not authorized to access the service. (Fault Detail is equal to An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is: System.UnauthorizedAccessException: WTS0003: The caller is not authorized to access the service. at Microsoft.IdentityModel.WindowsTokenService.CallerSecurity.CheckCaller(WindowsIdentity callerIdentity) at Microsoft.IdentityModel.WindowsTokenService.S4UServiceContract.PerformLogon(Func`1 logonOperation, Int32 pid) at SyncInvokeUpnLogon(Obje... 83e9f6d3-fadb-4844-8eca-3068a992621e ...ct , Object[] , Object[] ) at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs) at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc) at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc) at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(MessageRpc& rpc) at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)).. 83e9f6d3-fadb-4844-8eca-3068a992621e No windows identity for domain\user. 83e9f6d3-fadb-4844-8eca-3068a992621e
We get no error if the same user has been set as site administrator when trying to create the subsite.
We do not use Kerberos on our web application. I read somewhere that enabling Claims to Windows Token Service could help. Have tried this.
Googling has somewhat pointed towards setting up Claims to Windows Token Service properly with a domain account, but I just can't see why we would need to use this service.
Another error:
SPSecurityContext.WindowsIdentity: Could not retrieve a valid windows identity for NTName='domain\cabro', UPN='CABRO@domain.com'. UPN is required when Kerberos constrained delegation is used. Exception: System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: WTS0003: The caller is not authorized to access the service. (Fault Detail is equal to An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is: System.UnauthorizedAccessException: WTS0003: The caller is not authorized to access the service. at Microsoft.IdentityModel.WindowsTokenService.CallerSecurity.CheckCaller(WindowsIdentity callerIdentity) at Microsoft.IdentityModel.WindowsTokenService.S4UServiceContract.PerformLogon(Func`1 logonOperation, Int32 pid) at SyncInvokeUpnLogon(Obje... e1e481b5-a265-412b-bac1-3af0f28bc062 10/24/2014 10:10:11.88* w3wp.exe (0x1608) 0x2388 SharePoint Foundation Claims Authentication bz7l Medium ...ct , Object[] , Object[] ) at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs) at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc) at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc) at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(MessageRpc& rpc) at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)).. e1e481b5-a265-412b-bac1-3af0f28bc062 10/24/2014 10:10:11.88 w3wp.exe (0x1608) 0x2388 SharePoint Foundation Claims Authentication g220 Unexpected No windows identity for domain\cabro. e1e481b5-a265-412b-bac1-3af0f28bc062 10/24/2014 10:10:11.88 w3wp.exe (0x1608) 0x2388 SharePoint Foundation Claims Authentication bz7l Medium SPSecurityContext.WindowsIdentity: Could not retrieve a valid windows identity for NTName='domain\cabro', UPN='CABRO@domainc.com'. UPN is required when Kerberos constrained delegation is used. 
Exception: System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: WTS0003: The caller is not authorized to access the service. (Fault Detail is equal to An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is: System.UnauthorizedAccessException: WTS0003: The caller is not authorized to access the service. at Microsoft.IdentityModel.WindowsTokenService.CallerSecurity.CheckCaller(WindowsIdentity callerIdentity) at Microsoft.IdentityModel.WindowsTokenService.S4UServiceContract.PerformLogon(Func`1 logonOperation, Int32 pid) at SyncInvokeUpnLogon(Obje... e1e481b5-a265-412b-bac1-3af0f28bc062 10/24/2014 10:10:11.88* w3wp.exe (0x1608) 0x2388 SharePoint Foundation Claims Authentication bz7l Medium ...ct , Object[] , Object[] ) at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs) at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc) at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc) at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(MessageRpc& rpc) at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)).. e1e481b5-a265-412b-bac1-3af0f28bc062 10/24/2014 10:10:11.88 w3wp.exe (0x1608) 0x2388 SharePoint Foundation Claims Authentication g220 Unexpected No windows identity for domain\cabro.
Anyone have any tips? :-)
Best regards
Bjorn
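
A small triage helper for log text pasted like the above, as an added example that is not part of the original post: it splits the flattened ULS text at each correlation ID and lists, per request, the accounts whose Windows identity lookup failed, any WTS error codes, and whether the new web was deleted. The sample text, the placeholder correlation ID and the function name `triage` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the flattened ULS text in the post
# (URL, account names and correlation ID are placeholders).
SAMPLE = (
    "Deleting the web at http://portal.example/teamroom/Test . "
    "11111111-2222-3333-4444-555555555555 "
    "SPSecurityContext.WindowsIdentity: Could not retrieve a valid windows identity for "
    "NTName='domain\\user', UPN='user@domain.com'. UPN is required when Kerberos "
    "constrained delegation is used. Exception: System.ServiceModel.FaultException: "
    "WTS0003: The caller is not authorized to access the service. "
    "11111111-2222-3333-4444-555555555555 "
    "No windows identity for domain\\user. 11111111-2222-3333-4444-555555555555"
)

GUID = re.compile(r"\b[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\b", re.I)
IDENT = re.compile(r"NTName='([^']*)', UPN='([^']*)'")
WTS = re.compile(r"\bWTS\d{4}\b")


def triage(text):
    """Group flattened ULS text by correlation ID and summarise identity failures."""
    summary = defaultdict(
        lambda: {"accounts": set(), "wts_codes": set(), "web_deleted": False}
    )
    pos = 0
    for match in GUID.finditer(text):
        # In this paste format each message is followed by its correlation ID.
        message = text[pos:match.start()]
        pos = match.end()
        entry = summary[match.group(0).lower()]
        entry["accounts"].update(IDENT.findall(message))
        entry["wts_codes"].update(WTS.findall(message))
        if "Deleting the web at" in message:
            entry["web_deleted"] = True
    return dict(summary)


if __name__ == "__main__":
    for correlation_id, info in triage(SAMPLE).items():
        print(correlation_id, sorted(info["accounts"]),
              sorted(info["wts_codes"]), info["web_deleted"])
```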










