The user does not exist or is not unique - Claims and Kerberos authenticated site
-
Monday, May 14, 2012 8:19 PM
Hi everyone,
When using Claims/Kerberos authentication with SharePoint 2010 (SP1), I am unable to permission a user from a trusted domain (two-way trust). I get the "The user does not exist or is not unique" error. I can permission these domain users on a network share (on the SharePoint server) fine, and from the same SharePoint server we can also add these people to a Classic/Kerberos site or a Claims/NTLM site. I tried disabling the policy "Domain member: Digitally encrypt or sign secure channel data (always)", as per this blog, with no luck.
We have peoplepicker-searchadforests pointed to the forest and have GC port 3268 open.
Any suggestions would be greatly appreciated.
Many thanks!
UI Error :
The user does not exist or is not unique.
Troubleshoot issues with Microsoft SharePoint Foundation.
Correlation ID: f1316949-ab9d-4d01-9d7b-f1607fd85466
Date and Time: 5/14/2012 9:52:
ULS log:
05/14/2012 09:51:55.02 w3wp.exe (0x1A68) 0x1888 SharePoint Foundation Monitoring b4ly High Leaving Monitored Scope (SPClaimProviderOperations.ResolveClaim()). Execution Time=17190.6148686495 f1316949-ab9d-4d01-9d7b-f1607fd85466
05/14/2012 09:51:55.12 w3wp.exe (0x1A68) 0x1888 SharePoint Foundation General 72e1 High Unable to get domain DNS or forest DNS for domain DOMAINNAME. ErrorCode=1355 f1316949-ab9d-4d01-9d7b-f1607fd85466
05/14/2012 09:51:55.12 w3wp.exe (0x1A68) 0x1888 SharePoint Foundation General 75yj Medium Error in resolving user 'DOMAINNAME\USERNAME' : System.ArgumentException: Specified value is not supported for the {0} parameter. at Microsoft.SharePoint.Utilities.SPUserUtility.GetDomainControllerToSearch(SPWebApplication webApp, String domainName) at Microsoft.SharePoint.Utilities.SPActiveDirectoryPrincipalBySIDResolver.ResolvePrincipal(String input, Boolean inputIsEmailOnly, SPPrincipalType scopes, SPPrincipalSource sources, SPUserCollection usersContainer) at Microsoft.SharePoint.Utilities.SPUtility.ResolveWindowsPrincipal(SPWeb web, SPWebApplication webApp, String input, SPPrincipalType scopes, Boolean inputIsEmailOnly). f1316949-ab9d-4d01-9d7b-f1607fd85466
------------------------------------------------------------------------------------
05/14/2012 09:52:03.79 w3wp.exe (0x1A68) 0x1888 SharePoint Foundation Monitoring b4ly High Leaving Monitored Scope (SPClaimProvider.FillResolveClaim()#2). Execution Time=8679.56981962791 f1316949-ab9d-4d01-9d7b-f1607fd85466
05/14/2012 09:52:03.79 w3wp.exe (0x1A68) 0x1888 SharePoint Foundation Monitoring b4ly High Leaving Monitored Scope (SPClaimProviderOperations.ResolveClaim()#1). Execution Time=8679.88396569955 f1316949-ab9d-4d01-9d7b-f1607fd85466
05/14/2012 09:52:03.81 w3wp.exe (0x1A68) 0x1888 SharePoint Foundation General 8kh7 High The user does not exist or is not unique. f1316949-ab9d-4d01-9d7b-f1607fd85466
05/14/2012 09:52:03.82 w3wp.exe (0x1A68) 0x1888 SharePoint Foundation Runtime tkau Unexpected System.Runtime.InteropServices.COMException: The user does not exist or is not unique. at Microsoft.SharePoint.Library.SPRequestInternalClass.UpdateMembers(String bstrUrl, UInt32 dwObjectType, String bstrObjId, Guid& pguidScopeId, Int32 lGroupID, Int32 lGroupOwnerId, Object& pvarArrayAdd, Object& pvarArrayAddIds, Object& pvarArrayLoginsRemove, Object& pvarArrayIdsRemove, Boolean bRemoveFromCurrentScopeOnly, Boolean bSendEmail) at Microsoft.SharePoint.Library.SPRequest.UpdateMembers(String bstrUrl, UInt32 dwObjectType, String bstrObjId, Guid& pguidScopeId, Int32 lGroupID, Int32 lGroupOwnerId, Object& pvarArrayAdd, Object& pvarArrayAddIds, Object& pvarArrayLoginsRemove, Object& pvarArrayIdsRemove, Boolean bRemoveFromCurrentScopeOnly, Boolean bSendEmail) f1316949-ab9d-4d01-9d7b-f1607fd85466
05/14/2012 09:52:04.01 w3wp.exe (0x1A68) 0x1888 SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Request (POST:http://claims.SITEurl:80/_layouts/aclinv.aspx?GroupId=8&IsDlg=1)). Execution Time=26207.1480453521 f1316949-ab9d-4d01-9d7b-f1607fd85466
BlueSky2010
Please help and appreciate others by using these features: "Propose As Answer", "Vote As Helpful" and "Mark As Answer"
All Replies
-
Wednesday, May 16, 2012 7:27 AM
Please check setup of your WebApps. Check how many STS Providers your WebApp have. It might be pointing to the wrong STS Provider, which is causing the user to be not added to the group.
-
Thursday, May 17, 2012 12:32 PM
Hi IT Integrator,
Would you give me some pointers on how I would check the STS Providers? We're using the out-of-the-box claims provider and have not specified anything custom so far.
Thank you!
BlueSky2010
Friday, May 18, 2012 3:55 AM
msdn.microsoft.com/en-us/library/ff955607.aspx
http://technet.microsoft.com/en-us/library/cc961803.aspx
http://go4answers.webhost4life.com/Example/people-picker-gets-error-selecting-user-82087.aspx
-
Friday, May 18, 2012 5:30 PM
Thanks IT Integrator - I'm still not convinced why I need to create a custom STS provider :-)
When customErrors is turned off I get a slightly different version of the error message on the UI:
Note: this is ONLY happening when I try to permission a user from a different forest. Any suggestions would be greatly appreciated!!!
====================================
Server Error in '/' Application.
--------------------------------------------------------------------------------
The user does not exist or is not unique.<nativehr>0x81020054</nativehr><nativestack></nativestack>
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Runtime.InteropServices.COMException: The user does not exist or is not unique.<nativehr>0x81020054</nativehr><nativestack></nativestack>
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[COMException (0x81020054): The user does not exist or is not unique.<nativehr>0x81020054</nativehr><nativestack></nativestack>]
Microsoft.SharePoint.Library.SPRequestInternalClass.EnsureUserExists(String bstrUrl, String bstrLogin, String bstrEmail, String bstrName, String bstrNotes, String bstrMobilePhone, Int32 lFlags, Boolean bIsRole, Boolean bSendEmail, Boolean bForceAdd, Byte[]& ppsaSystemId, Boolean bImportDeleted, Int32& plUserId) +0
Microsoft.SharePoint.Library.SPRequest.EnsureUserExists(String bstrUrl, String bstrLogin, String bstrEmail, String bstrName, String bstrNotes, String bstrMobilePhone, Int32 lFlags, Boolean bIsRole, Boolean bSendEmail, Boolean bForceAdd, Byte[]& ppsaSystemId, Boolean bImportDeleted, Int32& plUserId) +252
[SPException: The user does not exist or is not unique.]
Microsoft.SharePoint.SPGlobal.HandleComException(COMException comEx) +27674658
Microsoft.SharePoint.Library.SPRequest.EnsureUserExists(String bstrUrl, String bstrLogin, String bstrEmail, String bstrName, String bstrNotes, String bstrMobilePhone, Int32 lFlags, Boolean bIsRole, Boolean bSendEmail, Boolean bForceAdd, Byte[]& ppsaSystemId, Boolean bImportDeleted, Int32& plUserId) +28061206
Microsoft.SharePoint.SPRoleAssignmentCollection.AddInternal(SPRoleAssignment roleAssignment, Boolean addToCurrentScopeOnly, Boolean allowAddToLimitedAccess) +371
Microsoft.SharePoint.ApplicationPages.AclInv.BtnOK_Click(Object sender, EventArgs e) +996
System.Web.UI.WebControls.Button.OnClick(EventArgs e) +115
System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +140
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +29
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2981
BlueSky2010
Thursday, May 24, 2012 6:50 PM
Does the people picker actually resolve the domain user? By default, SharePoint will only search for users in the forest the SharePoint server is joined to. To search another trusted forest or domain, you need to tell it to do so specifically, using a user account from the trusted forest/domain. Here is what I did to accomplish this:
Run the following on each server in the farm:
stsadm -o setapppassword -password password
Where password is the encryption account password to be used for all servers in the SharePoint farm. This can be any password desired, but it must be consistent across all servers.
Run the following on each WFE in the farm:
stsadm -o setproperty -pn peoplepicker-searchadforests -pv domain:<domain of SharePoint server>;domain:<trusted domain>,domain\username,password -url http://webappurl
Where domain\username,password is the service account username and password used to perform LDAP lookups.
Set permissions on the Secure registry key on EVERY machine in the farm, granting the LOCAL WSS_WPG group read access:
Open Registry Editor
Navigate to: HKEY_Local_Machine\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0\Secure
Right-click Secure, select Permissions
Click Add
Find the local WSS_WPG group
Select Read access
Click OK out of the dialogs
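The same three steps, as an added PowerShell example that is not DubaStep's own commands and not SharePoint product code: it calls stsadm for the farm application password (SharePoint 2010 has no cmdlet for that), writes the people picker search domains through the SPWebApplication.PeoplePickerSettings object model (the setting the peoplepicker-searchadforests property controls), and grants the local WSS_WPG group read access on the Secure key. The web application URL, both domain names and the lookup account are placeholder assumptions; both passwords are prompted so they never sit in the script file or the shell history.

```powershell
# Added example, not from the thread. Run in an elevated SharePoint 2010 Management
# Shell; steps 1 and 3 must be repeated on every server in the farm.
# Placeholders (assumptions): $WebAppUrl, $LocalDomain, $TrustedDomain, $LookupAccount.
param(
    [string]$WebAppUrl     = 'http://webappurl',
    [string]$LocalDomain   = 'corp.example',       # domain the SharePoint servers are joined to
    [string]$TrustedDomain = 'partner.example',    # trusted domain the people picker should search
    [string]$LookupAccount = 'PARTNER\svc-picker'  # account in the trusted domain used for LDAP lookups
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# --- Step 1: farm application password (stsadm -o setapppassword), identical on every server.
$stsadm = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\14\BIN\stsadm.exe'
$appPwd = Read-Host 'Farm application password (must match on all servers)' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($appPwd)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
& $stsadm -o setapppassword -password $plain
$plain = $null

# --- Step 2: people picker scope = local domain plus the trusted domain with lookup credentials.
$wa      = Get-SPWebApplication $WebAppUrl
$domains = $wa.PeoplePickerSettings.SearchActiveDirectoryDomains
$domains.Clear()

$local = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$local.DomainName = $LocalDomain
$local.IsForest   = $false          # "domain:" in the stsadm syntax; $true would mean "forest:"
$domains.Add($local)

$trusted = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$trusted.DomainName = $TrustedDomain
$trusted.IsForest   = $false
$trusted.LoginName  = $LookupAccount
# Stored encrypted under the key protected by the step-1 password.
$trusted.SetPassword((Read-Host "Password for $LookupAccount" -AsSecureString))
$domains.Add($trusted)
$wa.Update()

# --- Step 3: let the worker process group read the key that holds the encrypted credentials.
$key  = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0\Secure'
$acl  = Get-Acl -Path $key
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            "$env:COMPUTERNAME\WSS_WPG", 'ReadKey', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $key -AclObject $acl

# --- Verify what was stored (the lookup password itself is never readable back).
$wa.PeoplePickerSettings.SearchActiveDirectoryDomains |
    Format-Table DomainName, IsForest, LoginName -AutoSize
(Get-Acl -Path $key).Access | Where-Object { $_.IdentityReference -like '*WSS_WPG' } |
    Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
```

Granting only ReadKey (rather than Full Control) on the Secure key keeps the worker process limited to what the people picker needs; if the lookup account later changes, rerun step 2 only, since the object-model setting is persisted in the web application's configuration.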
-
Thursday, May 24, 2012 7:10 PM
Hi DubaStep,
Yes - peoplepicker resolves the names from other forests fine. We get that error message when we hit the 'OK' button to actually assign the permission. Interestingly I can permission AD groups BUT not users from the OTHER forests.
You needed that user account because you don't have a two-way trust present; that is not the case here though.
Thank you!
BlueSky2010
Friday, May 25, 2012 8:19 PM
Yup, you are right...it was because of the one-way trust. Coincidentally, I'm having the same issue using a custom claims provider at the moment.
-
Friday, May 25, 2012 9:00 PM
hmm...
Just curious what was the reason for you creating the custom Claims provider?
See, I was debating with IT Integrator, saying the PeoplePicker permissioning should work with the OOB SharePoint claims provider. Am I wrong here?
Unfortunately no Microsoft response on this.
BlueSky2010
Wednesday, May 30, 2012 7:29 PM
We have external (non-AD) users in a DB2 database that we needed to authenticate in SharePoint. What I ended up doing was retracting the wsp and redeploying, then enabling both the custom claims provider (SiteMinder) and the Windows integrated and that worked. Not sure which of those steps fixed it (probably the redeploy) but it works now.
Your situation is a little different than mine though. Same error, but different reason in the ULS logs.
05/29/2012 14:48:58.75 w3wp.exe (0x091C) 0x11E0 CA SiteMinder ClaimProvider 0000 High SiteMinderClaimProvider::FillResolve - SPClaim() Failed to retrieve login provider collection. fa56c1b7-f41a-4e27-9a22-4ee2172abc4a
05/29/2012 14:48:58.75 w3wp.exe (0x091C) 0x11E0 SharePoint Foundation General 8kh7 High The user does not exist or is not unique. fa56c1b7-f41a-4e27-9a22-4ee2172abc4a
And yes, you are correct, people picker should work with the OOB claims provider. Do you need to use claims though? The only reason I am is because of the non-AD user store I have to connect to. Since you have a two-way trust, I would think you could just use classic w/kerberos no? I know the recommended Microsoft way is to use claims whenever possible, but most reasons I see to use claims come from doing something like I'm doing with external users, or having to use authentication methods that aren't AD based.
One question though...the Unable to get domain DNS or forest DNS for domain error you are getting. Does the other domain have the same forest and netbios names?
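A check for both the "Unable to get domain DNS or forest DNS for domain DOMAINNAME. ErrorCode=1355" line in the original ULS trace and the forest/NetBIOS-name question just above, written as an added PowerShell diagnostic that was not posted in the thread. Win32 error 1355 is ERROR_NO_SUCH_DOMAIN, the DC locator's answer when it cannot resolve the name it was handed. The script lists the trusts the local forest and domain know about, together with the per-domain name-routing status each forest trust publishes (a NetBIOS or SID conflict appears there as a ...ConflictDisabled status), checks whether the trusted domain's short name collides with a NetBIOS name inside the local forest, and finally repeats the locator lookup for that short name and shows the failure text. $TrustedDomain is a placeholder assumption standing in for DOMAINNAME; only System.DirectoryServices is used, so no SharePoint snap-in is needed and it can run from any domain-joined machine on the WFE's network.

```powershell
# Added diagnostic, not from the thread. Run on a domain-joined box (e.g. a WFE) as a
# domain user. $TrustedDomain is an assumed placeholder for DOMAINNAME in the ULS line.
param([string]$TrustedDomain = 'DOMAINNAME')
Add-Type -AssemblyName System.DirectoryServices

$localForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$localDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
"Local domain {0} in forest {1}" -f $localDomain.Name, $localForest.Name

# 1. Forest trusts, with the routing status the trust publishes for every domain on the far
#    side. A short name whose routing is disabled cannot be located by that name, which is
#    the ERROR_NO_SUCH_DOMAIN (1355) outcome seen in the trace.
foreach ($t in $localForest.GetAllTrustRelationships()) {
    "Forest trust {0} -> {1}: {2}" -f $t.SourceName, $t.TargetName, $t.TrustDirection
    foreach ($d in $t.TrustedDomainInformation) {
        $flag = if ($d.Status -ne 'Enabled') { '  <-- routing disabled' } else { '' }
        "   NetBIOS {0,-16} DNS {1,-40} {2}{3}" -f $d.NetBiosName, $d.DnsName, $d.Status, $flag
    }
}

# 2. Direct (external or shortcut) trusts of the local domain; the poster expects TwoWay here.
foreach ($t in $localDomain.GetAllTrustRelationships()) {
    "Domain trust {0} -> {1}: {2}, {3}" -f $t.SourceName, $t.TargetName, $t.TrustDirection, $t.TrustType
}

# 3. NetBIOS names inside the local forest (crossRef objects in the Partitions container),
#    to spot a collision with the trusted domain's short name.
$rootDse  = [ADSI]'LDAP://RootDSE'
$parts    = [ADSI]('LDAP://CN=Partitions,' + $rootDse.configurationNamingContext)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($parts, '(&(objectClass=crossRef)(nETBIOSName=*))')
[void]$searcher.PropertiesToLoad.AddRange(@('nETBIOSName', 'dnsRoot'))
$localNetbios = @{}
foreach ($r in $searcher.FindAll()) {
    $localNetbios[[string]$r.Properties['netbiosname'][0]] = [string]$r.Properties['dnsroot'][0]
}
"Local forest NetBIOS names: {0}" -f ($localNetbios.Keys -join ', ')
if ($localNetbios.ContainsKey($TrustedDomain)) {
    "WARNING: '{0}' is also the NetBIOS name of {1} in the local forest; the short name is ambiguous." -f `
        $TrustedDomain, $localNetbios[$TrustedDomain]
}

# 4. Repeat the locator lookup for the short name and report the failure text if it cannot resolve.
try {
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $TrustedDomain)
    $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    "Located '{0}': DNS {1}, forest {2}, via DC {3}" -f $TrustedDomain, $dom.Name, $dom.Forest.Name, $dom.FindDomainController().Name
} catch {
    "Locator failed for '{0}': {1}" -f $TrustedDomain, $_.Exception.Message
}
```

If step 4 fails on the WFE but the same short name resolves from a workstation, the difference is usually the WFE's DNS/WINS configuration or the conditional forwarders for the trusted forest; if it fails everywhere and step 1 shows the domain's routing as disabled, the trust's name suffix routing is the place to look.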
-
Wednesday, June 06, 2012 3:09 PM
Thanks DubaStep for sharing your scenario.
Yeah, we had a big debate on Classic vs. Claims, but people are more inclined towards future-proofing :-) Also, some of the service applications require Claims (e.g. Excel Services, PerformancePoint, InfoPath and Visio).
Names aren't consistent across forests; that is one of the things the MS Premier guys pointed out, but there is no resolution from that call yet (burning tons of hours). Some of the display names have a comma (,) and they thought that could be an issue. But the odd part is that everything works fine in Classic with Kerberos. You would expect they would have an answer.
BlueSky2010
Thursday, June 07, 2012 7:21 PM
BlueSky, we're getting the same issue in our SP2010 environment.
The environment is set up with Claims and Kerberos, and following what was mentioned in other forums we too tried granting permissions to an account which did not contain a comma or special characters in the display name, but had the same results.
Granting permissions to users within the local forest (whether the account contained special characters in the display name or not) worked successfully, with no issues. The problem seems to occur only with users in other forests (yes, the two-way trust is set up correctly and the ports are open).
I'm surprised that more people have not posted about this...

