Web.SiteUsers contains login name twice on Claims based Web App

  • Question

  • Hello,

    I am developing a solution that ought to work for classic mode auth as well as claims based auth. Now I have a service that programmatically sets a PeoplePicker [Assigned To] based on the login name from our DB.

    In a claims based App, when filtering elements in the list by [Assigned To] equals [Me], no elements were returned although elements are assigned to the correct user (so I thought). I found out that the user ID was wrong. Tracing the Web.SiteUsers revealed the following two matches for the user:

    User ID [3] LoginName [DOMAIN\]
    User ID [1] LoginName [i:0#.w|DOMAIN\]

    When editing the item in SharePoint, the User with ID 1 is set and the filter works.

    But when I try to get the user from the Web by login name:

        SPUser oUser = oItem.Web.SiteUsers["DOMAIN\"];

        SPUser oUser = oItem.Web.EnsureUser("DOMAIN\");

    the User with ID 3 is returned and the filter doesn't return the item.

    So, now the question is

    (a) WHY are there two entries for the user, one of which seems to be a claim and the other doesn't?

    (b) HOW to ensure the correct user is returned based on the login name?

    Any help is greatly appreciated!

    Kind Regards,


    Friday, June 3, 2011 9:11 AM


All replies

  • There are not two entries for one user. DOMAIN\ is a different user than i:0#.w|DOMAIN\. The first is Windows auth and the second claims auth. But they are different identities and thus different users. It seems to me that someone logged into the site as each of those users at some point.


    Author, Professional Business Connectivity Services
    Author, Inside SharePoint 2010 Blog,
    Twitter, @ScotHillier
    SharePoint Trainer, Critical Path Training
    Friday, June 3, 2011 10:11 AM
  • Scot,

    I wouldn't expect it to be possible to log on to a claims based site using Windows auth. Well, somehow it seems to be. Might this happen if a WCF service opens SharePoint via impersonation?

    Nevertheless, I advanced a little bit. I wrote a method to return the Claims SPUser instead of the Windows auth user. Here goes:

        public static SPUser GetSPUser(SPWeb oWeb, String strSystemAccount)
        {
          String strToken = strSystemAccount;
          SPUser oUser = null;
          if (!String.IsNullOrEmpty(strSystemAccount))
          {
            if (oWeb.Site.WebApplication.UseClaimsAuthentication)
            {
              try
              {
                SPClaimProviderManager mgr = SPClaimProviderManager.Local;
                if (mgr != null)
                {
                  // TODO: doesn't work for SYSTEM account!!
                  SPClaim userLogonNameClaim = mgr.DecodeClaim(oWeb.CurrentUser.LoginName);
                  // Logon-name claim for the requested account, issued by the same issuer as the current user's claim
                  SPClaim claim = new SPClaim(SPClaimTypes.UserLogonName, strSystemAccount,
                                              SPClaimValueTypes.String, userLogonNameClaim.OriginalIssuer);
                  strToken = mgr.EncodeClaim(claim);
                }
              }
              catch (Exception ex)
              {
                GlobalMethodes.Trace("GetSPUser", GlobalMethodes.TraceLevelWarning, "GetSPUser({0}) Exception {1}", strSystemAccount, ex.Message);
              }
            }
            oUser = oWeb.EnsureUser(strToken);
          }
          return oUser;
        }

    I use the claim from the CurrentUser as a generic way to obtain the OriginalIssuer, but I found out that DecodeClaim fails for the SYSTEM account. Is there any other (better) way to obtain the OriginalIssuer? I am still new to claims...


    Friday, June 3, 2011 2:16 PM
  • I don't think that SharePoint would record these two accounts for one person, but if you do not have Windows auth enabled as well, then it's puzzling. I suppose it's worth an experiment to logon with a test user and see if both entries are made in the user list.


    Author, Professional Business Connectivity Services
    Author, Inside SharePoint 2010 Blog,
    Twitter, @ScotHillier
    SharePoint Trainer, Critical Path Training
    Friday, June 3, 2011 3:32 PM
  • In fact, I do have Windows Auth enabled for a different SharePoint App on the Farm.

    What I am stuck with now is: for my code example above, if the WCF Service opens SharePoint as SHAREPOINT\system, the line marked with "TODO" returns the error:

    Exception of type 'System.ArgumentException' was thrown.
    Parameter name: value

    So, since I don't get a Claim from the System user, assuming that I only have one Claim Provider, what would be the best advised way to obtain a Claim for a specific login name (i.e. DOMAIN\

    With best regards,


    Monday, June 6, 2011 9:54 AM
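The two SiteUsers entries in the question, and the SYSTEM-account failure of DecodeClaim described in this reply, both come down to the shape of SharePoint's claims-encoded login name (`i:0#.w|DOMAIN\user`). The following Python is an added example, not code from this thread or from SharePoint: it parses and builds that encoding using the publicly documented single-character codes (identity prefix, reserved `0`, claim type `#`, value type `.`, issuer `w`), and shows why looking up `DOMAIN\user` on a claims web application lands on the wrong principal. The user list and the account name `jdoe` are constructed placeholders, and the code tables cover only the common codes.

```python
import re
from typing import NamedTuple, Optional, Sequence, Tuple

# Single-character codes of the SharePoint 2010 claims encoding, e.g. "i:0#.w|DOMAIN\user".
# Only the common codes are listed here (assumption: this subset suffices for Windows/forms/trusted logins).
CLAIM_TYPE_CODES = {"#": "UserLogonName", "5": "Email", "?": "Name", "!": "IdentityProvider"}
VALUE_TYPE_CODES = {".": "String"}
ISSUER_CODES = {"w": "Windows", "f": "Forms", "t": "TrustedProvider", "s": "SecurityTokenService"}


class EncodedClaim(NamedTuple):
    is_identity: bool            # "i" = identity claim, "c" = any other claim
    claim_type: str
    value_type: str
    issuer: str
    issuer_name: Optional[str]   # provider name for forms/trusted issuers, None for Windows
    value: str


# header before the first "|": <i|c>:0<claim type><value type><issuer>
_HEADER = re.compile(r"^(?P<kind>[ic]):0(?P<ctype>.)(?P<vtype>.)(?P<issuer>.)$")


def decode_claim(login_name: str) -> Optional[EncodedClaim]:
    """Parse a claims-encoded login name; return None for a plain account such as
    "DOMAIN\\user" or "SHAREPOINT\\system" instead of raising, so callers can fall back."""
    header, sep, rest = login_name.partition("|")
    if not sep:
        return None
    m = _HEADER.match(header)
    if m is None:
        return None
    ctype = CLAIM_TYPE_CODES.get(m["ctype"])
    vtype = VALUE_TYPE_CODES.get(m["vtype"])
    issuer = ISSUER_CODES.get(m["issuer"])
    if ctype is None or vtype is None or issuer is None:
        return None
    if m["issuer"] == "w":
        issuer_name, value = None, rest            # Windows: the value is the account itself
    else:
        issuer_name, sep2, value = rest.partition("|")  # other issuers carry "<provider>|<value>"
        if not sep2:
            return None
    return EncodedClaim(m["kind"] == "i", ctype, vtype, issuer, issuer_name, value)


def encode_windows_logon(account: str) -> str:
    """Build the identity logon-name claim SharePoint stores for a Windows account."""
    return f"i:0#.w|{account}"


def canonical_account(login_name: str) -> str:
    """Reduce either representation to the underlying Windows account for comparison."""
    claim = decode_claim(login_name)
    if claim is not None and claim.issuer == "Windows":
        return claim.value.lower()
    return login_name.lower()


def resolve_site_user(site_users: Sequence[Tuple[int, str]], account: str,
                      use_claims_auth: bool) -> Optional[int]:
    """Return the SiteUsers ID whose login name the web application actually compares
    against: the claims-encoded name on a claims web app, the raw account otherwise."""
    wanted = encode_windows_logon(account) if use_claims_auth else account
    for user_id, login_name in site_users:
        if login_name.lower() == wanted.lower():
            return user_id
    return None


# Constructed sample mirroring the thread's two entries; "jdoe" is a placeholder account name.
SITE_USERS = [(3, r"DOMAIN\jdoe"), (1, r"i:0#.w|DOMAIN\jdoe")]

if __name__ == "__main__":
    print(resolve_site_user(SITE_USERS, r"DOMAIN\jdoe", use_claims_auth=True))   # 1
    print(resolve_site_user(SITE_USERS, r"DOMAIN\jdoe", use_claims_auth=False))  # 3
    print(decode_claim(r"SHAREPOINT\system"))                                    # None
```

The point the resolver makes explicit is that the two SiteUsers rows are distinct principals: permissions granted to ID 3 never apply to the claims identity with ID 1, so a service that resolves users by the unencoded account silently assigns items to the wrong identity. Handling the non-encoded case as a `None` result rather than an exception is the same situation the SYSTEM account raises above.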
  • Hi Vielfrass,


    For your issue, you are right, you could convert a claim to a login name programmatically. Please refer to:

    In addition, System Account is a special user account; it seems to have nothing to do with claims based authentication. Here is a similar thread I encountered:



    Porter Wang

    • Marked as answer by KeFang Chen Friday, June 10, 2011 2:43 AM
    Wednesday, June 8, 2011 2:27 AM