The user does not exist or is not unique - Claims and Kerberos authenticated site

  • Question

  • Hi everyone,

    When using Claims/Kerberos authentication with SharePoint 2010 (SP1), I am unable to permission a user
    from a trusted domain (two-way trust). I get the "The user does not exist or is not unique" error.

    I can permission these domain users on a network share (on the SharePoint server) fine. Also, from the
    same SharePoint server we can add these people to a Classic/Kerberos site or a Claims/NTLM site.

    I tried disabling the policy "Domain member: Digitally encrypt or sign secure channel data (always)", as per this blog, with no luck.

    We have peoplepicker-searchadforests pointed to the forest and GC port 3268 open.

    Any suggestions would be greatly appreciated.

    Many thanks!

    UI error:

    The user does not exist or is not unique.

    Troubleshoot issues with Microsoft SharePoint Foundation.

    Correlation ID: f1316949-ab9d-4d01-9d7b-f1607fd85466

    Date and Time: 5/14/2012 9:52:

    ULS log:

    05/14/2012 09:51:55.02              w3wp.exe (0x1A68)                                       0x1888       SharePoint Foundation              Monitoring                                    b4ly              High                            Leaving Monitored Scope (SPClaimProviderOperations.ResolveClaim()). Execution Time=17190.6148686495            f1316949-ab9d-4d01-9d7b-f1607fd85466

    05/14/2012 09:51:55.12              w3wp.exe (0x1A68)                                       0x1888       SharePoint Foundation              General                                          72e1            High                            Unable to get domain DNS or forest DNS for domain DOMAINNAME. ErrorCode=1355                   f1316949-ab9d-4d01-9d7b-f1607fd85466

    05/14/2012 09:51:55.12              w3wp.exe (0x1A68)                                       0x1888       SharePoint Foundation              General                                          75yj                        Medium    Error in resolving user 'DOMAINNAME\USERNAME' : System.ArgumentException: Specified value is not supported for the {0} parameter.     at Microsoft.SharePoint.Utilities.SPUserUtility.GetDomainControllerToSearch(SPWebApplication webApp, String domainName)     at Microsoft.SharePoint.Utilities.SPActiveDirectoryPrincipalBySIDResolver.ResolvePrincipal(String input, Boolean inputIsEmailOnly, SPPrincipalType scopes, SPPrincipalSource sources, SPUserCollection usersContainer)     at Microsoft.SharePoint.Utilities.SPUtility.ResolveWindowsPrincipal(SPWeb web, SPWebApplication webApp, String input, SPPrincipalType scopes, Boolean inputIsEmailOnly).                        f1316949-ab9d-4d01-9d7b-f1607fd85466

    ------------------------------------------------------------------------------------

    05/14/2012 09:52:03.79              w3wp.exe (0x1A68)                                       0x1888       SharePoint Foundation              Monitoring                                    b4ly              High                            Leaving Monitored Scope (SPClaimProvider.FillResolveClaim()#2). Execution Time=8679.56981962791                         f1316949-ab9d-4d01-9d7b-f1607fd85466

    05/14/2012 09:52:03.79              w3wp.exe (0x1A68)                                       0x1888       SharePoint Foundation              Monitoring                                    b4ly              High                            Leaving Monitored Scope (SPClaimProviderOperations.ResolveClaim()#1). Execution Time=8679.88396569955      f1316949-ab9d-4d01-9d7b-f1607fd85466

    05/14/2012 09:52:03.81              w3wp.exe (0x1A68)                                       0x1888       SharePoint Foundation              General                                          8kh7             High                            The user does not exist or is not unique. f1316949-ab9d-4d01-9d7b-f1607fd85466

    05/14/2012 09:52:03.82              w3wp.exe (0x1A68)                                       0x1888       SharePoint Foundation              Runtime                                         tkau                        Unexpected                    System.Runtime.InteropServices.COMException: The user does not exist or is not unique.    at Microsoft.SharePoint.Library.SPRequestInternalClass.UpdateMembers(String bstrUrl, UInt32 dwObjectType, String bstrObjId, Guid& pguidScopeId, Int32 lGroupID, Int32 lGroupOwnerId, Object& pvarArrayAdd, Object& pvarArrayAddIds, Object& pvarArrayLoginsRemove, Object& pvarArrayIdsRemove, Boolean bRemoveFromCurrentScopeOnly, Boolean bSendEmail)     at Microsoft.SharePoint.Library.SPRequest.UpdateMembers(String bstrUrl, UInt32 dwObjectType, String bstrObjId, Guid& pguidScopeId, Int32 lGroupID, Int32 lGroupOwnerId, Object& pvarArrayAdd, Object& pvarArrayAddIds, Object& pvarArrayLoginsRemove, Object& pvarArrayIdsRemove, Boolean bRemoveFromCurrentScopeOnly, Boolean bSendEmail)         f1316949-ab9d-4d01-9d7b-f1607fd85466

    05/14/2012 09:52:04.01              w3wp.exe (0x1A68)                                       0x1888       SharePoint Foundation              Monitoring                                    b4ly                        Medium    Leaving Monitored Scope (Request (POST:http://claims.SITEurl:80/_layouts/aclinv.aspx?GroupId=8&IsDlg=1)). Execution Time=26207.1480453521           f1316949-ab9d-4d01-9d7b-f1607fd85466


    BlueSky2010
    Please help and appreciate others by using these features: "Propose As Answer", "Vote As Helpful" and "Mark As Answer"


    Monday, May 14, 2012 8:19 PM
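The ULS entries above (and the pair DubaStep quotes later in the thread) share one correlation ID per failed request, and the cause entry (ErrorCode=1355 at event 72e1) is logged well before the generic 8kh7 symptom. The following Python is an added example, not from the thread or from SharePoint: it parses pasted ULS lines, groups them by correlation ID and surfaces the cause signature ahead of the symptom; the sample lines are constructed after the ones quoted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample shaped after the ULS lines quoted in this thread. Real ULS fields are
# tab-separated; the forum copy collapsed tabs into runs of spaces, so the parser accepts both.
CORR_A = "f1316949-ab9d-4d01-9d7b-f1607fd85466"
CORR_B = "fa56c1b7-f41a-4e27-9a22-4ee2172abc4a"
HEAD = "05/14/2012 09:51:55.12\tw3wp.exe (0x1A68)\t0x1888\tSharePoint Foundation\tGeneral\t"
SAMPLE_ULS = "\n".join([
    HEAD + "72e1\tHigh\tUnable to get domain DNS or forest DNS for domain DOMAINNAME. ErrorCode=1355\t" + CORR_A,
    HEAD + "75yj\tMedium\tError in resolving user 'DOMAINNAME\\USERNAME' : System.ArgumentException: "
    "Specified value is not supported for the {0} parameter.     at Microsoft.SharePoint.Utilities."
    "SPUserUtility.GetDomainControllerToSearch(SPWebApplication webApp, String domainName)\t" + CORR_A,
    "05/14/2012 09:52:03.81      w3wp.exe (0x1A68)      0x1888   SharePoint Foundation     General"
    "     8kh7     High     The user does not exist or is not unique. " + CORR_A,
    "05/29/2012 14:48:58.75\tw3wp.exe (0x091C)\t0x11E0\tSharePoint Foundation\tGeneral\t8kh7\tHigh\t"
    "The user does not exist or is not unique.\t" + CORR_B,
])

SEP = r"(?:\t| {2,})"  # field separator: a tab, or two-plus spaces in pasted copies
ULS_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d\d)" + SEP + r"(?P<proc>\S+ \(0x[0-9A-Fa-f]+\))" + SEP
    + r"(?P<tid>0x[0-9A-Fa-f]+)" + SEP + r"(?P<area>.+?)" + SEP + r"(?P<category>.+?)" + SEP
    + r"(?P<event>\w+)" + SEP + r"(?P<level>\w+)" + SEP + r"(?P<msg>.*?)\s+"
    + r"(?P<corr>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\s*$"
)

# Cause signatures to surface ahead of the generic symptom; Win32 error 1355 is ERROR_NO_SUCH_DOMAIN.
CAUSE_SIGNATURES = [
    (re.compile(r"ErrorCode=1355\b"), "ERROR_NO_SUCH_DOMAIN: trusted domain not reachable via DNS/GC"),
    (re.compile(r"GetDomainControllerToSearch"), "no domain controller chosen for the target domain"),
]
SYMPTOM_EVENTS = {"8kh7", "tkau"}  # the 'does not exist or is not unique' entries themselves

def parse_uls(text):
    """Parse ULS lines into field dicts, skipping lines that do not fit the layout."""
    return [m.groupdict() for m in map(ULS_RE.match, text.splitlines()) if m]

def triage(entries):
    """Group entries by correlation ID and report the first cause signature per request."""
    by_corr = defaultdict(list)
    for e in entries:
        by_corr[e["corr"]].append(e)
    report = {}
    for corr, evs in by_corr.items():
        causes = [hint for e in evs for rx, hint in CAUSE_SIGNATURES if rx.search(e["msg"])]
        report[corr] = {"symptom_entries": sum(e["event"] in SYMPTOM_EVENTS for e in evs),
                        "cause": causes[0] if causes else None}  # None: read the earlier entries by hand
    return report
```

For the second correlation ID the report carries no cause signature, which matches DubaStep's remark that his request fails for a different reason than the 1355 lookup error.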

All replies

  • Please check the setup of your web apps. Check how many STS providers your web app has. It might be pointing to the wrong STS provider, which is causing the user not to be added to the group.

    Wednesday, May 16, 2012 7:27 AM
  • Hi IT Integrator,

    Would you give me some pointers on how I would check the STS providers? We're using the out-of-the-box claims provider and have not specified anything custom so far.

    Thank you!


    BlueSky2010

    Thursday, May 17, 2012 12:32 PM
  • msdn.microsoft.com/en-us/library/ff955607.aspx

    http://technet.microsoft.com/en-us/library/cc961803.aspx

    http://go4answers.webhost4life.com/Example/people-picker-gets-error-selecting-user-82087.aspx

    Friday, May 18, 2012 3:55 AM
  • Thanks, IT Integrator - I'm still not convinced why I need to create a custom STS provider :-)

    With customErrors turned off I get a slightly different version of the error message in the UI:

    Note: this is ONLY happening when I try to permission a user from a different forest. Any suggestions would be greatly appreciated!!!

    ====================================

    Server Error in '/' Application.
    --------------------------------------------------------------------------------

    The user does not exist or is not unique.<nativehr>0x81020054</nativehr><nativestack></nativestack>
    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.Runtime.InteropServices.COMException: The user does not exist or is not unique.<nativehr>0x81020054</nativehr><nativestack></nativestack>

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below. 

    Stack Trace:


    [COMException (0x81020054): The user does not exist or is not unique.<nativehr>0x81020054</nativehr><nativestack></nativestack>]
       Microsoft.SharePoint.Library.SPRequestInternalClass.EnsureUserExists(String bstrUrl, String bstrLogin, String bstrEmail, String bstrName, String bstrNotes, String bstrMobilePhone, Int32 lFlags, Boolean bIsRole, Boolean bSendEmail, Boolean bForceAdd, Byte[]& ppsaSystemId, Boolean bImportDeleted, Int32& plUserId) +0
       Microsoft.SharePoint.Library.SPRequest.EnsureUserExists(String bstrUrl, String bstrLogin, String bstrEmail, String bstrName, String bstrNotes, String bstrMobilePhone, Int32 lFlags, Boolean bIsRole, Boolean bSendEmail, Boolean bForceAdd, Byte[]& ppsaSystemId, Boolean bImportDeleted, Int32& plUserId) +252

    [SPException: The user does not exist or is not unique.]
       Microsoft.SharePoint.SPGlobal.HandleComException(COMException comEx) +27674658
       Microsoft.SharePoint.Library.SPRequest.EnsureUserExists(String bstrUrl, String bstrLogin, String bstrEmail, String bstrName, String bstrNotes, String bstrMobilePhone, Int32 lFlags, Boolean bIsRole, Boolean bSendEmail, Boolean bForceAdd, Byte[]& ppsaSystemId, Boolean bImportDeleted, Int32& plUserId) +28061206
       Microsoft.SharePoint.SPRoleAssignmentCollection.AddInternal(SPRoleAssignment roleAssignment, Boolean addToCurrentScopeOnly, Boolean allowAddToLimitedAccess) +371
       Microsoft.SharePoint.ApplicationPages.AclInv.BtnOK_Click(Object sender, EventArgs e) +996
       System.Web.UI.WebControls.Button.OnClick(EventArgs e) +115
       System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +140
       System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +29
       System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2981


    BlueSky2010

    Friday, May 18, 2012 5:30 PM
  • Does the people picker actually resolve the domain user? By default, SharePoint will only search for users in the forest the SharePoint server is joined to. To search another trusted forest or domain, you need to tell it to do so specifically, using a user account from the trusted forest/domain. Here is what I did to accomplish this:

    Run the following on each server in the farm:

    stsadm -o setapppassword -password password

    Where password is the encryption account password to be used for all servers in the SharePoint farm. This can be any password desired, but it must be consistent across all servers.

    Run the following on each WFE in the farm:

    stsadm -o setproperty -pn peoplepicker-searchadforests -pv domain:<domain of SharePoint server>;domain:<trusted domain>,domain\username,password -url http://webappurl

    Where domain\username,password is the service account username and password used to perform LDAP lookups.

    Set permissions on the Secure registry key on EVERY machine in the farm, granting the LOCAL WSS_WPG group read access:

    Open Registry Editor

    Navigate to: HKEY_Local_Machine\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0\Secure

    Right-click Secure, select Permissions

    Click Add

    Find the local WSS_WPG group

    Select Read access

    Click OK out of the dialogs

    Thursday, May 24, 2012 6:50 PM
  • Hi DubaStep,

    Yes - the people picker resolves the names from other forests fine. We get that error message when we hit the 'OK' button to actually assign the permission. Interestingly, I can permission AD groups BUT not users from the OTHER forests.

    You needed that user account because you don't have a two-way trust present - that is not the case here though.

    Thank you!


    BlueSky2010

    Thursday, May 24, 2012 7:10 PM
  • Yup, you are right... it was because of the one-way trust. Coincidentally, I'm having the same issue using a custom claims provider at the moment.
    Friday, May 25, 2012 8:19 PM
  • hmm...

    Just curious what was the reason for you creating the custom Claims provider?

    See, I was debating with IT Integrator, saying the PeoplePicker permissioning should work with the OOB SharePoint claims provider. Am I wrong here?

    Unfortunately no Microsoft response on this.


    BlueSky2010

    Friday, May 25, 2012 9:00 PM
  • We have external (non-AD) users in a DB2 database that we needed to authenticate in SharePoint. What I ended up doing was retracting the wsp and redeploying, then enabling both the custom claims provider (SiteMinder) and the Windows integrated one, and that worked. Not sure which of those steps fixed it (probably the redeploy) but it works now.

    Your situation is a little different than mine though. Same error, but a different reason in the ULS logs.

    05/29/2012 14:48:58.75 w3wp.exe (0x091C)                       0x11E0  CA SiteMinder                   ClaimProvider                    0000       High                    SiteMinderClaimProvider::FillResolve - SPClaim() Failed to retrieve login provider collection.        fa56c1b7-f41a-4e27-9a22-4ee2172abc4a

    05/29/2012 14:48:58.75 w3wp.exe (0x091C)                       0x11E0  SharePoint Foundation                 General                                       8kh7      High       The user does not exist or is not unique.               fa56c1b7-f41a-4e27-9a22-4ee2172abc4a

    And yes, you are correct, the people picker should work with the OOB claims provider. Do you need to use claims though? The only reason I am is because of the non-AD user store I have to connect to. Since you have a two-way trust, I would think you could just use classic w/ Kerberos, no? I know the recommended Microsoft way is to use claims whenever possible, but most reasons I see to use claims come from doing something like I'm doing with external users, or having to use authentication methods that aren't AD based.

    One question though... the "Unable to get domain DNS or forest DNS for domain" error you are getting. Does the other domain have the same forest and NetBIOS names?

    Wednesday, May 30, 2012 7:29 PM
  • Thanks DubaStep for sharing your scenario.

    Yeah, we had a big debate on Classic vs. Claims, but people are more inclined towards future-proofing :-) Also, some of the service applications require Claims (e.g. Excel Services, PerformancePoint, InfoPath and Visio).

    Names aren't consistent across forests; that is one of the things the MS Premier guys pointed out, but no resolution from that call yet (burning tons of hours). Some of the display names have a comma (,) and they thought that could be an issue. But the odd part is that everything works fine in Classic with Kerberos. You would expect they would have an answer.


    BlueSky2010

    Wednesday, June 6, 2012 3:09 PM
  • BlueSky, we're getting the same issue in our SP2010 environment.

    The environment is set up with Claims and Kerberos, and following what was mentioned in other forums we too tried granting permissions to an account which did not contain a comma or special characters in the display name - but had the same results.

    Granting permissions to users within the local forest (whether the account contained special characters in the display name or not) worked successfully, with no issues. The problem seems to occur only with users in other forests (yes, the two-way trust is set up correctly and ports are open).

    I'm surprised that more people have not posted about this...

    Thursday, June 7, 2012 7:21 PM