Paul Liebrand's Weblog

Welcome to my blog mainly about SharePoint

Claims / Domain Users via Object Model Cautions

23 September, 2013 (10:15) | SharePoint | By: Liebrand

SharePoint 2010 and SharePoint 2013 have moved over to claims-based authentication as the recommended authentication method. If you do any programming against the object model, here are a few things you need to be aware of.

Consider the following scenario:

  • The web application is set up for claims-based authentication.
  • You have a user account mydomain\user1.
  • You are programmatically adding that user to the site collection.

The code might look something like this:

using (var site = new SPSite("http://mysharepointsite"))
{
    using (var web = site.OpenWeb())
    {
        web.SiteUsers.Add("mydomain\\user1", "[email protected]", null, null);
    }
}

SharePoint will actually add mydomain\user1 to the site collection, but even when that entry is given the appropriate access, the user will be denied access. Why? Because the Add method does not convert the domain\user login to a claims login, so the stored entry does not match the claims identity the user signs in with.

Consider the following code:

using (var site = new SPSite("http://mysharepointsite"))
{
    using (var web = site.OpenWeb())
    {
        web.EnsureUser("mydomain\\user1");
    }
}

Here SharePoint converts the login to a claims login and stores i:0#.w|mydomain\user1, and the user will be able to access the site without any issues.

The indexers of objects such as AllUsers and SiteUsers will only work if you pass in the appropriate login.

The following example shows a common scenario that will fail:

using (var site = new SPSite("http://mysharepointsite"))
{
    using (var web = site.OpenWeb())
    {
        web.EnsureUser("mydomain\\user1");

        SPUser matchingUser;
        matchingUser = web.SiteUsers["mydomain\\user1"]; // This will throw a User Not Found exception
        matchingUser = web.SiteUsers["i:0#.w|mydomain\\user1"]; // this will find the matching user
    }
}

The first matching user line will generate a Microsoft.SharePoint.SPException: User cannot be found, whereas the second one will find the user correctly.
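One way to guard against both pitfalls above, as an added example that is not code from the original post: it normalizes a Windows login to its claims-encoded form before using the SiteUsers indexer, and lists entries that were stored without encoding (for instance by SiteUsers.Add). The class and method names are hypothetical, and it assumes Windows accounts and code running on a farm server against the server object model.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration.Claims;

// Added example; ClaimsLoginHelper and its method names are hypothetical.
public static class ClaimsLoginHelper
{
    // Returns the login in the form SharePoint stores for this site:
    // claims-encoded on a claims web application, unchanged otherwise.
    public static string ToStoredLogin(SPSite site, string login)
    {
        if (!site.WebApplication.UseClaimsAuthentication) return login;
        if (SPClaimProviderManager.IsEncodedClaim(login)) return login;

        // Assumes the input is a Windows account in domain\user form.
        SPClaim claim = SPClaimProviderManager.Local.ConvertIdentifierToClaim(
            login, SPIdentifierTypes.WindowsSamAccountName);
        return claim.ToEncodedString();   // e.g. i:0#.w|mydomain\user1
    }

    // Indexer lookup that accepts either form; returns null when no entry exists.
    public static SPUser FindSiteUser(SPWeb web, string login)
    {
        try
        {
            return web.SiteUsers[ToStoredLogin(web.Site, login)];
        }
        catch (SPException)   // "User cannot be found"
        {
            return null;
        }
    }

    // Lists entries stored without claims encoding on a claims web application,
    // such as users created with SiteUsers.Add("mydomain\\user1", ...).
    public static List<SPUser> FindUnencodedUsers(SPWeb web)
    {
        var result = new List<SPUser>();
        if (!web.Site.WebApplication.UseClaimsAuthentication) return result;

        foreach (SPUser user in web.SiteUsers)
        {
            if (!SPClaimProviderManager.IsEncodedClaim(user.LoginName))
                result.Add(user);
        }
        return result;
    }
}
```

Built-in entries such as SHAREPOINT\system are also stored without encoding, so review the output of FindUnencodedUsers before changing any permissions.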

There is a great write-up on the TechNet wiki that explains SharePoint 2010 and SharePoint 2013 claims encoding. Give it a read: http://social.technet.microsoft.com/wiki/contents/articles/13921.sharepoint-2013-and-sharepoint-2010-claims-encoding.aspx

