Posted 10 Aug 2013

SharePoint Claims Based Web Application Shows the Identity “NT Authority\IUSR” Instead of the Logged in User



Recently, I worked on a SharePoint project that used a claims-based web application. One of the web parts called a custom web service hosted in the ISAPI folder of SharePoint. The call was made via a server-side proxy using C# code, and this particular design turned out to be quite a big challenge. While calling the web service from a web part through the service proxy, I noticed that the user account passed to the web service was NT Authority\IUSR.

[Figure: Claims Based Issue (2)]

On the other hand, if I created a site collection under a Windows-authenticated web application and deployed the web parts in that site collection, the behavior was different (and desired): the web parts communicated with the web service, which was still deployed under the claims-based web application, and the identity in the web service was the same as that of the logged-in user.

[Figure: Claims Based Issue (1)]


The closest issue I found was one reported by Danny Hansen, at least in terms of the error message. Unfortunately, the resolution did not seem to help in my case.

After some more rounds of trial and error and some research, I came to know about the Claims to Windows Token Service. In claims mode, the WindowsIdentity of the user does not exist, because the identity is created as an IClaimsIdentity (that is, in .NET 3.5, an interface that inherits IIdentity). For this reason, the developer must call a special .NET WCF service called C2WTS (Claims to Windows Token Service), which returns a WindowsIdentity that can be used for delegation. It is a .NET service that is configured in SharePoint; the configuration procedure is quite long and must be followed carefully, otherwise it will not work. Configuration step by step is available here.

For the web service to work, below is the code I modified to implement what I describe above:

using System;
using System.Linq;
using System.Security.Principal;
using System.Threading;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.WindowsTokenService;
using Microsoft.SharePoint;

// In the web part: impersonate the logged-in user for the duration of the call
using (WindowsImpersonationContext ctxt = GetWindowsIdentityFromClaimsToken().Impersonate())
{
	//Call the web service here...
}

public static WindowsIdentity GetWindowsIdentityFromClaimsToken()
{
	WindowsIdentity wi = null;

	// Run this portion of code as application pool account,
	// so that C2WTS service is called as this account
	SPSecurity.RunWithElevatedPrivileges(delegate()
	{
		// Get the UPN value of the user from the UPN claim type
		IClaimsIdentity identity = (ClaimsIdentity)Thread.CurrentPrincipal.Identity;
		string upn = null;
		foreach (Microsoft.IdentityModel.Claims.Claim claim in identity.Claims.Where
		(c => StringComparer.Ordinal.Equals(ClaimTypes.Upn, c.ClaimType)))
		{
			upn = claim.Value;
		}

		if (upn == null)
		{
			throw new Exception(string.Format(
				"Cannot Impersonate {0} since he doesn't have a UPN in his claims",
				identity.Name));
		}

		// Get a WindowsIdentity from the UPN of the user by calling C2WTS service
		try
		{
			wi = S4UClient.UpnLogon(upn);
		}
		catch (System.Exception ex)
		{
			throw new Exception(string.Format
			("Impersonation failed. Message: {0}", ex.Message));
		}
	});

	return wi;
}

The function GetWindowsIdentityFromClaimsToken returns the Windows token for the user identified by the claims token. To read more about C2WTS, see the MSDN documentation.
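A more defensive variant of the helper above, added here as an example and not part of the original article's code: it fails closed unless the claims identity is authenticated and carries exactly one UPN value, and it disposes the Windows token and reverts impersonation when the call finishes. The names C2wtsImpersonation, GetSingleUpn and RunAsCurrentUser are hypothetical; the example assumes the same WIF 3.5, C2WTS and SharePoint assemblies the article's code uses.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Threading;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.WindowsTokenService;
using Microsoft.SharePoint;

public static class C2wtsImpersonation // hypothetical helper, not from the article
{
	// Returns the one UPN carried by the identity; throws instead of guessing.
	public static string GetSingleUpn(IIdentity current)
	{
		IClaimsIdentity identity = current as IClaimsIdentity;
		if (identity == null || !identity.IsAuthenticated)
			throw new InvalidOperationException("No authenticated claims identity on this thread.");

		var upns = identity.Claims
			.Where(c => StringComparer.Ordinal.Equals(ClaimTypes.Upn, c.ClaimType))
			.Select(c => c.Value)
			.Distinct(StringComparer.OrdinalIgnoreCase)
			.ToList();

		// Zero UPNs: nothing to map. Several different UPNs: ambiguous, so refuse.
		if (upns.Count != 1 || string.IsNullOrEmpty(upns[0]))
			throw new InvalidOperationException(
				string.Format("Expected exactly one UPN claim, found {0}.", upns.Count));
		return upns[0];
	}

	// Runs 'call' as the Windows user behind the current claims identity.
	public static void RunAsCurrentUser(Action call)
	{
		string upn = GetSingleUpn(Thread.CurrentPrincipal.Identity);
		WindowsIdentity wi = null;

		// As in the article: C2WTS is called as the application pool account.
		SPSecurity.RunWithElevatedPrivileges(delegate() { wi = S4UClient.UpnLogon(upn); });

		using (wi)                                             // releases the token handle
		using (WindowsImpersonationContext ctxt = wi.Impersonate())
		{
			call();                                            // e.g. the web service proxy call
		} // disposing ctxt reverts the thread to its previous identity, even on exceptions
	}
}
```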

The post SharePoint Claims based web application shows the identity “NT Authority\IUSR” instead of the logged in user appeared first on Manas Bhardwaj's Stream.


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Manas Bhardwaj
Netherlands

Read my personal blog at

Last Updated 10 Aug 2013
Article Copyright 2013 by Manas Bhardwaj