No windows identity for Domain Name\User

I have recently upgraded a SharePoint 2013 farm from RTM to SP1. I am repeatedly getting the error "No windows identity for Domain Name\User" in the ULS log. Some users who were earlier able to access the site are not able to access the site.

A few questions to quickly check with you:
1. Have you re-run your SharePoint Configuration Wizard after you upgraded from RTM to SP1? It's very important to re-run the SharePoint Configuration Wizard to ensure the SharePoint Config DB is updated with the latest changes in the farm.
2. If you have performed the above step but still face issues, have you restarted your SharePoint Server after re-running your SharePoint Configuration Wizard? If not, please restart the server.
3. If neither of the above, then have you changed the authentication type for your web application in Central Admin? For example, from Classic Authentication to Claim Based Authentication?

Similar Messages

  • SPSecurityContext.WindowsIdentity: Could not retrieve a valid windows identity. No windows identity for domain\user.

    Hi,
    We get plenty of error messages:
    SPSecurityContext.WindowsIdentity: Could not retrieve a valid windows identity.
    No windows identity for domain\user.
    Our SharePoint 2010 environment consists of 2 app and 2 front end servers. We have plenty of SPSecurityContext.WindowsIdentity errors in our SharePoint logs. I found that this is related to C2WTS service. We have this service running under Local System account and only running on both Front-end servers. We are not using Kerberos in our environment.
    My question is should this service be configured with domain account even if we are not using Kerberos?
    Also should this server be started on App sharepoint servers?
    Is any other way to prevent those errors?
    Thank you,

    Since local accounts are unable to query the domain, and I suspect that the Local System account uses a virtual local account (as opposed to the computer's domain account), then the same would apply to your C2WTS.
    Yes, configure a domain account (DEDICATED, since C2WTS requires some VERY elevated privileges), and the C2WTS will be able to do all of its domain lookups.
    Scott Brickey
    MCTS, MCPD, MCITP
    www.sbrickey.com
    Strategic Data Systems - for all your SharePoint needs

  • User Logon Name (pre-Windows 2000) and Domain Name Don't have the same Value

    Hi
    is it possible to have User Logon Name (pre-Windows 2000) and Domain Name with different value?
    Example:
    domain name domain1.com
    and User Logon Name (pre-Windows 2000) Domain2\user

    If you have trust in place, then also you can use trusted domain name to login from trustee domain. Also, UPN suffix can be added.
    http://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx
    Awinish Vishwakarma - MVP
    My Blog: awinish.wordpress.com

  • Claims debacle (error) with Term Store: "Could not retrieve a valid windows identity" for all sites in a particular web app.

    When I pull up the Term store in CA or any MySite collection, it works.
    When I do so in any other site collection (HNSCs, incidentally), it doesn't return any term stores.
    My ULS log immediately before and after the "/_vti_bin/taxonomyinternalservice.json/CheckPermission" POST on termstore .aspx triggers the WCF call:
    Claims Authentication af30y Verbose Claims Windows Sign-In: Successfully signed-in the the user 'contoso\domainUser' for request url 'https://sp13-root-prd.contoso.com/_vti_bin/taxonomyinternalservice.json/CheckPermission'.
    Claims Authentication af30q Verbose Updating header 'LOGON_USER' with value '0#.w|contoso\domainUser' for the request url 'https://sp13-root-prd.contoso.com/_vti_bin/taxonomyinternalservice.json/CheckPermission'.
    Authentication Authorization agb9s Medium Non-OAuth request. IsAuthenticated=True, UserIdentityName=0#.w|contoso\domainUser, ClaimsCount=77
    Logging Correlation Data xmnv Medium Site=/
    Topology e5mc Medium WcfSendRequest: RemoteAddress: 'http://CONTOSOFE3:32843/00e6d55691824965ac223f1d1cfae6d2/MetadataWebService.svc' Channel: 'Microsoft.SharePoint.Taxonomy.IMetadataWebServiceApplication' Action: 'http://schemas.microsoft.com/sharepoint/taxonomy/soap/IDataAccessReadOnly/GetChanges2' MessageId: 'urn:uuid:590e916c-c89a-4f89-9819-a82c97fabcaa'
    Claims Authentication bz7l Medium SPSecurityContext: Could not retrieve a valid windows identity for username 'contoso\domainUser' with UPN '[email protected]'. UPN is required when Kerberos constrained delegation is used. Exception: System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: WTS0003: The caller is not authorized to access the service. (Fault Detail is equal to An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is: System.UnauthorizedAccessException: WTS0003: The caller is not authorized to access the service. at Microsoft.IdentityModel.WindowsTokenService.CallerSecurity.CheckCaller(WindowsIdentity callerIdentity) at Microsoft.IdentityModel.WindowsTokenService.S4UServiceContract.PerformLogon(Func`1 logonOperation, Int32 pid) at SyncInvokeUpnLogon(Object , Object[] , Object[] ) at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs) at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc) at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc) at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(MessageRpc& rpc) at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet))..
    Claims Authentication g220 Unexpected No windows identity for contoso\domainUser.
    The "The caller is not authorized to access the service." message seems pertinent.
    Both web apps are using only NTLM auth.
    The url for both web apps ends in the same contoso.com domain. 
    I get the same errors no matter what account I use, including the install account.
    Things I've tried:
    Deleting and building a new HNSC root web app and site. Error happens in all sites in all web apps except the PBSC hosting MySites.
    Giving the root site app pool identity full control of the metadata service app (even though the MySite identity doesn't have it)
    Giving the root site app pool identity full permissions on the metadata service app.
    Comparing database and web app config permissions between dev (where everything works perfectly) and prod (where it does not).
    Made sure IIS auth settings on both sites are identical
    Both sites are using the same SSL certificate (though the call to the web service appears to be http)
    Reprovisioned the metadata service app with a new database and new app pool identity.
    Made sure C2WT is running. Tried it with the service stopped as well.
    Web.configs are identical between working and non-working apps.
    I'm stumped but still Googling. I'm hoping to avoid having to call Microsoft. Any help would be appreciated!
    UPDATE:
    Interestingly, when I restored the web application from backup (via CA), I ended up with 3 identical "Windows Authentication" authentication providers assigned to the problem web app. Since there was more than one, I was directed to the provider-chooser page when visiting the site. Upon choosing 1 of the 3, I was authenticated, and *poof*, no more authentication errors and the term store loaded term sets as expected.
    Of course, 3 providers was not an ideal state, so I grabbed the one that worked (#1) via get-spauthenticationprovider, and assigned it to the web app via set-spwebapplication, and my problem returned.
    I am currently updating the farm to SP1 from June 2013 CU. Fingers crossed.
    Update:
    The update to SP1 went smoothly, but did not resolve the issue. Also related (I believe) are the random authentication errors when trying to upload images to some libraries, and 401-errors on the accessdenied.aspx page itself.
    Update:
    The problem is resolved, seemingly after making 4 changes. I'm trying to narrow down which change was the cure, if any:
    1. I installed SP1 on all 6 servers, rebooted and upgraded. This appeared to have no effect.
    2. Removed an old login from SQL that no longer existed in AD because of this ULS error:
       System.Runtime.InteropServices.COMException: The user or group contoso\svc_xxxxxxxxx' is unknown., StackTrace:    at Microsoft.SharePoint.Utilities.SPUtility.GetFullNameFromLoginEx(String loginName, Boolean& bIsDL)
       This login was the identity of the application pool that used to run the web app in question.
       This login was the schema owner of a schema named after itself on every SharePoint database so I changed the schema owner to dbo but left the schema attached.
       The problem may have surfaced initially when the app pool identity was changed in CA, but went unnoticed?
       Note that the web app had been deleted and recreated many times with a new identity and pool to no avail, but the URL remained the same throughout each attempted fix. Relevant?
    3. Grasping at straws, I changed the app pool identity for this web app to the same one that runs the MySite web app pool as per this only slightly related problem: http://www.planetsharepoint.org/m/preview.php?id=372&rid=34764&author=Vlad+Catrinescu
    4. I changed the authentication method from NTLM to Negotiate.
    I am rolling back #3 and #4 to see if the issue resurfaces.
    Update:
    It doesn't appear to have been the NTLM/Negotiate setting. Web app is currently set to NTLM and all is well. No strange accessdenies, and term Store is still manageable from all sites.
    Update: Sorry for the delay. I am administering 6 farms these days. Will update as soon as the final phase of rollbacks happens.
    I think I can. I think I can.
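
The ULS lines quoted in the post above can be triaged mechanically. This is an added example, not part of the original post: it groups the "No windows identity" failures by account and by C2WTS fault code, to show whether a single fault such as WTS0003 (raised in the quoted stack trace by CallerSecurity.CheckCaller, which inspects the identity calling the service) is common to every affected account. The sample lines are constructed in the abridged "category, event ID, level, message" form shown in the post; the account names, UPNs and function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the abridged "category eventID level message" form
# quoted in the post; account names and UPNs are placeholders.
SAMPLE_ULS = [
    r"Claims Authentication af30y Verbose Claims Windows Sign-In: Successfully signed-in the user 'contoso\domainUser'.",
    r"Claims Authentication bz7l Medium SPSecurityContext: Could not retrieve a valid windows identity for username 'contoso\domainUser' with UPN 'user@example.invalid'. Exception: System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: WTS0003: The caller is not authorized to access the service.",
    r"Claims Authentication g220 Unexpected No windows identity for contoso\domainUser.",
    r"Claims Authentication bz7l Medium SPSecurityContext.WindowsIdentity: Could not retrieve a valid windows identity for NTName='contoso\adminUser', UPN='admin@example.invalid'. Exception: WTS0003: The caller is not authorized to access the service.",
    r"Claims Authentication g220 Unexpected No windows identity for contoso\adminUser.",
]

# The account appears in three shapes across the quoted messages.
USER_RE = re.compile(
    r"(?:username\s+'|NTName='|No windows identity for\s+)"
    r"(?P<user>[^\s'\\]+\\[^\s']+)"
)
# C2WTS fault codes look like "WTS0003:" inside the exception text.
FAULT_RE = re.compile(r"\b(WTS\d{4}):")


def triage(lines):
    """Group identity failures by account (case-insensitive) and fault code."""
    per_user = defaultdict(lambda: {"failures": 0, "faults": set()})
    for line in lines:
        if "windows identity" not in line.lower():
            continue  # sign-in successes and unrelated entries
        m = USER_RE.search(line)
        if not m:
            continue  # message carries no account name
        # The "No windows identity for X." form ends with a full stop.
        entry = per_user[m.group("user").rstrip(".,").lower()]
        fault = FAULT_RE.search(line)
        if fault:
            entry["faults"].add(fault.group(1))
        if "No windows identity for" in line:
            entry["failures"] += 1
    return {user: dict(entry) for user, entry in per_user.items()}


def common_fault(report):
    """Return the fault code shared by every failing account, else None."""
    failing = [e["faults"] for e in report.values() if e["failures"]]
    if not failing:
        return None
    shared = set.intersection(*failing)
    return sorted(shared)[0] if shared else None


if __name__ == "__main__":
    report = triage(SAMPLE_ULS)
    for user, entry in sorted(report.items()):
        print(user, entry["failures"], sorted(entry["faults"]))
    print("fault shared by all failing accounts:", common_fault(report))
```

A shared fault code across unrelated accounts points the investigation at the service side (the process calling C2WTS) rather than at the individual user accounts named in the messages.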

    maybe that web app was accidentally created with classic auth?
    here's an example of how to create claims based, with classic, and then "doing 2013" claims
    # Create the example web application, as mentioned above, either with gui, and pick later, or
    New-SPWebApplication -ApplicationPool $applicationPool -ApplicationPoolAccount $serviceAcct -Name $WebApp -Port 5050 -DatabaseName $contentDB -SecureSocketsLayer
    # If doing for 2013
    New-SPWebApplication -ApplicationPool $applicationPool -ApplicationPoolAccount $serviceAcct -Name $WebApp -Port 5050 -AuthenticationProvider (New-SPAuthenticationProvider) -DatabaseName $contentDB -SecureSocketsLayer

  • Error: SPSecurityContext.WindowsIdentity: Could not retrieve a valid windows identity for NTName='

    I'm getting the following error, but it only seems to happen with my 'admin' id. At our company we have a regular user id that we use for daily use that has our email attached to it, and then we have an admin id that has elevated privileges on the various systems.
    I haven't found any trace of this error appearing for anyone else in the system, only for my Admin id. I don't know if it has something to do with not having an Exchange account set up for it, or if there is something else missing. In searching for this error I can find lots of references to Kerberos, but we don't have that running at this company. I'm not sure why it says Kerberos in the error message.
    Any ideas?
    Thanks.
    Ted
    P.S.  Here is the error:
    SPSecurityContext.WindowsIdentity: Could not retrieve a valid windows identity for NTName='Domain\ID', UPN='[email protected]'. UPN is required when Kerberos constrained delegation is used. Exception: System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]:
    WTS0003: The caller is not authorized to access the service. (Fault Detail is equal to An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is: System.UnauthorizedAccessException: WTS0003: The caller is not authorized to access
    the service.   
     at Microsoft.IdentityModel.WindowsTokenService.CallerSecurity.CheckCaller(WindowsIdentity callerIdentity)    
     at Microsoft.IdentityModel.WindowsTokenService.S4UServiceContract.PerformLogon(Func`1 logonOperation, Int32 pid)    
     at SyncInvokeUpnLogon(Object , Object[] , Object[] )    
     at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)    
     at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)    
     at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)    
     at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage4(MessageRpc& rpc)    
     at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet))..
     

    Hi Ted,
    What operations (e.g. create a site?) are you performing with your "admin" account, when you are getting this error?
    Please check the following article with similar posts, e.g. grant the admin account proper permissions, or modify the config file (please back up the original file in a safe place for recovery in future), etc., let us know results.
    http://onefootinthecloud.blogspot.jp/2012/01/save-template-error-no-windows-identity.html
    https://social.msdn.microsoft.com/Forums/sqlserver/en-US/efb39291-857c-4a85-b244-56712f11430a/sharepoint-2010-migrated-to-claims-strange-error?forum=sharepointadminprevious
    https://social.technet.microsoft.com/Forums/sharepoint/en-US/b4d06b64-a713-480e-a00c-d02a466ad891/claims-to-windows-token-issue?forum=sharepointadminprevious
    Thanks,
    Daniel Yang
    Forum Support

  • Error getting the EJB Handle for context name: User

    I am getting EJB Handle for context name: User.
    1) I specified ejb's and datasource in the ejb-jar.xml in the session tags.
    <session> </session>
    and I also included ejb's and datasource in the sun-ejb-jar.xml. Still I am getting the above error. I am new to EJB; how can I resolve this?

    What is the Oracle application server version?
    JDeveloper 11g supports direct deployment to Oracle Application Server 11g
    http://www.oracle.com/technology/products/jdev/collateral/papers/11/newfeatures/index.html

  • Logging into a remote server Windows prepopulated my domain name and I don't want it to.

    I am logging into a web server using an old and no longer supported Microsoft software but when I do this the username is automatically populated with ALASTAIR-PC/Administrator. When I select another account the domain still shows ALASTAIR-PC. It's that domain that is preventing me logging into the server. I also tried to enter the IP address of the server but again it's still showing the domain name.
    Hence... how can I stop the ALASTAIR-PC showing?
    Or
    Is there a way for the web server recognising my domain and thus letting me sign in?

    Hi,
    You can type "\" before User name, it would clear the default domain login. If I misunderstand your meaning, please feel free to let us know.
    Roger Lu
    TechNet Community Support

  • Valid windows username and domain name

    Hi,
    can anyone help me with regular expression of valid username and domain name for windows
    Abdul Khaliq

    figure out the rules and restrictions for those names, and it shouldn't be too hard to come up with a regular expression to describe those rules.
    Most likely it involves nothing more than checking for the length of the name and the existence of a small set of disallowed characters.

  • Alias for domain name

    Hi,
    how to create an alias for a domain name in /etc/hosts file ? We have this :
    192.168.2.30 mymachine.domaine1.domaine2.com mymachine
    How can I create an alias for mymachine.domaine1.domaine2.com ??
    Many thanks.

    192.168.2.30 mymachine.domaine1.domaine2.com mymachine
    Not sure what you mean : mymachine is already an alias.

  • I'm unable to load my Microsoft Exchange account.  Think I'm entering the wrong info for domain and user but haven't figured out the correct inputs...

    I think the problem is with my domain and user name information.  Does anyone have any suggestions...

    I know that when I tried to add a Live/Hotmail account I tried MS Ex but ended up having to forward my Live to my Gmail or just add an IMAP account.

  • Why normally we choose dot local extension for domain name

    Hi, I have one question about choosing the domain name. Mostly we choose the .local extension for the domain. Why is that so, and what happens if we choose .com or any other top-level domain extension?
    Second part of the question: I have joined the domain and it is working OK. My domain controller is my DNS server as well. Now, from the client computer, when I open Google it works. My question is this: how is the query for google.com resolved, as I have a local DNS server and in the forward zone it is not mentioned what the IP address of Google is? Is it automatically referred to any other DNS server, or how does it work?
    Thanks

    Hello,
    Explanation of LutzMH about your first question was absolutely complete. It is a choice that administrators make to avoid collision between your local DNS server and global DNS servers.
    About your second question I would like to recommend you to take a look at the Name Resolution process. But in a nutshell it is a hierarchy form. When you enter the website in your browser it first checks the local DNS servers and then moves along to the global DNS servers to find the appropriate record. It is worth mentioning that in the Name Resolution process, DNS caches play a key role as well. For more information about the Name Resolution process refer to the link below:
    How DNS query works
    Regards.
    Mahdi Tehrani
    www.mahditehrani.ir

  • Good registrar for domain names

    I want to change where my domain name is registered. It is currently hosted by a small company and they have been unable to make it work with my mobileme and mac.com account. What companies have other Mac users had great success with the hosting of their iWeb site in conjunction with their mobileme account?
    Thanks.
    Pat

    Two that are well thought of around here are HostExcellence and GoDaddy. Both offer good packages on hosting and domain names.
    OT

  • Changing MobileMe Accounts for Domain Name

    Need some verification on this procedure before I mess up my web page.
    I have a Web site Domain Name with GoDaddy using my son's Mobileme account. I want to change the Domain name to my mobileme account.
    My plan is to remove the domain name on my son's Personal Domain and then adding it to my Personal Domain on my Mobileme Account.
    Is this all I have to do? No changes to the GoDaddy account?

    I completed the switch from one MM account to the other with no problem. Just removed the site from one & added it to the other & everything worked great.

  • Reverse Proxy issue for domain name

    Hi All,
    We are in the process of implementing reverse proxy to the SAP Portal and web dispatcher.
    We have given all rewrite rules accordingly. The public IP also resolves the domain name.
    Our domain is etender-aai.aero.
    When we give the rewrite rule with the public IP, reverse proxy is working fine.
    But when we give etender-aai.aero in the rewrite rule it's not working.
    Please help me in this.
    Thanks & Regards,
    Sreekanth

    Hi,
    If you want help, you'll have to explain clearly what is your configuration and what you want to achieve.
    I'm sorry to tell you that I absolutely did not understand anything about your problem....
    Do you try to publish your SAP Portal externally on the internet ?
    Do you use the web dispatcher as a reverse proxy ? or do you add an other reverse proxy (like Apache) in front of the web dispatcher ?
    Regards,
    Olivier

  • Whitelist for domain names (send and receive)

    We have this constant issue where our mail server gets loaded up with emails to and from domains that are in no way connected with ours.
    Our external firewall prevents these from going out, but they still remain in the Mail Queue. Is there any way to make a white list so that our domain names need to be included in either the sender OR the receiver and then just delete any other SMTP attempts?
    Thanks!
    Bonus Question. Is there a program I can install on the server that can tell me what IP addresses are sending those emails?

    You're potentially running an open relay, and (if that's the case) you'll want to address that.
    The open relay can arise via misconfigured mail server, or via a web vulnerability in some web services thing (content management system, etc) you're running.
    It's also possible that the server is correctly configured, and that there's an infected client box operating behind your mail server within your domain, or that's external but authorized to use your mail server.
    And the unauthorized variation: being a breached password.
    You'll want to secure the mail server first and foremost; filtering the outbound domain in the messages won't be particularly reliable, as these folks will just send from your domain and leave you to a: get your mail server blacklisted and b: deal with the backscatter.
    nb: This question is cross-posted: http://discussions.apple.com/message.jspa?messageID=11693934

    Trying to get used to templates ... Is there a way to apply a recordset to a template file since it is content that appears on all pages? (PhP/MYSql) Thanks Brad