Two SharePoint accounts in a site collection for one AD account
October 8, 2015 Leave a comment
Problem
There are two SharePoint accounts in a site collection for the same AD account. The site collection uses claims based authentication.
Investigation
Comparing the SharePoint accounts we noticed that one of them has a LoginName as in a Classic Authentication mode. The other user has LoginName with the prefix as expected for a claims based authentication.
The concerned user account is also a farm administrator so the first place to look is in the process of creating a new site collection.
I could regenerated the problem each time I created a new site collection. The farm administrator that is creating the site collection is automatically added in the new site collection even though initially it has no access to it (except if it’s specified as first or second site collection admin). The problem is that its added as a Classic user in a site collection that uses claims based authentication (probably because site collections are created from Central Administration which uses Classic Mode Authentication). When the same AD account is added to the site collection again, even by adding it to a SharePoint group or specifying it as a site collection administrator, it will be added again but this time as a ‘claims’ account.
Conclusion
This is a bug because a ‘classic’ user has no business to be in a site collection that uses claims based authentication.
To avoid any problematic situation its best to remove the ‘classic’ user from the site collection, especially if that user (creator of the site collection) is going to be used in the site collection as a normal everyday end user.
The ‘classic’ user in this situation always has a smaller ID then the ‘claims’ user but to be sure you should check their LoginName to find the ‘classic’ user.
To delete a user from a site collection go to the Users Information list and delete the item for that user. To navigate to the Users Information list append the following to the site collection URL
/_layouts/people.aspx?MembershipGroupId=0