Sue Hernandez's SharePoint Blog

SharePoint and Related Stuff

SharePoint 2013, InfoPath and Claims – GetUserProfileByName

You would not believe the hoops you have to go through to get data auto-populated in an InfoPath Form if you’re using Claims-based authentication, which I believe is the default in SharePoint 2013.

The Scenario:

You have an on-premise SharePoint 2013 Server installation with InfoPath Forms Services (so you have enterprise) and you want to create an InfoPath form that auto-populates a logged in user’s ID, email, and phone number.  You are using Claims-based authentication in the web application in question.

In this scenario, I’m using InfoPath Designer 2010 – I haven’t upgraded to 2013 yet, but I don’t think it makes a difference.

The Problem:

When you use Claims-based authentication, your user name is prefaced by “0#.w|”.  So for example, if your user name is SuesDomain\jdoe then your Claims-based user token will be, without the quotes:     “0#.w|SuesDomain\jdoe”

InfoPath can’t handle that, or more specifically, the UserProfile.asmx method GetUserProfileByName method can’t handle that.  InfoPath tries to pass in your Claims-based user token instead of your domain\User Name.

You get 2 problems – you have an authentication problem where the currently logged in user is not allowed to hit the web service, so you get an Access Denied 401 authentication error.  The second problem is getting the right user from the web service.

The Solution:

The steps you have to take are listed here.  See the reference posts for more details and pictures.

  • Have your Active Directory team create you a User Name and Password for a “generic” InfoPath Account.  The one I created was called Domain\SP2013_IPRdr for “InfoPath Reader”.
  • Have the Central Administration team create a Secure Store service application, if they don’t already have one.
    • Generate the Secure Store key if you haven’t already.
    • Create a new application in the Secure Store called something like InfoPathGUPBN (“GetUserProfileByName” is what the acronym stands for); target application type is Group, and User Field Types are the Windows User Name and Password.
    • Set the credentials:  Whomever you want to administer the application should be set as the Target Application Administrators and for the Members, select All Users.
    • Set the Credentials to the Application and use the User Name and Password that you received from the A/D team, example Domain\SP2013_IPRdr.
  • In SharePoint 2013 – in the site you wish to publish your form to, create a Data Connection library.
  • Go Into InfoPath and go to your GetUserProfileByName secondary data connection.  If you don’t already have one, you can create one the “normal” way, making sure you do not choose a user name (just like you would normally do).  For an example of how to set one up, see the first reference in the section at the bottom of this post.
  • Modify the GetUserProfileByName secondary data connection so that it does NOT automatically load the data upon form load.  This is not required, but saves performance.
  • Convert the GetUserProfileByName secondary data connection into a UDCX file (“Convert to Connection File”) – store it in the Data Connection Library that you created a few steps ago.
  • Download the UDCX file that you just created from your SharePoint 2013 Data Connection library and put it on your desktop.  Edit it in Notepad.
  • Change the commented out line to read something like this (depending on what you called your Secure Store Application):
    <udc:Authentication><udc:SSO AppId='InfoPathGUPBN' CredentialType='NTLM' /></udc:Authentication>
  • Upload the UDCX file back in to the Data Connection Library.
  • Publish your newly changed InfoPath form into your SharePoint 2013 InfoPath Form Library
  • Make sure to give your special A/D account, for example the Domain\SP2013_IPRdr account, full read access to that site, so that they have permissions to hit the web service.

All of the above was just to get you to Authenticate properly with the Web Service.  If you were to stop now, and try to get the information from the web service you would get the information for the user Domain\SP2013_IPRdr.  Not the logged in user.  Now you have to take the following steps to get the real logged in user:

  • Go into InfoPath and go to create a Form Load rule
  • For the first rule, call it “Set User Profile” or something similar
    • Create an action to Set a Field’s Value
    • Choose the field – it’s the GetUserProfileByName secondary data connection, in the queryFields node, all the way in:  AccountName.
    • Set it to the following formula value:
      substring-after(userName(), "0#.w|")
    • Add another action, Query for Data, and choose your GetUserProfileByName secondary data connection
  • For the second rule, call it something like “Set Fields”
    • This is where you fill in your fields from the data source.  To find a good example of how to do this, see the first reference in the section at the bottom of this post.

Bottom line:  Pain in the rear.



29 responses to “SharePoint 2013, InfoPath and Claims – GetUserProfileByName

  1. Amberle October 24, 2013 at 9:51 am

    Hi Susan, thank you very much for this very helpful post. 🙂

    Just a follow-up question, if for example we want to get the user’s Manager, will the function return the manager’s account name in the form of claims (0#.w|contoso\amber.lee) or the standard form (contoso\amber.lee)? Right now, we are getting contoso\amber.lee. Is this the default behavior? Or should we be expecting it in claims notation? Thank you!!

    • Susan Hernandez October 25, 2013 at 7:35 pm

      I am no expert on this, but I believe that getting the Manager, you’re getting it from the User Profile Web Service, which is getting it from the User’s SharePoint Profile. My assumption is that either the UPS or the Web Service is handling the account and stripping out the claims tokens. I have experienced the same behavior you have.

  2. Mike November 13, 2013 at 9:15 pm

    I tried this procedure and its throwing an error when I set the AccountName to current user and run the query, please help me

    • Susan Hernandez November 13, 2013 at 9:19 pm

      Could you please specify exactly what account name you’re setting by printing it out somewhere on your form (you don’t have to tell me the account name, just verify that it has correctly stripped the Claims token characters off). Also, what is the error message you’re getting?

      • Mike November 13, 2013 at 9:45 pm

        I mapped an full privileged account in the secure store, then its working but I always get the same user info for any account I try with. Then is the part of changing the account name to current username, yes the claim tokens are being stripped off I check it. The error is “Error accessing the web service” error 5566

      • Susan Hernandez November 13, 2013 at 9:58 pm

        Do you have access to the server on which SharePoint is hosted? The “ULS Logs” will probably have more detail for you. I did a little checking and it seems that error 5566 is often a problem with no access to the web service (permissions). You say you mapped a full privileged account in the secure store, can you double-check to make sure that account has at least Read access in the EXACT web site where the user profile service data connection is being made, i.e. the GetUserProfileByName url? If you can get the ULS logs that will help you in determining where the problem lies.

  3. Mike November 14, 2013 at 3:31 pm

    I don’t much information in the ULS logs either. It says WCFLogging:Begin UserProfileGetProperties and end UserProfileGetProperties. Thats what I see in the ULS Logs.

    For me I get It working untill the rules, when I add the AccountName = substring-after(userName(), “0#.w|”) and query the data source that is where its throwing the error.

  4. Robert F Lopes April 11, 2014 at 8:57 pm

    Really nice (and thorough) post but I have a minor suggestion . Instead of setting the formula to “substring-after(userName(), “0#.w|”)” . I would suggest you just use “substring-after(userName(), “|”)” because the claims token can vary.

  5. Eric Magnuson April 28, 2014 at 6:51 pm

    I have followed the directions exactly and we are still receiving a 401 Authentication error when trying to hit the Web Service:

    The following query failed: GetUserProfileByName (User: 0#.w|domain\current_user, Form Name: ServiceRequest_r1-7-1_20140428, IP: , Connection Target: http://site/IS Data Connection Library/GetUserProfilebyName.udcx, Request: http://site/SitePages/Worker.aspx, Form ID: urn:schemas-microsoft-com:office:infopath:ServiceRequest-r1-7-1-20140428:-dataFormSolution Type: DataAdapterException, Exception Message: The remote server returned an error: (401) Unauthorized. The remote server returned an error: (401) Unauthorized.)

    The udcx file is configured for the new Secure Store:

    It seems like the Data Connection is still trying to connect to the Web Service using the current logged in user rather than the user specified in the SSO “UPASS”.

    Any suggestions for where else I may look?

    Thank you,

    Eric Magnuson

  6. dyimez May 30, 2014 at 4:20 am

    I am getting 401 error as well and disabling loopback check fixes my problem. this is on SP2013 on windows 2013.

    • Graham December 26, 2014 at 9:50 pm

      OMG, you fixed the exact issue I was having. Thank you so much for solving this massive headache for me. Fixed the 401 unauthorized messages for me. Thanks a ton for this. In case that link stops working, here is the work around info from the KB link:

      here are two methods to work around this issue, use one of the following methods, as appropriate for your situation.
      Method 1: Specify host names (Preferred method if NTLM authentication is desired)

      To specify the host names that are mapped to the loopback address and can connect to Web sites on your computer, follow these steps:
      Set the
      registry entry to 1. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
      281308 Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name
      Click Start, click Run, type regedit, and then click OK.
      In Registry Editor, locate and then click the following registry key:
      Right-click MSV1_0, point to New, and then click Multi-String Value.
      Type BackConnectionHostNames, and then press ENTER.
      Right-click BackConnectionHostNames, and then click Modify.
      In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
      Quit Registry Editor, and then restart the IISAdmin service.
      Method 2: Disable the loopback check (less-recommended method)

      The second method is to disable the loopback check by setting the DisableLoopbackCheck registry key.

      To set the DisableLoopbackCheck registry key, follow these steps:
      Set the
      registry entry to 1. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
      281308 Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name
      Click Start, click Run, type regedit, and then click OK.
      In Registry Editor, locate and then click the following registry key:
      Right-click Lsa, point to New, and then click DWORD Value.
      Type DisableLoopbackCheck, and then press ENTER.
      Right-click DisableLoopbackCheck, and then click Modify.
      In the Value data box, type 1, and then click OK.
      Quit Registry Editor, and then restart your computer.

  7. mansidesai26 June 11, 2014 at 12:44 pm

    Reblogged this on crazyforsharepoint and commented:
    Unable to hit User Profile Service in InfoPath Form in SharePoint 2013 Claims Based Web Application

  8. SharePoint and everything else ... September 5, 2014 at 8:54 am

    Reblogged this on SharePoint and everything else … and commented:
    Brilliant! Short, sweet but did the job perfectly. Thank you!

  9. Flash King September 19, 2014 at 10:53 pm

    Sue, I’m still having 5566 error issues. I read that you have to create a classic mode web app in sp2013, then connect the cuff through there. Is t his true?

  10. Flash King September 19, 2014 at 10:54 pm

    Cuff, meant UDC

  11. Pingback: Security Trimming SharePoint 2010 InfoPath Form Fields | SharePoint Diva

  12. Simon July 24, 2015 at 2:52 pm

    Fantastic post – thanks for sharing and saving some of my sanity!

  13. Pingback: InfoPath vs SharePoint 2013 Web Services | rule30

  14. lalo December 23, 2015 at 4:03 pm

    I get the information of the webapp application pool identity instead of the user opening the form. Has anyone else run into this issue?

    • Robert July 18, 2016 at 10:38 am

      did you ever managed to get the actual username? I have the exact Problem, and I think I have configured everything correctly.

    • Joe March 22, 2018 at 7:07 pm

      Ditto. Getting the application pool identity

      • Susan J Hernandez May 21, 2018 at 3:43 pm

        Hi Joe! After a *very* long hiatus, I am trying to slowly come back to blogging and writing. I noticed your recent comment here, and I am (believe it or not) actually working with this issue currently with a client.

        So the issues in a nutshell are:

        1) Need to authenticate to the web service in a special manner, using a privileged account specifically set up for this – in your case, you may be using the App Pool service account, in my case, we set up a special “InfoPath Reader” service account for this access.

        2) When you do set up that authentication, then by default, if you just simply then query the web service, you will receive all of the information about the service account. You will get the display name, email, account ID, etc, for the privileged service account.

        3) To retrieve the “actual” user, you have to take a multi-step process [I need to update this blog post with pictures of doing this]:
        a) Action: Set a Field’s Value.
        i) Field to set: Drill into the GetUserProfileByName secondary data connection, expand queryFields, and pick the field AccountName
        ii) Value to set it to: this formula:
        substring-after(userName(), “|”)
        b) Action: Query for Data
        i) Data Connection: the GetUserProfileByName secondary data connection
        c) Action: Set a Field’s Value
        i) Field to set:
        ii) Value to set it to:
        Pick your GetUserProfileByName secondary data connection; expand all the way to “Value”; highlight it and click “Filter”; Pick its parent field called “Name”; Type text for equals “PreferredName” (or WorkEmail, etc – any profile field). Basically this here is drilling into the GetUserProfileByName data connection and picking from the name/value pairs for all the info returned by the user profile.

        I’d be interested if you got this to work. When I get home I will try to update the post with more pictures and step-by-step of those parts.

        Thanks for your interest!!
        Sue Hernandez

  15. May 4, 2016 at 8:42 pm

    Thank you so much! I spend hours to search for the problem, but never find the hint to add the “substring-after-rule”. Best regards 🙂

    • vink2266 September 15, 2016 at 2:11 pm

      WHat was the account credentials i need to give while setting credentials to application at SSO , I have given the account which we used to create all service applications on the server. I am still getting the error 5566.could anyone help me out as I am struck with this thing since 4 days. thanks all

  16. Chiranthaka jayakody December 8, 2016 at 11:13 am

    In this way how can I get FirstName, LastName, PreferredName, WorkEmail and the other AD Information.

  17. manekin March 6, 2017 at 3:50 pm

    Hi, has anyone found the solution for the 5566 error? The logs show “Credentials in SSO (Windows=[no], Username=[yes], Password= [yes]) did not match the specified type “NTLM”.
    I am a bit stuck on this one. Any advise is welcome! Thanks!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: