Moving SharePoint 2010 web application to claims-based authentication

Lately I migrated an intranet site from SharePoint Server 2007 to SharePoint Server 2010. As part of the migration, the web application also had to be moved to claims-based authentication (CBA). In this post I will show you how to move the existing NTLM accounts to CBA in a couple of simple steps.

Here are the steps that worked for me:

  1. Make a backup of the content database on the SharePoint Server 2007 machine.
  2. On SharePoint Server 2010, create a new web application that uses classic-mode authentication. Give its content database an easy-to-remember name.
  3. Restore the content database you backed up to SharePoint Server 2010.
  4. Run stsadm to attach the restored database to your web application.
  5. Delete the content database that was created together with the web application.
  6. Make sure your application works on SharePoint Server 2010.
  7. Run the following PowerShell script on the SharePoint Server 2010 machine:

    # Switch the web application to claims-based authentication
    $WebAppName = "http://intranet"
    $wa = Get-SPWebApplication $WebAppName
    $wa.UseClaimsAuthentication = $true
    $wa.Update()
    
    # Grant the migration account Full Control through a web application policy
    # (identity type 1 = WindowsSamAccountName; the login is stored claims-encoded)
    $account = "domain\my.user"
    $account = (New-SPClaimsPrincipal -identity $account -identitytype 1).ToEncodedString()
    $wa = Get-SPWebApplication $WebAppName
    $zp = $wa.ZonePolicies("Default")
    $p = $zp.Add($account,"PSPolicy")
    $fc = $wa.PolicyRoles.GetSpecialRole("FullControl")
    $p.PolicyRoleBindings.Add($fc)
    $wa.Update()
    
    # Convert the existing Windows (NTLM) logins to claims identities and re-provision
    $wa.MigrateUsers($true)
    $wa.ProvisionGlobally()

  8. Make sure you can open the site without getting an access denied error.
  9. Make sure user names are shown on the user details form in their claims-encoded (CBA) form.
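The checks in steps 8 and 9 can be scripted. The script below is an added example, not part of the original post or of the TechNet guidance; it assumes it is run in the SharePoint 2010 Management Shell as a farm administrator, that `$WebAppName` and `$MigrationAccount` hold the same values used in the migration script above, and that the temporary Full Control policy was created with the display name "PSPolicy" as in that script. It verifies that the web application is in claims mode, lists any site users whose logins were not converted, and then removes the temporary policy, since the migration account only needs Full Control while `MigrateUsers()` runs.

```powershell
# Added verification and cleanup script (not from the original post).
# Assumptions: SharePoint 2010 Management Shell, farm administrator,
# same web application URL and migration account as the migration script.
$WebAppName = "http://intranet"
$MigrationAccount = "domain\my.user"

$wa = Get-SPWebApplication $WebAppName

# Step 8 precondition: the web application must now be in claims mode.
if (-not $wa.UseClaimsAuthentication) {
    throw "$WebAppName is still using classic-mode authentication."
}

# Step 9: migrated Windows users are stored as i:0#.w|domain\user and
# migrated domain groups as c:0+.w|SID. Any other login (except the
# built-in SHAREPOINT\system account, which is never encoded) was not
# converted by MigrateUsers() and still needs attention.
$notMigrated = @()
foreach ($site in (Get-SPSite -WebApplication $wa -Limit All)) {
    try {
        foreach ($user in $site.RootWeb.SiteUsers) {
            $login = $user.LoginName
            if ($login -eq "SHAREPOINT\system") { continue }
            if (-not ($login.StartsWith("i:") -or $login.StartsWith("c:"))) {
                $notMigrated += ("{0}: {1}" -f $site.Url, $login)
            }
        }
    } finally {
        $site.Dispose()
    }
}

if ($notMigrated.Count -gt 0) {
    Write-Warning "Logins still in classic form:"
    $notMigrated | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host "All site users in $WebAppName carry claims-encoded logins."
}

# Least-privilege cleanup: drop the temporary Full Control policy that the
# migration script granted to the migration account ("PSPolicy").
$encoded = (New-SPClaimsPrincipal -Identity $MigrationAccount `
            -IdentityType WindowsSamAccountName).ToEncodedString()
$zp = $wa.ZonePolicies("Default")
$policy = $zp | Where-Object { $_.UserName -eq $encoded -and $_.DisplayName -eq "PSPolicy" } |
          Select-Object -First 1
if ($policy) {
    $zp.Remove($policy)
    $wa.Update()
    Write-Host "Removed temporary web application policy PSPolicy for $encoded"
} else {
    Write-Host "No temporary policy PSPolicy found for $encoded"
}
```

Run the verification part first and only remove the policy once no classic-form logins are reported; if `MigrateUsers()` has to be re-run, the migration account needs the policy again.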

You can find more information about migration and troubleshooting in the TechNet article Migrate from classic-mode to claims-based authentication in SharePoint 2013. Although the title refers to SharePoint 2013, it contains chapters that apply only to SharePoint 2010.


2 thoughts on “Moving SharePoint 2010 web application to claims-based authentication”

  • Jason Miller says:

    Any permissions guidelines on the $account = “domain\my.user”? This seems like it would need to persist long enough to migrate the users and wouldn’t be used after that. In the lab I used my own elevated account, but I’m not sure if this is appropriate for production.

  • Gunnar says:

    I used the farm account.
