Migrate from classic-mode to claims-based authentication (SharePoint Foundation 2010)
Applies to: SharePoint Foundation 2010
The procedures in this article provide guidance to help you migrate existing Microsoft SharePoint Foundation 2010 Web applications, which were configured to use classic-mode authentication, to use claims-based authentication. You might decide to do this if you want to implement an authentication method other than Windows authentication (for example, if you want to create a Web application that supports forms-based authentication). For more information, see Plan authentication methods (SharePoint Foundation 2010).
Warning
After you migrate a Web application to claims-based authentication, you cannot revert it to classic-mode authentication.
Convert SharePoint Foundation 2010 Web applications that use classic-mode authentication to use claims-based authentication
Perform the steps in the following procedure to use Windows PowerShell to convert existing Web applications to claims-based authentication.
To convert Web applications to claims-based authentication
Verify that you meet the following minimum requirements: See Add-SPShellAdmin.
On the Start menu, click All Programs.
Click Microsoft SharePoint 2010 Products.
Click SharePoint 2010 Management Shell.
From the Windows PowerShell command prompt, type the following:
$WebAppName = "http:// yourWebAppUrl" $account = "yourDomain\yourUser" $wa = get-SPWebApplication $WebAppName Set-SPwebApplication $wa -AuthenticationProvider (New-SPAuthenticationProvider) -Zone Default
At the Migration prompt, click Yes to continue.
From the Windows PowerShell command prompt, type the following to set the user as an administrator for the site:
$account = "yourDomain\yourUser" $account = (New-SPClaimsPrincipal -identity $account -identitytype 1).ToEncodedString() $zp = $wa.ZonePolicies("Default") $p = $zp.Add($account,"PSPolicy") $fc=$wa.PolicyRoles.GetSpecialRole("FullControl") $p.PolicyRoleBindings.Add($fc) $wa.Update()
From the Windows PowerShell command prompt, type the following to configure the policy to enable the user to have full access:
$zp = $wa.ZonePolicies("Default") $p = $zp.Add($account,"PSPolicy") $fc=$wa.PolicyRoles.GetSpecialRole("FullControl") $p.PolicyRoleBindings.Add($fc) $wa.Update()
From the Windows PowerShell command prompt, type the following to perform user migration:
$wa = get-SPWebApplication $WebAppName $wa.MigrateUsers($true)
Note
We recommend that you use Windows PowerShell when performing command-line administrative tasks. The Stsadm command-line tool has been deprecated, but is included to support compatibility with previous product versions.
Additional migration guidelines
After you perform the steps in the previous procedures, you might experience one or more of the following issues.
Users who submit valid credentials might be notified that they do not have permissions. If this occurs, the
portalsuperuseraccount
property and theportalsuperreaderaccount
property of the Web application were probably configured prior to migration. If this is the case, you must update theportalsuperuseraccount
property and theportalsuperreaderaccount
property to use the new claims-based account name. After migration, you can find the new claims-based account name in the Web application policy for the migrated Web application.If existing alerts are not invoked after migration, you might have to delete and recreate the alerts.
If Search crawl does not function after migration, make sure the Search crawl account lists the new converted account name. If the new converted account name is not listed, you must manually create a new policy for the crawl account.
See Also
Other Resources
Downloadable book: Upgrading to SharePoint Foundation 2010
Resource Center: Upgrade and Migration for SharePoint Foundation 2010