Migrate from classic-mode to claims-based authentication in SharePoint 2013
 

Applies to: SharePoint Server 2013, SharePoint Foundation 2013

Topic Last Modified: 2013-12-18

Summary: Convert SharePoint 2010 Products or SharePoint 2013 classic-mode web applications to claims-based authentication or create new claims-based web applications in SharePoint 2013.

Claims-based authentication is an essential component to enable the advanced functionality of SharePoint 2013. To move classic-mode web applications from SharePoint 2010 Products to SharePoint 2013, you can convert them to claims-based web applications within SharePoint 2010 Products, and then migrate them to SharePoint 2013. The procedures in this article illustrate various supported scenarios.

The Windows PowerShell Convert-SPWebApplication cmdlet in SharePoint 2013 converts classic-mode web applications to claims-based web applications.

Warning:
After you convert a web application to claims-based authentication, you cannot revert it to classic-mode authentication.

Convert SharePoint 2010 Products classic-mode web applications to claims-based authentication in SharePoint 2010 Products and then upgrade to SharePoint 2013

In SharePoint 2010 Products, complete the following procedure to convert an existing web application to claims-based authentication. After you convert the web application to claims-based authentication, complete the additional step to migrate the web application to SharePoint 2013. To complete this procedure, you need the following information:

  • The URL of the web application that you are converting: http://yourWebAppUrl

  • A user account to set as a site administrator: yourDomain\yourUser

To convert a SharePoint 2010 Products web application to claims-based authentication
  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running Windows PowerShell cmdlets.

    • You must read about_Execution_Policies (http://go.microsoft.com/fwlink/p/?LinkId=193050).

    • Add memberships that are required beyond the minimums above.

    An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

    Note:
    If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Permissions and Add-SPShellAdmin.
  2. From the Windows PowerShell command prompt, type the following to enable claims-based authentication on the web application:

    $WebAppName = "http://<yourWebAppUrl>"
    $wa = Get-SPWebApplication $WebAppName
    # Switch the web application to claims mode; this setting cannot be reverted.
    $wa.UseClaimsAuthentication = $true
    $wa.Update()

    Where:

    • <yourWebAppUrl> is the URL of the web application.

  3. From the Windows PowerShell command prompt, type the following to configure the policy to enable the user to have full access:

    $account = "yourDomain\yourUser"
    # Encode the Windows account as a claims principal (IdentityType 1 = Windows account name).
    $account = (New-SPClaimsPrincipal -Identity $account -IdentityType 1).ToEncodedString()
    $wa = Get-SPWebApplication $WebAppName
    # Add a policy for the encoded account in the Default zone and bind it to Full Control.
    $zp = $wa.ZonePolicies("Default")
    $p = $zp.Add($account, "PSPolicy")
    $fc = $wa.PolicyRoles.GetSpecialRole("FullControl")
    $p.PolicyRoleBindings.Add($fc)
    $wa.Update()

    For more information, see Get-SPWebApplication.

  4. From the Windows PowerShell command prompt, type the following to perform user migration:

    $wa.MigrateUsers($true)

  5. After user migration completes, type the following from the Windows PowerShell command prompt to perform provisioning:

    $wa.ProvisionGlobally()

    For more information, see New-SPClaimsPrincipal.

    Note:
    We recommend that you use Windows PowerShell when performing command-line administrative tasks. The Stsadm command-line tool has been deprecated, but is included to support compatibility with previous product versions.
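
The steps above as one script, added here as an example and not taken from the original article: it refuses to run against a web application that is already in claims mode (the conversion cannot be reverted), adds the administrator policy only if it is not already present, and prints the resulting policy list so the claims-encoded name can be checked. The URL and account are placeholders you supply.

```powershell
# Added example (not from the original article): SharePoint 2010 classic-to-claims
# conversion with guards. $WebAppUrl and $AdminAccount are placeholders.
$WebAppUrl    = "http://yourWebAppUrl"
$AdminAccount = "yourDomain\yourUser"

$wa = Get-SPWebApplication $WebAppUrl
if ($wa.UseClaimsAuthentication) {
    throw "$WebAppUrl already uses claims-based authentication; nothing to convert."
}

# Step 2: switch the web application to claims-based authentication.
$wa.UseClaimsAuthentication = $true
$wa.Update()

# Step 3: encode the Windows account as a claims principal (IdentityType 1 =
# Windows account name) and grant it Full Control on the Default zone, skipping
# the Add if a policy for that encoded identity already exists.
$encoded = (New-SPClaimsPrincipal -Identity $AdminAccount -IdentityType 1).ToEncodedString()
$zp = $wa.ZonePolicies("Default")
if (-not ($zp | Where-Object { $_.UserName -eq $encoded })) {
    $p  = $zp.Add($encoded, "PSPolicy")
    $fc = $wa.PolicyRoles.GetSpecialRole("FullControl")
    $p.PolicyRoleBindings.Add($fc)
    $wa.Update()
}

# Steps 4 and 5: rewrite stored user identities to their claims form, then
# re-provision the web application on every server in the farm.
$wa.MigrateUsers($true)
$wa.ProvisionGlobally()

# Confirm the result: the web application reports claims mode and the Default
# zone policy lists the claims-encoded administrator.
$wa = Get-SPWebApplication $WebAppUrl
"Claims mode: {0}" -f $wa.UseClaimsAuthentication
$wa.ZonePolicies("Default") | Select-Object UserName, DisplayName
```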

After you complete the previous procedures, you might experience one or more of the following issues:

  • Users who submit valid credentials when accessing the migrated web application might be notified that they do not have permissions. If this occurs, the portalsuperuseraccount property and the portalsuperreaderaccount property of the web application were probably configured prior to migration. If this is the case, update the portalsuperuseraccount property and the portalsuperreaderaccount property to use the new claims-based account name. After migration, you can find the new claims-based account name in the web application policy for the migrated web application.

  • If existing alerts are not invoked after migration, you might have to delete and recreate the alerts.

  • If Search crawl does not function on the web application after migration, make sure that the Search crawl account lists the new converted account name. If the new converted account name is not listed, you must manually create a new policy for the crawl account.
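
A script for the first and third issues above, added as an example and not part of the original article. It encodes the original Windows accounts the same way the web application policy does, points the portalsuperuseraccount and portalsuperreaderaccount properties at the claims-based names, and adds a Full Read policy for the crawl account if none exists under its converted name. The URL and the three account names are placeholders you supply; the "Search Crawling Account" display name is an assumption.

```powershell
# Added example (not from the original article): post-migration fix-ups.
# $WebAppUrl, $SuperUser, $SuperReader and $CrawlAccount are placeholders
# holding the original (classic) Windows account names.
$WebAppUrl    = "http://yourWebAppUrl"
$SuperUser    = "yourDomain\superUser"
$SuperReader  = "yourDomain\superReader"
$CrawlAccount = "yourDomain\crawlUser"

$wa = Get-SPWebApplication $WebAppUrl

# Encode a Windows account as the web application policy does, so the result
# matches the claims-based name shown in the policy list after migration.
function Get-ClaimsName([string]$account) {
    (New-SPClaimsPrincipal -Identity $account -IdentityType 1).ToEncodedString()
}

# Issue 1: the object cache accounts still hold the classic names, so users
# with valid credentials are told they have no permissions. Update both.
$wa.Properties["portalsuperuseraccount"]   = Get-ClaimsName $SuperUser
$wa.Properties["portalsuperreaderaccount"] = Get-ClaimsName $SuperReader
$wa.Update()

# Issue 3: crawl stops if the crawl account has no policy under its converted
# name. Look for it in the Default zone policy; add a Full Read policy if missing.
$crawlClaims = Get-ClaimsName $CrawlAccount
$zp = $wa.ZonePolicies("Default")
if (-not ($zp | Where-Object { $_.UserName -eq $crawlClaims })) {
    $policy = $zp.Add($crawlClaims, "Search Crawling Account")  # display name is an assumption
    $policy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole("FullRead"))
    $wa.Update()
}

# Show what is now configured so it can be compared with the policy list.
$wa.Properties["portalsuperuseraccount"]
$wa.Properties["portalsuperreaderaccount"]
$wa.ZonePolicies("Default") | Select-Object UserName, DisplayName
```

Alerts that no longer fire (the second issue) have no scripted fix here; they must be deleted and recreated as the text describes.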

To migrate a claims-based SharePoint 2010 Products web application to SharePoint 2013
  1. In SharePoint 2013, create a claims-based web application. For more information, see Create claims-based web applications in SharePoint 2013.

  2. Attach the two existing SharePoint 2010 Products content databases to the newly created SharePoint 2013 claims-based web application. For more information, see Attach or detach content databases in SharePoint 2013.

    Note:
    When you attach the SharePoint 2010 Products content databases to the SharePoint 2013 claims-based web application, the databases will be upgraded to the SharePoint 2013 database format. You have to verify that the content databases work correctly after you attach them.

Convert SharePoint 2010 Products classic-mode web applications to SharePoint 2013 claims-based web applications

In SharePoint 2013, complete the following procedure to convert an existing SharePoint 2010 Products classic-mode web application to a SharePoint 2013 web application that uses claims-based authentication.

To convert a SharePoint 2010 Products classic-mode web application to a SharePoint 2013 claims-based web application
  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running Windows PowerShell cmdlets.

    • You must read about_Execution_Policies (http://go.microsoft.com/fwlink/p/?LinkId=193050).

    • Add memberships that are required beyond the minimums above.

    An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

    Note:
    If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Permissions and Add-SPShellAdmin.
  2. In the SharePoint 2013 environment, on the Start menu, click All Programs.

  3. Click Microsoft SharePoint 2013 Products.

  4. Click SharePoint 2013 Management Shell.

  5. Change to the directory where you saved the file.

  6. At the Windows PowerShell command prompt, type the following command:

    New-SPWebApplication -Name "ClassicAuthApp" -Port 100 -ApplicationPool "ClassicAuthAppPool" `
        -ApplicationPoolAccount (Get-SPManagedAccount "<domainname>\<user>")

    Where:

    • <domainname>\<user> is the domain to which the server belongs and the name of the user account.

  7. Attach the two existing SharePoint 2010 Products content databases to the new SharePoint 2013 classic-mode web application. For more information, see Attach or detach content databases in SharePoint 2013.

    Note:
    When you attach the SharePoint 2010 Products content databases to the SharePoint 2013 classic-mode web application, the databases are upgraded to the SharePoint 2013 database format. You have to verify that the content databases work correctly after you have attached them.
  8. From the Windows PowerShell command prompt, type the following:

    Convert-SPWebApplication -Identity <yourWebAppUrl> -To Claims -RetainPermissions [-Force]

    Where:

    • <yourWebAppUrl> is the URL of the web application.

    Note:
    Convert-SPWebApplication converts the web application to claims-based authentication. You have to verify that the users can access the web application after you have converted it.
  9. If necessary, attach a third SharePoint 2010 Products content database to the new SharePoint 2013 classic-mode web application, and verify that the content database is working correctly after you have attached it.

  10. From the Windows PowerShell command prompt, type the following:

    Convert-SPWebApplication -Identity <yourWebAppUrl> -To Claims -RetainPermissions [-Force]

Verify that users can access the web application after you have converted it to claims-based authentication.

For more information, see New-SPWebApplication, Get-SPManagedAccount, and Convert-SPWebApplication.

Note:
We recommend that you use Windows PowerShell when performing command-line administrative tasks. The Stsadm command-line tool has been deprecated, but is included to support compatibility with previous product versions.
Convert SharePoint 2013 classic-mode web applications to claims-based web applications

In SharePoint 2013, complete the following procedures to first create a classic-mode web application, and then convert it to claims-based authentication.

To create a classic-mode Web application in SharePoint 2013
  • Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running Windows PowerShell cmdlets.

    • You must read about_Execution_Policies (http://go.microsoft.com/fwlink/p/?LinkId=193050).

    • Add memberships that are required beyond the minimums above.

    An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

    Note:
    If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Permissions and Add-SPShellAdmin.
  • From the Windows PowerShell command prompt, type the following:

    New-SPWebApplication -Name <Name> `
        -ApplicationPool <ApplicationPool> `
        -AuthenticationMethod <WindowsAuthType> `
        -ApplicationPoolAccount <ApplicationPoolAccount> `
        -Port <Port> -URL <URL>

    Where:

    • <Name> is the name of the new web application that uses classic-mode authentication.

    • <ApplicationPool> is the name of the application pool.

    • <WindowsAuthType> is either “NTLM” or “Kerberos”. Kerberos is recommended.

    • <ApplicationPoolAccount> is the user account that this application pool will run as.

    • <Port> is the port on which the web application will be created in IIS.

    • <URL> is the public URL for the web application.

    Note:
    For more information, see New-SPWebApplication.
    Note:
    After you successfully create the web application, when you open the Central Administration page, you see a health rule warning that indicates that one or more web applications use classic-mode authentication. This reflects our recommendation to use claims-based authentication instead of classic-mode authentication.

To convert a SharePoint 2013 classic-mode web application to claims-based authentication
  • From the Windows PowerShell command prompt, type the following:

    Convert-SPWebApplication -Identity "http://<servername>:<port>" -To Claims -RetainPermissions [-Force]

    Where:

    • <servername> is the name of the server.

    • <port> is the port of the web application.

Verify that users can access the web application after you have converted it to claims-based authentication.
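
The Convert-SPWebApplication step, both in the procedure above and in the SharePoint 2010 Products conversion earlier on this page, as an added example that is not part of the original article: it snapshots the Default zone policy before conversion, runs the cmdlet, and then checks that every classic account reappears under its claims-encoded name with the same role bindings, which is what -RetainPermissions is meant to preserve. The URL is a placeholder you supply.

```powershell
# Added example (not from the original article): convert to claims and verify
# that -RetainPermissions carried each Default zone policy entry across.
# $WebAppUrl is a placeholder.
$WebAppUrl = "http://<servername>:<port>"

$wa = Get-SPWebApplication $WebAppUrl
if ($wa.UseClaimsAuthentication) {
    throw "$WebAppUrl is already claims-based; the conversion cannot be repeated or reverted."
}

# Snapshot the classic policy entries: account name plus its bound roles.
$before = @($wa.ZonePolicies("Default") | ForEach-Object {
    [pscustomobject]@{
        User  = $_.UserName
        Roles = ($_.PolicyRoleBindings | Select-Object -ExpandProperty Name) -join ","
    }
})

Convert-SPWebApplication -Identity $WebAppUrl -To Claims -RetainPermissions

# Reload and compare. Each classic Windows account should now be listed under
# its claims-encoded form (IdentityType 1 = Windows account name). Entries that
# were security groups are encoded differently and will show up as warnings
# here; check those by hand.
$wa    = Get-SPWebApplication $WebAppUrl
$after = $wa.ZonePolicies("Default")
foreach ($entry in $before) {
    $encoded = (New-SPClaimsPrincipal -Identity $entry.User -IdentityType 1).ToEncodedString()
    $match   = $after | Where-Object { $_.UserName -eq $encoded }
    if (-not $match) {
        Write-Warning "No claims policy found for $($entry.User) (expected $encoded)"
        continue
    }
    $roles = ($match.PolicyRoleBindings | Select-Object -ExpandProperty Name) -join ","
    if ($roles -ne $entry.Roles) {
        Write-Warning "$($entry.User): roles changed from [$($entry.Roles)] to [$roles]"
    }
}
"Claims mode: {0}" -f $wa.UseClaimsAuthentication
```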

For more information, see New-SPWebApplication, Get-SPManagedAccount, and Convert-SPWebApplication.

Note:
We recommend that you use Windows PowerShell when performing command-line administrative tasks. The Stsadm command-line tool has been deprecated, but is included to support compatibility with previous product versions.
Migrate SharePoint 2010 Products classic-mode web applications to SharePoint 2013 classic-mode web applications

In SharePoint 2013, complete the following procedure to create a classic-mode web application, and then migrate an existing SharePoint 2010 Products classic-mode web application to SharePoint 2013.

To migrate a SharePoint 2010 Products classic-mode web application to SharePoint 2013
  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running Windows PowerShell cmdlets.

    • You must read about_Execution_Policies (http://go.microsoft.com/fwlink/p/?LinkId=193050).

    • Add memberships that are required beyond the minimums above.

    An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

    Note:
    If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Permissions and Add-SPShellAdmin.
  2. From the Windows PowerShell command prompt, type the following:

    New-SPWebApplication -Name "ClassicAuthApp" -Port 100 -ApplicationPool "ClassicAuthAppPool" `
        -ApplicationPoolAccount (Get-SPManagedAccount "<domainname>\<user>")

    Where:

    • <domainname>\<user> is the domain to which the server belongs and the name of the user account.

  3. Attach the two existing SharePoint 2010 Products content databases to the new SharePoint 2013 classic-mode web application. Verify that the content databases work correctly after you have attached them. For more information, see Attach or detach content databases in SharePoint 2013.

For more information, see New-SPWebApplication and Get-SPManagedAccount.

Note:
We recommend that you use Windows PowerShell when performing command-line administrative tasks. The Stsadm command-line tool has been deprecated, but is included to support compatibility with previous product versions.