Convert SharePoint Foundation 2010 Web applications that use classic-mode authentication to use claims-based authentication
Perform the steps in the following procedure to use Windows
PowerShell to convert existing Web applications to claims-based
authentication.
To convert Web applications to claims-based authentication
- Verify that you meet the following minimum requirements
- On the Start menu, click All Programs.
- Click Microsoft SharePoint 2010 Products.
- Click SharePoint 2010 Management Shell.
- From the Windows PowerShell command prompt, type the following:

      # Placeholders: replace with your Web application URL and account
      $WebAppName = "http://yourWebAppUrl"
      $account = "yourDomain\yourUser"
      $wa = get-SPWebApplication $WebAppName
      # Switch the Default zone to claims-based authentication
      Set-SPwebApplication $wa -AuthenticationProvider (New-SPAuthenticationProvider) -Zone Default

- At the Migration prompt, click Yes to continue.
- From the Windows PowerShell command prompt, type the following to set the user as an administrator for the site:

      $account = "yourDomain\yourUser"
      # Convert the account name to its claims-encoded form
      $account = (New-SPClaimsPrincipal -identity $account -identitytype 1).ToEncodedString()

- From the Windows PowerShell command prompt, type the following to configure the policy to enable the user to have full access:

      $zp = $wa.ZonePolicies("Default")
      $p = $zp.Add($account,"PSPolicy")
      # Bind the Full Control policy role to the new policy entry
      $fc=$wa.PolicyRoles.GetSpecialRole("FullControl")
      $p.PolicyRoleBindings.Add($fc)
      $wa.Update()

- From the Windows PowerShell command prompt, type the following to perform user migration:

      $wa = get-SPWebApplication $WebAppName
      $wa.MigrateUsers($true)

Note: We recommend that you use Windows PowerShell when performing
command-line administrative tasks. The Stsadm command-line tool has been
deprecated, but is included to support compatibility with previous
product versions.
Additional migration guidelines
After you perform the steps in the previous procedures, you might experience one or more of the following issues.
- Users who submit valid credentials might be notified that they do not have permissions. If this occurs, the portalsuperuseraccount property and the portalsuperreaderaccount property of the Web application were probably configured prior to migration. If this is the case, you must update the portalsuperuseraccount property and the portalsuperreaderaccount property to use the new claims-based account name. After migration, you can find the new claims-based account name in the Web application policy for the migrated Web application.
- If existing alerts are not invoked after migration, you might have to delete and recreate the alerts.
- If Search crawl does not function after migration, make sure the Search crawl account lists the new converted account name. If the new converted account name is not listed, you must manually create a new policy for the crawl account.
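
A post-migration check for the first guideline above, as an added example that is not part of the original article: it confirms the conversion, lists the Web application policy entries where the claims-based names appear, and re-points the two cache account properties if they still hold classic names. It assumes the SharePoint 2010 Management Shell and the same placeholder URL as the procedure; treating a name that contains `|` as already claims-encoded is a heuristic of this example.

```powershell
# Added example, not from the original article.
# Assumes the SharePoint 2010 Management Shell; the URL is a placeholder.
$WebAppName = "http://yourWebAppUrl"
$wa = Get-SPWebApplication $WebAppName

# 1. Confirm the Web application now uses claims-based authentication.
if (-not $wa.UseClaimsAuthentication) {
    throw "$WebAppName still uses classic-mode authentication."
}

# 2. List policy entries (all zones plus the Default zone) with their roles.
#    The claims-based account names appear here, as does the Full Control
#    entry ("PSPolicy") that the procedure adds, so both can be reviewed.
$entries = @($wa.Policies) + @($wa.ZonePolicies("Default"))
foreach ($p in $entries) {
    $roles = ($p.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
    "{0,-45} {1,-20} {2}" -f $p.UserName, $p.DisplayName, $roles
}

# 3. Update the cache account properties that were set before migration.
$changed = $false
foreach ($key in "portalsuperuseraccount", "portalsuperreaderaccount") {
    $current = $wa.Properties[$key]
    if ([string]::IsNullOrEmpty($current)) { continue }   # never configured
    if ($current -like "*|*") { continue }                # heuristic: already claims-encoded
    # Same cmdlet and identity type value the procedure uses for $account
    $encoded = (New-SPClaimsPrincipal -Identity $current -IdentityType 1).ToEncodedString()
    Write-Host "$key : $current -> $encoded"
    $wa.Properties[$key] = $encoded
    $changed = $true
}

# Persist only when something was rewritten.
if ($changed) { $wa.Update() }
```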