Migrate from classic-mode to claims-based authentication (SharePoint Server 2010)


Applies to: SharePoint Server 2010, SharePoint Foundation 2010

The procedures in this article provide guidance to help you migrate existing Microsoft SharePoint Server 2010 Web applications, which were configured to use classic-mode authentication, to use claims-based authentication. You might decide to do this if you want to implement an authentication method other than Windows authentication (for example, if you want to create a Web application that supports forms-based authentication). For more information, see Plan authentication methods (SharePoint Server 2010).


After you migrate a Web application to claims-based authentication, you cannot revert it to classic-mode authentication.

Convert SharePoint Server 2010 Web applications that use classic-mode authentication to use claims-based authentication

Perform the steps in the following procedure to use Windows PowerShell to convert existing Web applications to claims-based authentication.

To convert Web applications to claims-based authentication

  1. Verify that you meet the following minimum requirements: See Add-SPShellAdmin.

  2. On the Start menu, click All Programs.

  3. Click Microsoft SharePoint 2010 Products.

  4. Click SharePoint 2010 Management Shell.

  5. From the Windows PowerShell command prompt, type the following to set the specified user account as an administrator for the site:

    $WebAppName = "http://yourWebAppUrl"
    $wa = get-SPWebApplication $WebAppName
    $wa.UseClaimsAuthentication = $true
  6. From the Windows PowerShell command prompt, type the following to configure the policy to enable the user to have full access:

    $account = "yourDomain\yourUser"
    $account = (New-SPClaimsPrincipal -identity $account -identitytype 1).ToEncodedString()
    $wa = get-SPWebApplication $WebAppName
    $zp = $wa.ZonePolicies("Default")
    $p = $zp.Add($account,"PSPolicy")
  7. From the Windows PowerShell command prompt, type the following to perform user migration:

  8. After migration completes, type the following from the Windows PowerShell command prompt to perform provisioning:



We recommend that you use Windows PowerShell when performing command-line administrative tasks. The Stsadm command-line tool has been deprecated, but is included to support compatibility with previous product versions.

Additional migration guidelines

After you perform the steps in the previous procedures, you might experience one or more of the following issues.

  • Users who submit valid credentials might be notified that they do not have permissions. If this occurs, the portalsuperuseraccount property and the portalsuperreaderaccount property of the Web application were probably configured prior to migration. If this is the case, you must update the portalsuperuseraccount property and the portalsuperreaderaccount property to use the new claims-based account name. After migration, you can find the new claims-based account name in the Web application policy for the migrated Web application.

  • If existing alerts are not invoked after migration, you might have to delete and recreate the alerts.

  • If Search crawl does not function after migration, make sure the Search crawl account lists the new converted account name. If the new converted account name is not listed, you must manually create a new policy for the crawl account.

See Also

Other Resources

Downloadable book: Upgrading to SharePoint Server 2010
Resource Center: Upgrade and Migration for SharePoint Server 2010