
Configuring web application authentication for upgrades

The authentication methods of the web application must match when doing an upgrade. If you are migrating from a claims-based web application, the path is pretty straightforward because the default authentication method in SharePoint 2013 is claims. Running Test-SPContentDatabase on the content database that you want to upgrade can help you determine whether you need to configure the web application before the upgrade. If you need to do additional configuration, one of the issues found by running Test-SPContentDatabase should match the following criteria:

■ Category should be Configuration.

■ Error should be False.

■ UpgradeBlocking should be False.

■ Message should show that the web application is configured with Claims authentication mode and that the content database you are trying to attach will be used against a Windows Classic authentication mode.

■ Remedy should show that an inconsistency exists between the authentication mode of the target web application and the source web application. You need to ensure that the authentication mode setting in the upgraded web application is the same as what you had in the SharePoint 2010 web application.
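The criteria above can be applied as a pipeline filter. The following is an added example, not code from the book: the function name Get-AuthModeFinding, the message pattern it matches, and the sample result objects are assumptions constructed for illustration.

```powershell
# Added example: picks the authentication-mode finding out of
# Test-SPContentDatabase-style results. Runs in any PowerShell 3.0+ session.
function Get-AuthModeFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Result
    )
    process {
        # Criteria from the text: Configuration category, not an error,
        # not upgrade-blocking. The message pattern is an assumption.
        if ($Result.Category -eq 'Configuration' -and
            -not $Result.Error -and
            -not $Result.UpgradeBlocking -and
            $Result.Message -match 'authentication mode') {
            [pscustomobject]@{
                Category = $Result.Category
                Message  = $Result.Message
                Remedy   = $Result.Remedy
            }
        }
    }
}

# Constructed sample results (wording paraphrased, not captured output).
$sample = @(
    [pscustomobject]@{ Category = 'MissingFeature'; Error = $true; UpgradeBlocking = $false
        Message = 'Constructed: a feature is referenced but not installed.'
        Remedy  = 'Constructed.' }
    [pscustomobject]@{ Category = 'Configuration'; Error = $false; UpgradeBlocking = $false
        Message = 'Constructed: web application uses Claims authentication mode; database will be used against Windows Classic authentication mode.'
        Remedy  = 'Constructed: make the authentication mode match the source web application.' }
)

$findings = @($sample | Get-AuthModeFinding)
if ($findings.Count -gt 0) {
    Write-Warning 'Authentication mode mismatch reported; align the modes before attaching.'
    $findings | Format-List
} else {
    Write-Output 'No authentication-mode finding.'
}

# On a farm server, pipe real results instead (placeholders to be replaced):
# Test-SPContentDatabase -Name <ContentDb> -WebApplication http://<WebAppUrl> | Get-AuthModeFinding
```

Because the finding is reported with Error and UpgradeBlocking both False, it is easy to miss among blocking issues; filtering for it explicitly keeps the mismatch from being carried into the attach.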

If you are facing this issue, you should upgrade your SharePoint 2010 web application from classic-mode authentication to claims-based authentication before you upgrade. Converting the web application to claims-based authentication while still in the SharePoint 2010 environment allows for testing of claims before the migration and allows for any potential fixes before migration (such as making sure the search application still functions in claims-based mode). Converting it after the database-attach upgrade process is also possible. If for some reason you absolutely need to stick with the classic authentication method, you can create a SharePoint 2013 web application that uses classic authentication.

EXAM TIP

As part of the exam, you will be asked to put steps in order. Configuring your SharePoint 2010 web application for claims before you upgrade to a SharePoint 2013 web application that uses claims authentication is a perfect example of an upgrade step that must be done in a certain sequence.

Converting a SharePoint 2010 web application from classic-mode authentication to SharePoint 2010 claims-based authentication involves the following steps:

IMPORTANT You should approach this process with caution. If it fails, you might need to restore the whole web application from a backup and start over.

1. Open the SharePoint 2013 Management Shell with an account that has the following permissions:

■ Member of the Administrators group on the server on which you are running the PowerShell commands

■ Securityadmin fixed server role on the SQL Server instance that contains the web application

■ Db_owner fixed server role on all databases to be updated

2. Enable claims authentication on the target web application by typing the following PowerShell commands, replacing <WebAppUrl> with the URL of the target web application:

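# URL of the web application to convert
$WebAppName = "http://<WebAppUrl>"
$wa = Get-SPWebApplication $WebAppName
# Switch the web application to claims authentication and save the change
$wa.UseClaimsAuthentication = $true
$wa.Update()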

3. Enable a site collection administrator on the claims-based enabled application, replacing yourDomain\SiteCollectionAdminUser with the account name for the site collection administrator:

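$account = "yourDomain\SiteCollectionAdminUser"
# Convert the Windows account name to its claims-encoded form
$account = (New-SPClaimsPrincipal -Identity $account -IdentityType 1).ToEncodedString()
$wa = Get-SPWebApplication $WebAppName
# Add a policy entry for the account in the Default zone
$zp = $wa.ZonePolicies("Default")
$p = $zp.Add($account, "PSPolicy")
# Bind the Full Control policy role to the new entry and save
$fc = $wa.PolicyRoles.GetSpecialRole("FullControl")
$p.PolicyRoleBindings.Add($fc)
$wa.Update()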

4. Use the following PowerShell command to migrate users:

$wa.MigrateUsers($true)

5. After migration is completed, finish with the provisioning process by using the following PowerShell command (still in the same PowerShell window):

$wa.ProvisionGlobally()

After the web application is converted, it should be fully tested to ensure that the change to a claims-based authentication process was successful. This includes running a full crawl on the search service to ensure that the search account has the proper permissions. Validation of search results should also be done. If everything appears to be in order, migrating the web application to SharePoint 2013 is an easy process—as far as authentication goes.
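One part of that testing is confirming that the policy entries on the web application are in claims form and that the administrator from step 3 holds Full Control. The following is an added example, not code from the book: the function name Test-PolicyMigration, the login-name prefixes, the role display name "Full Control", and the sample entries are assumptions constructed for illustration.

```powershell
# Added example: classify web application policy entries after conversion.
function Test-PolicyMigration {
    param(
        [Parameter(Mandatory)] [object[]]$Policy,      # objects with UserName and Roles
        [Parameter(Mandatory)] [string]$AdminAccount   # DOMAIN\user granted in step 3
    )
    # Assumed encodings: Windows claims users start with "i:0#.w|",
    # Windows claims groups with "c:0+.w|"; a bare DOMAIN\name is classic mode.
    $classified = foreach ($p in $Policy) {
        $kind = switch -Regex ($p.UserName) {
            '^i:0#\.w\|'         { 'ClaimsUser';  break }
            '^c:0\+\.w\|'        { 'ClaimsGroup'; break }
            '^[^\\|:]+\\[^\\]+$' { 'Classic';     break }
            default              { 'Other' }
        }
        [pscustomobject]@{ UserName = $p.UserName; Kind = $kind; Roles = @($p.Roles) }
    }
    # -eq on strings is case-insensitive, so account casing does not matter.
    $adminClaim = 'i:0#.w|' + $AdminAccount
    $admin = $classified | Where-Object { $_.UserName -eq $adminClaim }
    [pscustomobject]@{
        Entries             = $classified
        Unmigrated          = @($classified | Where-Object Kind -eq 'Classic')
        AdminHasFullControl = [bool]($admin -and ($admin.Roles -contains 'Full Control'))
    }
}

# Constructed sample entries: one migrated administrator, one service
# account still in classic form.
$sample = @(
    [pscustomobject]@{ UserName = 'i:0#.w|yourdomain\sitecollectionadminuser'; Roles = 'Full Control' }
    [pscustomobject]@{ UserName = 'YOURDOMAIN\svc-search'; Roles = 'Full Read' }
)

$result = Test-PolicyMigration -Policy $sample -AdminAccount 'yourDomain\SiteCollectionAdminUser'
$result.Entries | Format-Table UserName, Kind, Roles -AutoSize
if ($result.Unmigrated.Count -gt 0) {
    Write-Warning ("Entries still in classic form: " + ($result.Unmigrated.UserName -join ', '))
}
if (-not $result.AdminHasFullControl) {
    Write-Warning 'The step 3 administrator has no claims-encoded Full Control entry.'
}

# On a farm server, build the input from the converted web application:
# $wa.Policies | Select-Object UserName, @{ n = 'Roles'; e = { $_.PolicyRoleBindings | ForEach-Object Name } }
```

A policy entry left in classic form no longer matches the claims identity the account presents after conversion, which is how a crawl account can lose access without any visible error in the conversion itself.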

IMPORTANT The process of converting a web application to claims-based authentication is a one-way process. Going back to classic-mode authentication isn’t supported and might require a full system restore (databases and SharePoint farms) to return to classic-mode authentication, if that’s required.

If you want a SharePoint 2013 web application that uses classic-mode authentication (such as a custom solution that requires classic-mode authentication that can’t be rewritten due to budget and/or time constraints or comes from a third party), use PowerShell. Using classic-mode authentication requires an overwhelming need because claims-based authentication is the preferred method of authentication for SharePoint 2013 going forward. This process, via PowerShell, involves the following steps (when you create a web application via Central Administration, classic-mode isn’t an option):

1. Open up the SharePoint 2013 Management Shell on a SharePoint 2013 server with an account that has farm-level administration rights.

2. Use the following PowerShell command to create the web application, where <WindowsAuthType> is either NTLM or Kerberos and the other options are similar to creating any other web application:

New-SPWebApplication -Name <Name> -ApplicationPool <ApplicationPool> -AuthenticationMethod <WindowsAuthType> -ApplicationPoolAccount <ApplicationPoolAccount> -Port <Port> -URL <URL>

After creating the classic-mode web application in SharePoint Server 2013, you will see a warning whenever you go to the web application page. This warning indicates that the web application is using the classic-mode authentication. This is to emphasize that claims mode is the preferred authentication mode.

Converting a SharePoint 2013 classic-mode web application to a claims-based web application is a fairly straightforward process. You need to open the SharePoint 2013 Management Shell with the proper permissions and run the following command:

Convert-SPWebApplication -Identity "http://<servername>:port" -To Claims -RetainPermissions [-Force]

Again, whenever you switch authentication modes, you should thoroughly test the web application to make sure that nothing permissions-related is broken. This is especially true for any search-related items.

MORE INFO MIGRATING FROM CLASSIC-MODE TO CLAIMS-BASED AUTHENTICATION See http://technet.microsoft.com/en-us/library/gg251985.aspx for more information on how to migrate from classic-mode to claims-based authentication in SharePoint 2013.