I just finished a project where we migrated from MOSS to SharePoint 2010 and one of the requirements was to configure 2010 using Forms Based Authentication as this was the case in their 2007 environment.  Now one would think that creating the new web app in Claims mode, mounting the content database and enabling FBA would sort it out. You would be completely misled if you thought that it was that easy.

After numerous failed attempts to get everything working, and after searching the web for information and answers from various sites (all of which claim that their process works, which it probably does on their platforms), I managed to put together a PowerShell script and process that would work for me.

So let's start with the basics:

1. Without going into much detail about Object Cache accounts (you can find plenty of sites describing what this does and how it applies to SharePoint) we are going to change the Superuser and Superreader accounts to domain accounts. These accounts do not need any special privileges. I’ve created “sp_superuser” and “sp_superreader” accounts for this purpose.

[cc lang="shell"]#Set Superuser and SuperReader accounts
$WebAppName = "http://yourwebapplication"
$wa = Get-SPWebApplication -Identity $WebAppName
# Object cache accounts are stored as plain web application properties
$wa.Properties["portalsuperuseraccount"] = "yourdomain\sp_superuser"
$wa.Properties["portalsuperreaderaccount"] = "yourdomain\sp_superreader"
$wa.Update()[/cc]

Once completed, you can check if the accounts have been changed by running the following script:

[cc lang="shell"]#Check SuperUser and SuperReader accounts
Get-SPWebApplication | %{Write-Host "Web Application: " $_.Url "`nSuper user: " $_.Properties["portalsuperuseraccount"] "`nSuper reader: " $_.Properties["portalsuperreaderaccount"] "`n"}[/cc]

2. Now, we need to convert the existing web application to Claims.

[cc lang="shell"]#Convert Web App
$WebAppName = "http://yourwebapplication"
$account = "yourfarmaccount"
$wa = Get-SPWebApplication $WebAppName
# New-SPAuthenticationProvider with no arguments creates a Windows claims provider
Set-SPWebApplication $wa -AuthenticationProvider (New-SPAuthenticationProvider) -Zone Default[/cc]

The easiest way to check that it has been converted is in Central Admin, under Authentication Providers in your web application list.

3. What we want to do now is add a claims administrator to the web application so that we can perform additional tasks. Part of this is to create a new User Policy for the web app and give the farm account (or another account with admin rights) Full Control through that policy as well. I've called it "PSPolicy", but you can call it anything.

[cc lang="shell"]#Add claims administrator
$WebAppName = "http://yourwebapplication"
$wa = Get-SPWebApplication $WebAppName
$account = "yourfarmaccount"
# IdentityType 1 = WindowsSamAccountName; the encoded string is the i:0#.w| form used in step 4
$account = (New-SPClaimsPrincipal -Identity $account -IdentityType 1).ToEncodedString()
$zp = $wa.ZonePolicies("Default")
$p = $zp.Add($account, "PSPolicy")
$fc = $wa.PolicyRoles.GetSpecialRole("FullControl")
$p.PolicyRoleBindings.Add($fc)
$wa.Update()[/cc]

You can check that the script has worked by opening Central Admin and clicking the User Policy icon in your web application list.

4. Since we now have an administrator that has permissions to the claims web application, we need to migrate all the users to claims users. Claims accounts look different from normal domain accounts. There are other types of accounts, but we won't get into that right now. The difference is as follows:

Domain User = domain\username

Claims User = i:0#.w|domain\username (note the prefix before the domain)

[cc lang="shell"]#Migrate all users
$WebAppName = "http://yourwebapplication"
$wa = Get-SPWebApplication $WebAppName
# $true updates the existing user records in place to the claims-encoded login form
$wa.MigrateUsers($true)[/cc]

Check to make sure the accounts have been migrated by running "Get-SPUser".

5. It's important to change the Superuser and Superreader accounts as well. Like I said before, if you want more information about these accounts, go check MSDN/TechNet.

[cc lang="shell"]#Set Superuser and Superreader accounts to the claims accounts
$wa = Get-SPWebApplication -Identity "http://yourwebapplication"
$wa.Properties["portalsuperuseraccount"] = "i:0#.w|yourdomain\sp_superuser"
$wa.Properties["portalsuperreaderaccount"] = "i:0#.w|yourdomain\sp_superreader"
$wa.Update()[/cc]

Same as you checked before (further up in the post), run the check script to make sure that the claims accounts are now associated with the web application.

6. Finally, give the Superuser "Full Control" and the Superreader "Read" permissions to the web application under the User Policy. You should end up with it looking like this:
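Because the screenshot is the only record of what "correct" looks like, here is an added verification script (my own, not part of the original post) that checks steps 4 to 6 from PowerShell: it derives the expected claims-encoded logins the same way step 3 does, compares them with the object cache properties, confirms a User Policy entry with the expected role exists for each, and lists any site collection users that still carry a non-claims login. It assumes the SharePoint 2010 snap-in is available, that the web application URL and domain are placeholders you replace, and that the policy role names appear as "Full Control" and "Full Read".

```powershell
# Added verification example (not the original post's code). Replace the placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$WebAppName = "http://yourwebapplication"
$wa = Get-SPWebApplication -Identity $WebAppName

# Encode a Windows account exactly as step 3 does, so the expected value is derived, not typed.
function Get-ClaimsAccount([string]$account) {
    (New-SPClaimsPrincipal -Identity $account -IdentityType WindowsSamAccountName).ToEncodedString()
}

# Property name -> expected claims login and the User Policy role it must hold (step 6).
$expected = @{
    "portalsuperuseraccount"   = @{ Account = (Get-ClaimsAccount "yourdomain\sp_superuser");   Role = "Full Control" }
    "portalsuperreaderaccount" = @{ Account = (Get-ClaimsAccount "yourdomain\sp_superreader"); Role = "Full Read" }
}

$ok = $true
foreach ($key in $expected.Keys) {
    $want   = $expected[$key].Account
    $actual = $wa.Properties[$key]
    if ($actual -ne $want) {
        Write-Warning "$key is '$actual', expected '$want' (step 5 not applied?)"
        $ok = $false
    }

    # The policy must be bound to the claims identity, not the old domain\user form.
    $policy = $wa.Policies | Where-Object { $_.UserName -eq $want }
    if ($policy -eq $null) {
        Write-Warning "No User Policy entry found for $want (step 6 not applied?)"
        $ok = $false
        continue
    }
    $roles = @($policy.PolicyRoleBindings | ForEach-Object { $_.Name })
    if ($roles -notcontains $expected[$key].Role) {
        Write-Warning "$want has roles [$($roles -join ', ')], expected '$($expected[$key].Role)'"
        $ok = $false
    }
}

# Any login that is neither a claims user (i:) nor a claims group (c:) was missed by MigrateUsers().
# The built-in SHAREPOINT\system account keeps its legacy form and is excluded.
$legacy = Get-SPSite -WebApplication $wa -Limit All |
    ForEach-Object { Get-SPUser -Web $_.RootWeb -Limit All } |
    Where-Object { $_.UserLogin -notlike "i:*" -and $_.UserLogin -notlike "c:*" -and $_.UserLogin -ne "SHAREPOINT\system" }
if ($legacy) { Write-Warning "Non-claims logins remain:"; $legacy | Select-Object UserLogin, DisplayName; $ok = $false }

if ($ok) { Write-Host "Object cache accounts, User Policy roles and user logins look correct for $WebAppName" }
```

Run it from the SharePoint 2010 Management Shell as a farm administrator; warnings point at the step that still needs to be redone.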

All that's left to do is restart IIS, and you should be good to go. If you experience any speed issues, have a look at this post, which worked for me.

It should not take that long to get everything sorted. Once in claims mode, you can decide whether you want to enable FBA, which, depending on your type of provider, could be fairly simple or rather complex.

Be cool, my ninjas.