Enable Claims-Based Authentication on an Existing Web Application in Classic Mode (Access Denied Error)


Recently I encountered a situation in which I needed to enable claims-based authentication on an existing web application that used classic Windows authentication. There is no way or option to do this from Central Administration; it can only be achieved with a PowerShell script.

# Run in the SharePoint Management Shell as a farm administrator
$WebAppName = "http://yourWebAppUrl"
$wa = Get-SPWebApplication $WebAppName
$wa.UseClaimsAuthentication = $true
$wa.Update()

The above code enables claims-based authentication on the existing web application. But once it is enabled, users may get an Access Denied error when they try to log in. This is because claims-based authentication stores user identities in a different format (the login name is claims-encoded), so the existing classic entries no longer match.

The commands below need to be executed to migrate all the existing Windows users to the claims-based format.

Warning: Once migrated, the user information is changed in all the content databases of the web application. This change is permanent.

# Encode the account as a Windows (identitytype 1) claims principal
$account = "yourDomain\yourUser"
$account = (New-SPClaimsPrincipal -identity $account -identitytype 1).ToEncodedString()
$wa = Get-SPWebApplication $WebAppName
# Grant that account Full Control through a web application policy on the Default zone,
# so at least one account can get in while the users are being migrated
$zp = $wa.ZonePolicies("Default")
$p = $zp.Add($account, "PSPolicy")
$fc = $wa.PolicyRoles.GetSpecialRole("FullControl")
$p.PolicyRoleBindings.Add($fc)
$wa.Update()

# Convert the stored user identities to the claims format (permanent, all content databases)
$wa.MigrateUsers($true)
$wa.ProvisionGlobally()

Reverting from Claims Authentication back to Windows Authentication

$WebAppName = "http://yourWebAppUrl"
$wa = Get-SPWebApplication $WebAppName
$wa.UseClaimsAuthentication = $false
$wa.Update()

The above code only reverts the web application's authentication mode; the users are not migrated back, so they still need to be converted to Windows users. But when I tried MigrateUsers($false) I got the error below.

[error screenshot]

So that method cannot be used to revert the users. Instead I followed the approach given in the blog below:

http://sharepointegg.blogspot.sg/2011/01/reverting-claim-based-authentication-to.html

Basically, use the stsadm migrateuser operation (here called through the SPFarm.MigrateUserAccount API) and strip off the claims prefix in front of the user name for each user in the site collection.

Below is the code taken from that blog.

using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

class Program
{
    // Usage: Program.exe http://yourSiteCollectionUrl (run on a farm server as a farm administrator)
    static void Main(string[] args)
    {
        new Program(args[0]);
    }

    public Program(string url)
    {
        using (SPSite site = new SPSite(url))
        {
            using (SPWeb web = site.RootWeb)
            {
                foreach (SPUser user in web.AllUsers)
                {
                    // An empty string means the login is not claims-encoded, so it is skipped.
                    string username = GetClaimBasedUserName(user);
                    if (!username.Equals(string.Empty))
                    {
                        Console.Write("Migrating {0} to {1}...", user.LoginName, username);
                        try
                        {
                            // Same operation as "stsadm -o migrateuser"; the rename applies farm-wide.
                            SPFarm Farm = SPFarm.Local;
                            Farm.MigrateUserAccount(user.LoginName, username, false);
                            Console.WriteLine("Done");
                        }
                        catch (Exception ex)
                        {
                            Console.WriteLine(ex.Message);
                        }
                    }
                }
            }
        }
    }

    // Returns the classic Windows login for a claims-encoded user, or an empty string.
    private string GetClaimBasedUserName(SPUser user)
    {
        string username = string.Empty;
        try
        {
            if (user.IsDomainGroup)
            {
                // Claims-encoded Windows group ("c:0+.w|<SID>"): the classic name is the display name.
                if (user.LoginName.StartsWith("c:0+.w|"))
                {
                    username = user.Name;
                }
            }
            else
            {
                // Claims-encoded Windows user ("i:0#.w|domain\user"): drop the 7-character prefix.
                if (user.LoginName.StartsWith("i:0#.w|"))
                {
                    username = user.LoginName.Substring(7);
                }
            }
        }
        catch
        {
            // Any failure leaves username empty, so the caller skips this user.
        }
        return username;
    }
}
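The C# above handles the root web of one site collection. As an added example (not code from the original post or the linked blog), the PowerShell script below does the same reversal across every site collection of the web application, but as a dry run by default: it reports which logins are still claims-encoded and what they would be migrated to, and only calls MigrateUserAccount when -Migrate is passed. It assumes the SharePoint Management Shell on a farm server, a farm-administrator account, and the $WebAppName variable from earlier in the post.

```powershell
# Added example: audit claims-encoded logins across all site collections, optionally migrate.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-ClassicLoginName {
    param([Microsoft.SharePoint.SPUser]$User)
    # Claims-encoded Windows user "i:0#.w|domain\user" -> "domain\user"
    if (-not $User.IsDomainGroup -and $User.LoginName.StartsWith('i:0#.w|')) {
        return $User.LoginName.Substring(7)
    }
    # Claims-encoded Windows group "c:0+.w|<SID>" -> the group's display name
    if ($User.IsDomainGroup -and $User.LoginName.StartsWith('c:0+.w|')) {
        return $User.Name
    }
    return $null   # already classic, or a non-Windows claim that is left alone
}

function Invoke-ClaimsToClassicAudit {
    param([string]$WebAppUrl, [switch]$Migrate)
    $wa = Get-SPWebApplication $WebAppUrl
    $farm = [Microsoft.SharePoint.Administration.SPFarm]::Local
    $report = @()
    foreach ($site in Get-SPSite -WebApplication $wa -Limit All) {
        try {
            # SiteUsers is the whole site collection membership, wider than RootWeb.AllUsers
            foreach ($user in $site.RootWeb.SiteUsers) {
                $classic = Get-ClassicLoginName -User $user
                $status = 'unchanged'
                if ($classic) { $status = 'needs migration' }
                $report += New-Object PSObject -Property @{
                    Site = $site.Url; Login = $user.LoginName; Target = $classic; Status = $status
                }
                if ($Migrate -and $classic) {
                    # Same call as the C# code above; permanent and farm-wide
                    $farm.MigrateUserAccount($user.LoginName, $classic, $false)
                }
            }
        } finally {
            $site.Dispose()
        }
    }
    return $report
}

# Dry run first; add -Migrate only after reviewing the report
Invoke-ClaimsToClassicAudit -WebAppUrl $WebAppName | Format-Table Site, Login, Target, Status -AutoSize
```

Run the dry run before and after the migration: any row still marked "needs migration" afterwards is an account that will get Access Denied once the web application is back in Windows mode.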
