To switch an existing web application that is configured to run in Classic Mode authentication, with NTLM as the authentication provider, over to Claims, run the following script:
```powershell
$WebAppName = "http://serverurl"
$account = "domain\administrator"

# Switch the Default zone to a new claims authentication provider.
$wa = Get-SPWebApplication $WebAppName
Set-SPWebApplication $wa -AuthenticationProvider (New-SPAuthenticationProvider) -Zone Default
# Wait here for the prompt to migrate users and answer YES.

# Grant the claims-encoded account Full Control through a web application user policy.
$wa = Get-SPWebApplication $WebAppName
$account = (New-SPClaimsPrincipal -Identity $account -IdentityType 1).ToEncodedString()
$zp = $wa.ZonePolicies("Default")
$p = $zp.Add($account, "PSPolicy")
$fc = $wa.PolicyRoles.GetSpecialRole("FullControl")
$p.PolicyRoleBindings.Add($fc)
$wa.Update()

# Migrate the existing user accounts to their claims-encoded form.
$wa = Get-SPWebApplication $WebAppName
$wa.MigrateUsers($true)
```
To test whether the migration has gone through:
- check the web.config to see whether the new Membership Provider section for Claims has been added
- log in as a site user and navigate to My Settings; you should see the token format of the user rather than domain\user
- go to Central Administration and check that the Default Zone is set to Claims
- in Central Administration, make sure in User Profiles that there are no duplicate accounts (the migration part of this script should take care of this)
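The web.config, zone and login-format checks above can also be scripted. The following is an added example, not part of the original post: the helper names `Get-ClassicLogin` and `Test-ClaimsMigration` are hypothetical, the sample logins are constructed, and it assumes a root site collection exists at the web application URL.

```powershell
# Added example: post-migration checks. Run in the SharePoint Management Shell on a farm server.
$WebAppName = "http://serverurl"   # same placeholder URL as the migration script

# Hypothetical helper: pass through logins that are NOT claims-encoded (still DOMAIN\user).
function Get-ClassicLogin {
    param([Parameter(ValueFromPipeline = $true)][string]$LoginName)
    process {
        # Claims-encoded logins start with a prefix such as "i:0#.w|" or "c:0+.w|".
        $isClaim = $LoginName -match '^[ic]:0..[a-z]\|'
        # SHAREPOINT\system is a built-in identity; review any other built-ins manually.
        $isSystem = $LoginName -ieq 'SHAREPOINT\system'
        if (-not $isClaim -and -not $isSystem) { $LoginName }
    }
}

# Hypothetical helper: collect the farm-side checks into one object.
function Test-ClaimsMigration {
    param([string]$Url)
    $wa  = Get-SPWebApplication $Url
    $iis = $wa.IisSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default]
    $cfg = Join-Path $iis.Path.FullName "web.config"
    New-Object PSObject -Property @{
        # The web application is in claims mode.
        WebAppUsesClaims = $wa.UseClaimsAuthentication
        # The claims membership provider is registered in the Default zone's web.config.
        ClaimsProviderInWebConfig = [bool](Select-String -Path $cfg -Pattern "SPClaimsAuthMembershipProvider" -Quiet)
        # User policy entries (these often carry Full Control) left in classic form.
        ClassicPolicyUsers = @($wa.ZonePolicies("Default") | ForEach-Object { $_.UserName } | Get-ClassicLogin)
        # Root-web users that MigrateUsers did not convert.
        ClassicSiteUsers = @(Get-SPUser -Web $Url -Limit All | ForEach-Object { $_.LoginName } | Get-ClassicLogin)
    }
}

# Constructed sample logins: only the classic-form entry is passed through.
"i:0#.w|domain\user", "domain\olduser", "c:0+.w|s-1-5-21-0-0-0-513" | Get-ClassicLogin

# Run the farm checks only where the SharePoint cmdlets are loaded.
if (Get-Command Get-SPWebApplication -ErrorAction SilentlyContinue) {
    Test-ClaimsMigration $WebAppName | Format-List
}
```

Any entry reported under `ClassicPolicyUsers` deserves attention first, since a policy bound to a classic login no longer matches the claims identity the user signs in with.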