Free workshop
Guaranteed
Introduction to Agility and Building Awesome Teams
5 August , 2021 | 16:00–17:30 | Europe [ BST ] Workshop Beginner 90 Minutes

SharePoint 2013 Issue – After migration from 2010 user permission not working

Audience

No items found

Table of Contents

Users coming from a SharePoint 2010 system that try to access SharePoint 2013 after a migration receive a “this site has not been shared with you” message. This mean that they are not able to authenticate to SharePoint 2013.

Further you see authentication issues with user profiles not matching recent changes to Active Directory.

Applies to

  • SharePoint 2013
  • SharePoint 2010 Upgrade to 2013

Findings

Man this was a hard one. I was searching for ages and pulling my hair out when Tushar Malu found some awesome information that saved my bacon.

In SharePoint 2013 there is a new authentication mechanism called Claim based authentication. Be default through the UI all Applications are created in this mode. There is a way to create web applications that use classic mode authentication in SharePoint 2013 but if you have already created your application tier and you import a Collection from a SharePoint 2010 server then you might find that no one can access your server at all.

After you have imported your SharePoint 2010 data into SharePoint 2013 with the “Mount-SPContentDatabase” command you then need to update all of the user accounts as per:

This while fairly simple is a little difficult to fins and figure out and I spent many hours trying to configure SharePoint User Profile Synchronisation to no avail. In fact all you need is a simple PowerShell to do the synchronisation.

Solution

Although finding this was not simple the execution is. I created a PowerShell script that loops through all of your SharePoint 2013 web applications and upgrades each one to claim’s based authentication.

 Param(
    [string]  $account = $(Read-Host -prompt "UserAccount")
    )
Add-PSSnapIn Microsoft.SharePoint.PowerShell

foreach ($wa in get-SPWebApplication)
{
    Write-Host "$($wa.Name) | $($wa.UseClaimsAuthentication )"
    #http://technet.microsoft.com/en-us/library/gg251985.aspx
    $wa.UseClaimsAuthentication = $true
    $wa.Update()
    $account = (New-SPClaimsPrincipal -identity $account -identitytype 1).ToEncodedString()
    $zp = $wa.ZonePolicies("Default")
    $p = $zp.Add($account,"PSPolicy")
    $fc=$wa.PolicyRoles.GetSpecialRole("FullControl")
    $p.PolicyRoleBindings.Add($fc)
    $wa.Update()
    $wa.MigrateUsers($true)
    $wa.ProvisionGlobally()
}

These commands tool less than 10 minutes to run on 3 content databases with nearly 100GB of data. In addition some bright spark had added “NT AuthorityAuthenticated Users” to one of the main sites ‘”Contributors” group. While this sounds like something that I would do, if I had done it I would have added them to “Readers”…

Create a conversation around this article

Share on facebook
Share on Facebook
Share on twitter
Share on Twitter
Share on linkedin
Share on Linkdin
Share on pinterest
Share on Pinterest

Want to learn more?

Check out the many training classes that we have.

Core
No items found
Advanced
No items found

OUR TEAM

We believe that every company deserves high quality software delivered on a regular cadence that meets its customers needs. Our goal is to help you reduce your cycle time, improve your time to market, and minimise any organisational friction in achieving your goals.

naked Agility Limited is a professional company that offers training, coaching, mentoring, and facilitation to help people and teams evolve, integrate, and continuously improve.

We recognise the positive impact that a happy AND motivated workforce, that has purpose, has on client experience. We help change mindsets towards a people-first culture where everyone encourages others to learn and grow. The resulting divergent thinking leads to many different ideas and opportunities for the success of the organisation.