
SharePoint 2013 Issue - After migration from 2010 user permission not working

TL;DR; After migrating from SharePoint 2010 to 2013, users may face permission and authentication issues due to changes in claims-based authentication settings.


Users coming from a SharePoint 2010 system who try to access SharePoint 2013 after a migration receive a “this site has not been shared with you” message. This means that they are not able to authenticate to SharePoint 2013.

Further, you see authentication issues with user profiles not matching recent changes to Active Directory.

Applies to

Findings

Man this was a hard one. I was searching for ages and pulling my hair out when Tushar Malu found some awesome information that saved my bacon.

In SharePoint 2013 there is a new authentication mechanism called claims-based authentication. By default, all web applications created through the UI use this mode. There is a way to create web applications that use classic-mode authentication in SharePoint 2013, but if you have already created your application tier and you import a collection from a SharePoint 2010 server, you might find that no one can access your server at all.

After you have imported your SharePoint 2010 data into SharePoint 2013 with the “Mount-SPContentDatabase” command you then need to update all of the user accounts as per:

This, while fairly simple, is a little difficult to find and figure out, and I spent many hours trying to configure SharePoint User Profile Synchronisation to no avail. In fact, all you need is a simple PowerShell script to do the synchronisation.

Solution

Although finding this was not simple, the execution is. I created a PowerShell script that loops through all of your SharePoint 2013 web applications and upgrades each one to claims-based authentication.

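    Param(
        [string] $account = $(Read-Host -Prompt "UserAccount")
    )
    Add-PSSnapin Microsoft.SharePoint.PowerShell

    # Encode the account as a claims principal once, before the loop, so the
    # already-encoded string is not encoded again for the next web application.
    $claim = (New-SPClaimsPrincipal -Identity $account -IdentityType 1).ToEncodedString()

    foreach ($wa in Get-SPWebApplication)
    {
        # Show each web application and whether it already uses claims
        Write-Host "$($wa.Name) | $($wa.UseClaimsAuthentication)"
        # http://technet.microsoft.com/en-us/library/gg251985.aspx
        # Switch the web application to claims-based authentication
        $wa.UseClaimsAuthentication = $true
        $wa.Update()
        # Give the account a Full Control policy on the Default zone
        $zp = $wa.ZonePolicies("Default")
        $p = $zp.Add($claim, "PSPolicy")
        $fc = $wa.PolicyRoles.GetSpecialRole("FullControl")
        $p.PolicyRoleBindings.Add($fc)
        $wa.Update()
        # Convert existing Windows logins to their claims-encoded form
        $wa.MigrateUsers($true)
        $wa.ProvisionGlobally()
    }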

These commands took less than 10 minutes to run on 3 content databases with nearly 100GB of data. In addition, some bright spark had added “NT Authority\Authenticated Users” to one of the main sites' “Contributors” group. While this sounds like something that I would do, if I had done it I would have added them to “Readers”…
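A read-only audit to run after the migration script, added here as an example and not part of the original post: it reports each web application's authentication mode, every Default-zone policy (including the Full Control "PSPolicy" the script creates), and any site group that contains all authenticated users. The function name `Get-MigrationAuditReport` is hypothetical, and the two login strings are assumed to be the classic and claims-encoded forms of the authenticated-users principal.

```powershell
# Added example: post-migration permission audit. Reads only, changes nothing.
# Run in the SharePoint 2013 Management Shell with farm administrator rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed logins that mean "anyone who can authenticate": the classic Windows
# name and the claims-encoded form it takes after MigrateUsers has run.
$broadLogins = @('NT AUTHORITY\authenticated users', 'c:0!.s|windows')

function Get-MigrationAuditReport {
    foreach ($wa in Get-SPWebApplication) {
        # 1. Is the web application now in claims mode?
        [pscustomobject]@{
            WebApplication = $wa.Name; Check = 'ClaimsEnabled'
            Scope = ''; Principal = ''; Detail = $wa.UseClaimsAuthentication
        }

        # 2. Default-zone policies apply to every site collection in the web
        #    application, so each Full Control binding deserves a named owner.
        foreach ($policy in $wa.ZonePolicies('Default')) {
            $roles = ($policy.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ', '
            [pscustomobject]@{
                WebApplication = $wa.Name; Check = 'ZonePolicy'
                Scope = $policy.DisplayName; Principal = $policy.UserName
                Detail = $roles
            }
        }

        # 3. Site groups that include all authenticated users.
        foreach ($site in Get-SPSite -WebApplication $wa -Limit All) {
            try {
                foreach ($group in $site.RootWeb.SiteGroups) {
                    foreach ($user in $group.Users) {
                        # -contains compares case-insensitively
                        if ($broadLogins -contains $user.LoginName) {
                            [pscustomobject]@{
                                WebApplication = $wa.Name; Check = 'BroadGroupMember'
                                Scope = $site.Url; Principal = $user.LoginName
                                Detail = $group.Name
                            }
                        }
                    }
                }
            }
            finally { $site.Dispose() }   # release the SPSite after inspection
        }
    }
}

Get-MigrationAuditReport | Format-Table -AutoSize
```

Rows with `Check = BroadGroupMember` and a group such as "Contributors" in `Detail` are the case described above; `ZonePolicy` rows show which accounts hold Full Control across the whole web application and can be removed once the migration account is no longer needed.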
