Migrating User Forms Based Permissions in 2010 Upgrade

Not everything gets upgraded in the RTM build of 2010. Usernames and permissions seem to get lost when you upgrade. There are several things you have to do to get your upgraded forms-based authentication to work:

The first error you will get is "Forms Based Authentication on classic Web applications has been deprecated." This is solvable by opening the SharePoint 2010 Management Shell and upgrading the web application to use claims-based authentication:

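# Switch the web application from classic mode to claims mode
$w = Get-SPWebApplication "http://webappurl/"
$w.UseClaimsAuthentication = $true
# Persist the change and provision it on the servers in the farm
$w.Update()
$w.ProvisionGlobally()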

The second thing is to enable your forms-based auth in the Security Token Service, as in my other blog post.

Next, ensure that your settings are valid in the Framework64 directory if you are using machine.config to propagate your SQL Server settings for Aspnetsqlmembership. This changed because SharePoint is now 64-bit, not 32-bit.

Once this is done, you will NOT be able to log in! Why? Because the internal name of the user you have set up as the site collection administrator is tied to the old aspnetsqlmembershipprovider:username naming scheme in the databases. The new naming convention is i:0#.f|aspnetsqlmembershipprovider|username

How do you update this? Other than going into the database and updating it directly, you really have only one other choice: remove and re-add each user! If you have hundreds of users, if not thousands, you're in for a long day! Luckily, I wrote a nice little PowerShell script that goes in and adds/removes all the users. Here it is (as with anything, use at your own discretion):

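# Re-add every group member under its new claims-encoded login, then drop the old entry
$spweb = Get-SPWeb "webappurl"
foreach ($spgroup in $spweb.Groups)
{
    Write-Host $spgroup.Name

    # Take a snapshot of the members: the loop adds to and removes from this same group,
    # so it must not enumerate the live collection
    foreach ($spuser in @($spgroup.Users))
    {
        Write-Host "Migrating: " $spuser.Name
        # EnsureUser is passed the display name here, which assumes it matches the membership user name
        $newuser = $spweb.EnsureUser($spuser.Name)
        Write-Host "SPUser=" $spuser
        Write-Host "NewUser=" $newuser
        Write-Host "Adding user:" $newuser.Name " to group: " $spgroup.Name
        $spgroup.AddUser($newuser)
        # Only remove the old entry when the new user really is a different login
        if ($newuser.UserLogin -ne $spuser.UserLogin)
        {
            Write-Host "Removing old user:" $spuser.Name " from group: " $spgroup.Name
            $spgroup.RemoveUser($spuser)
        }
    }
}
# Release the SPWeb object when finished
$spweb.Dispose()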
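
A dry run of the rename described above, added here as an example and not part of the original script: it maps old-style logins to the new naming convention so the list can be reviewed before any group membership is touched. The function name Convert-LegacyFbaLogin, the Action labels and the sample logins are made up for illustration; it needs no SharePoint cmdlets.

```powershell
# Added example: classify logins and compute the claims-encoded name without changing anything.
function Convert-LegacyFbaLogin {
    param(
        [Parameter(Mandatory = $true)][string]$Login,
        [string]$Provider = 'aspnetsqlmembershipprovider'
    )
    $claimsPrefix = 'i:0#.f|' + $Provider + '|'
    $legacyPrefix = $Provider + ':'

    # Already in the new form for this provider: nothing to migrate.
    if ($Login.StartsWith($claimsPrefix, [StringComparison]::OrdinalIgnoreCase)) {
        return New-Object PSObject -Property @{ Old = $Login; New = $Login; Action = 'AlreadyClaims' }
    }

    # Old form is provider:username. Strip only the leading prefix,
    # so a colon inside the user name itself is preserved.
    if ($Login.StartsWith($legacyPrefix, [StringComparison]::OrdinalIgnoreCase)) {
        $user = $Login.Substring($legacyPrefix.Length)
        if ($user.Length -eq 0) {
            # Prefix with no user name: flag it instead of producing a bogus claim.
            return New-Object PSObject -Property @{ Old = $Login; New = $null; Action = 'Invalid' }
        }
        return New-Object PSObject -Property @{ Old = $Login; New = $claimsPrefix + $user; Action = 'Migrate' }
    }

    # Windows accounts and other providers are not part of this migration.
    return New-Object PSObject -Property @{ Old = $Login; New = $null; Action = 'Skip' }
}

# Constructed sample logins (not taken from a real farm)
$sample = @(
    'aspnetsqlmembershipprovider:alice',
    'AspNetSqlMembershipProvider:bob',
    'i:0#.f|aspnetsqlmembershipprovider|carol',
    'CONTOSO\dave',
    'aspnetsqlmembershipprovider:'
)

# Hashtable property order is not guaranteed, so pick the column order explicitly.
$sample | ForEach-Object { Convert-LegacyFbaLogin -Login $_ } |
    Select-Object Old, New, Action | Format-Table -AutoSize
```

Comparing the Migrate rows against the group memberships before and after the real run is a quick way to confirm nobody lost or gained access.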
