.NET Tutorials, Forums, Interview Questions And Answers

Migrate from Classic to Claims based authentication

Posted Date: September 03, 2010    Points: 0    Category: SharePoint
So this is really an outside the normal question and I am hoping someone has some thoughts. I am going to be upgrading a MOSS 2007 farm to MSS2010. I have to move hardware so I will be using the content database attach method for upgrade. The site is currently extended to a second IIS Application to support both Windows and Forms based authentication. Since this is an intranet, unique security is used at the site level (and occasionally at the doc lib level). I want to take advantage of Claims Based Authentication (and use one URL, plus other benefits). I am well aware that the claims based token is not the same as the Windows token even though the NTLM user is really the same. Thus that is what presents the issue. I need to "migrate" all of my current NTLM-Classic users to claims based. My first thought is to read the users added to each site (actually role assignments), find all users that have the domain name at the beginning of the member name and add a new user (appending the i:0#.w| to the beginning of the loginname) to the site. This works beautifully and is successful. The problem arises in that the role assignments contain SharePoint groups (which we don't use much) and AD groups. The SharePoint groups are ok (yes, I have to migrate the users in them too, but no problem). The AD groups are added via SID when it is claims based. This presents the probl


More Related Resource Links

migrate from windows to forms in claims based authentication


Hi friends,

I am using SharePoint 2010 forms based authentication (claims based), configured all the web.config files, and it's working fine. Now I want to change this application to Windows authentication (claims). What are the things to follow to change the application to Windows and vice versa? I referred to a few links, but they are about going from classic to claims and many other things, not my requirement.



Claims Tips: Learning About Claims-Based Authentication in SharePoint 2010

Use these five tips for guidance in solving problems related to using and configuring claims.

Sample: SharePoint Claims-Based Authentication

Explore the code as you learn how to create a custom security token service (STS) and set up a trust relationship between a SharePoint 2010 farm and the custom STS.

AutoLogin for authenticated user via LiveID in Sharepoint 2010 (Claims Based Authentication)

Hi, I'm working on integrating LiveID authentication in my SharePoint site. Live ID gives back a token of the user, with which I created a dummy profile using MembershipProvider.CreateUser. Now I have to auto login the user with the profile I created; I mean I have to force login to my SharePoint site using the created dummy user details without asking the user to give a username and password. Any suggestion will be a great help for me to proceed. Thanks, Saravanan Michael

Should I use claims based authentication?

I'm about to set up a web application to host a public facing website. Internal staff will authenticate to the site via Active Directory and we may have a need to allow external users to access "authenticated" parts of the site. To authenticate them we plan to use Windows Live ID. With that in mind: is it better to set the web application up to use claims based authentication from the start rather than having to change it later? Is there anything available as of yet to set up SharePoint 2010 to authenticate against Windows Live ID using claims based authentication?

How do I use PowerShell to configure Web.Config for forms-based authentication for a Claims Based we

This TechNet article does a great job describing how to Configure forms-based authentication for a claims-based Web application using PowerShell. However, it glosses over editing the web.config file by just saying "Find the <Configuration> <system.web> section and add the following entry:" Is it possible to edit the web.config file using PowerShell using the IIS PowerShell snapin or can I just edit the web.config file as an XML document? This succeeds in adding the element, but only with the name and type. It does not add the connectionStringName or the applicationName:

    import-module webadministration
    Add-WebConfiguration /system.web/membership/providers "IIS:\sites\[site name]" -value @{name="FBAMembershipProvider";`
    type="System.Web.Security.SqlMembershipProvider, System.Web, Version=, Culture= neutral, PublicKeyToken= b03f5f7f11d50a3a";`
    connectionStringName="FBAconn";`
    applicationName="/"}

Does anyone have any suggestions on a direction to go to add the membership providers and role providers in the web.config using PowerShell? This is very frustrating because I can do it manually, I can do it through the UI in IIS Manager, I can do it using appcmd, but no matter what I do, I can't get it to work using PowerShell.

SharePoint 2010 Claims Based Authentication - anonymous site is prompting for CBA auth when opening

Hi, I have CBA set up successfully on my sites. One site is set up for anonymous access and I have disabled "client integration" on that web application. I have a list of MS Office documents on a wiki. When I click on one I am asked to either save or open or cancel. Saving works fine but when I choose open, it launches the associated MS Office app. I am then prompted for a login from CBA. I can click cancel and the logon screen appears again. After clicking cancel the 2nd time the document appears in the MS Office app, Word in this case. My question is how do I prevent my users from being prompted for a CBA login when clicking on these files and opening them in the native app on their machine? --TR

Regarding Claims Based Authentication in sharepoint2010

Hey, I have a web application which is in classic mode. Now I want to extend the same application in claims mode. Can you please suggest a proper process? Thanks in advance! Share Knowledge and Spread Love!

Claims Based Authentication

I have successfully gotten my SharePoint site to use claims-based authentication, but now I am trying to configure it so it works. Right now I can't connect locally or from my extranet. I am following this guide: http://technet.microsoft.com/en-us/library/ee806890.aspx I haven't changed my web.config files yet, because I don't know what information I need to fill in. There are a lot of places that say, your server here, and I need to put in some OUs and whatnot. I don't know what info I am supposed to put in. First of all, I don't know what server I am supposed to put in. Do I need my domain controller there, my SharePoint server, my SQL server? I am guessing the part with the OUs is Active Directory stuff, so that would imply I use my domain controller. I have already used the aspnet_regsql application to create a database, but I am not really sure what I am supposed to do with it. Is there a guide somewhere that explains things better, or could someone help me out? Here is the code:

    <membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <add name="membership" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="yourserver.com"

Changed to claims based authentication, now I can't access my site. Please help! Time is of the ess

I am in a pretty big bind. I have a SharePoint 2010 site that was using classic Windows authentication. It worked fine from the inside, and I was able to extend it to the outside and it was using https with an SSL certificate. However, my PerformancePoint reports and my external lists weren't working when the site was accessed from the outside. Apparently this is a known issue with using classic authentication on the outside, so I tried to switch over to claims based authentication. I followed this guide: http://blogs.technet.com/b/wbaer/ar...point-2010.aspx I obviously changed the contoso stuff to my domain name, and changed all of the config files. The problem is, now I can't access the site at all from the inside or the outside. Here is the error I get in my logs:

    An exception occurred when trying to issue security token: Could not connect to http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc/actas. TCP error code 10061: No connection could be made because the target machine actively refused it .

My SharePoint Central Administration site gives me this warning:

    The Security Token Service is not issuing tokens. The service could be malfunctioning or in a bad state. Remedy Administrator should try to restart the Security Token Service on the boxes where it is not issuing tokens. If problem persists, f

Claims Based Authentication with ADFS 2.0


I have set up the claims based environment with ADFS 2.0 and everything is working fine, but when I select my claims in the people picker it's not validating whether the claim exists or not. It's showing whatever I enter as a result in the people picker page. I want to check if the claim exists, and only then should the claim be shown as a result and resolved.

Can anyone guide me on how to start and where to make modifications, so that I can pick only claims which I have created or which exist?

Claims Based Authentication - Access Denied for NTLM - Network Related



We have setup a test SharePoint environment on a single box. If we create a new classic authentication web application using NTLM the site works fine, and recognizes AD users correctly. Users can then login successfully. If we create a new claims based authentication web application using NTLM all users receive an Access Denied error when trying to view the site. The application will recognize AD users when applying permissions in Central Admin's User Policy section, but none of those users are able to access the site.

If I turn on Fiddler Capture, the sites will work fine. Once I turn it off the sites no longer work and we are again presented with an Access Denied exception (or sometimes 403 Forbidden in Firefox and Chrome). I know that Fiddler creates a local proxy so I'm curious what that proxy is doing that allows claims based to work correctly.

Has anyone seen this before? Does this sound Firewall/Antivirus related? Client or server?

Thank you,



How to get SharePoint file content by URL from web applications with claims based authentication conf



I am using the following code to get SharePoint document content:

using (System.Net.WebClient objWebClient = new System.Net.WebClient())
{
    objWebClient.Credentials = new System.Net.NetworkCredential("username", "password", "domain");
    using (System.IO.BinaryReader file = new System.IO.BinaryReader(objWebClient.OpenRead("http://machine_name:10000/Shared%20Documents/some_file.txt")))
    {
        //Read file stream
    }
}

Windows Identity Foundation (Claims Based Authentication) for Reporting Services



I see that SQL Server 2008 R2 Reporting Services now supports Claims Based Authentication in SharePoint 2010, meaning that end users can authenticate with SharePoint using Claims Based Authentication, and use the same security tokens to connect through to Reporting Services.

I assume that behind the scenes SharePoint is using Windows Identity Foundation (WIF - formerly codenamed "Geneva") to handle the authentication, and passing this on to Reporting Services.

I'm keen to use Windows Identity Foundation to authenticate with Reporting Services without SharePoint. We have an existing ASP.NET web application, and we'd like to call Reporting Services from that, passing on the Windows Identity Foundation credentials of the user logged into our web application.

I've done some work on setting up a custom security extension using Forms Authentication (based on the sample), but am not sure how to proceed from there.

Google/Bing hasn't been helpful. Can you please point me to some guidance on how to set up Windows Identity Foundation authentication for Reporting Services?

Claims Based Authentication (CBA) and Web Services Authentication


I'm planning to use CBA to do authentication and authorization to a document library. For example, if you have the claim type 'location' equal to 'London' then you are granted access to a folder. Simple, and it works great from the out-of-the-box web browser interface.

The question is, can the Web Services interfaces also accept a signed SAML token and use those attributes to do authentication and authorization? I would prefer to use the CMIS interface where possible. I understand that the web services are based on WCF, which leads me to believe I can just modify the web.config to add in WCF directives for ws2007HttpBinding->security->message, but will the SP web services code respond by using the identity in the message?

What I have noticed so far is that the CMIS interface has directives for impersonation only. Since CBA identities do not map to Windows accounts, I think I'm barking up the wrong tree. I'm not dead set on CMIS, so if there are other web services available to do CBA, I'm all ears.

There's not a lot of practical material on this, and I'm currently working on a PoC to achieve this goal. Any help would be greatly appreciated.



Making Claims based authentication work with multi-tenant environment in SP 2010


Does anybody know of a guide or reference for setting up hosting in a multi tenant where authentication happens in claims based mode?


We have a setup where our clients are hosted on a single web application under different site collections. And we use forms authentication where user of a particular site collection gets authentication using the respective database. We now want to use claims based authentication and out-of-the-box multi-tenancy of SP 2010. We can setup site collections and site groups, but how do we implement claims based authentication in an env like this?

Claims based authentication and persistent cookies


We recently upgraded our MOSS Forms based web application to SharePoint 2010. In MOSS, we had a custom login page and in here we would create a persistent cookie named .ASPXAuth (valid for 365 days) if the user selected remember me while logging in. If remember me was not selected, then we would create a normal session based cookie which would have a timeout period as specified in the web.config.

With Claims based applications, this technique has considerably changed. Because of the STS service, which is now responsible for creating the tokens (and automatically creates a cookie called FedAuth with a specified lifetime as per the STS settings), how do I replicate the MOSS 2007 custom login page functionality?

Any code examples will be helpful. My login page functionality is similar to the one discussed in the below link:


