9/23/11

SharePoint 2010 Web Application Modes - Classic vs Claims

SharePoint web applications can be configured in one of two authentication modes. Here are a few of the differences between them:

1. Classic - supports Windows Authentication NTLM

2. Claims - supports:

  1. Windows Authentication NTLM
  2. Windows Authentication Kerberos
  3. Forms Based
  4. External Auth (e.g. Windows Live ID)

Microsoft's instructions for changing the mode of a SharePoint web application:

To convert Web applications to claims-based authentication

From the Windows PowerShell command prompt, type the following:

 # Placeholders: the web application URL and the domain account that will be granted full control
 $WebAppName = "http://yourWebAppUrl"
 $account = "yourDomain\yourUser"
 $wa = Get-SPWebApplication $WebAppName
 # Switch the Default zone to a claims authentication provider (New-SPAuthenticationProvider with no arguments creates a Windows claims provider)
 Set-SPWebApplication $wa -AuthenticationProvider (New-SPAuthenticationProvider) -Zone Default

At the Migration prompt, click Yes to continue.

From the Windows PowerShell command prompt, type the following to set the user as an administrator for the site:

 $wa = Get-SPWebApplication $WebAppName
 # Encode the Windows account as a claims identity (identity type 1 is a Windows SAM account name, giving the i:0#.w|domain\user form)
 $account = (New-SPClaimsPrincipal -identity $account -identitytype 1).ToEncodedString()

From the Windows PowerShell command prompt, type the following to configure the policy to enable the user to have full access:

 # Add a Default zone policy that binds the claims account to the Full Control policy role
 $zp = $wa.ZonePolicies("Default")
 $p = $zp.Add($account,"PSPolicy")
 $fc = $wa.PolicyRoles.GetSpecialRole("FullControl")
 $p.PolicyRoleBindings.Add($fc)
 $wa.Update()

From the Windows PowerShell command prompt, type the following to perform user migration:

 $wa = Get-SPWebApplication $WebAppName
 # Convert the existing user accounts in the web application to their claims-encoded form
 $wa.MigrateUsers($true)

Additional migration guidelines

After you perform the steps in the previous procedures, you might experience one or more of the following issues.

Users who submit valid credentials might be notified that they do not have permissions. If this occurs, the portalsuperuseraccount property and the portalsuperreaderaccount property of the Web application were probably configured prior to migration. If this is the case, you must update the portalsuperuseraccount property and the portalsuperreaderaccount property to use the new claims-based account name. After migration, you can find the new claims-based account name in the Web application policy for the migrated Web application.
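One way to check for the issue just described, as an added example that is not part of the original post or of Microsoft's procedure: it reads the two object cache properties, re-encodes any that are still in classic domain\user form, and warns when the account has no web application policy. $WebAppName is a placeholder URL and the script assumes the SharePoint 2010 Management Shell.

```powershell
# Added example, not from the original post or Microsoft's procedure.
# After a claims migration, portalsuperuseraccount / portalsuperreaderaccount
# must hold claims-encoded identities (i:0#.w|domain\user); classic values
# left behind are the usual cause of "no permissions" for users with valid credentials.
# $WebAppName is a placeholder; run in the SharePoint 2010 Management Shell.
$WebAppName = "http://yourWebAppUrl"
$wa = Get-SPWebApplication $WebAppName
$changed = $false

foreach ($prop in "portalsuperuseraccount", "portalsuperreaderaccount") {
    $current = $wa.Properties[$prop]
    if (-not $current) {
        Write-Host "$prop is not set; nothing to migrate"
        continue
    }
    if ($current -like "i:*") {
        # Already a claims-encoded identity, e.g. i:0#.w|domain\user
        Write-Host "$prop already claims-encoded: $current"
    }
    else {
        # Classic domain\user value: encode it as a Windows claims identity
        $encoded = (New-SPClaimsPrincipal -Identity $current -IdentityType WindowsSamAccountName).ToEncodedString()
        Write-Host "Updating $prop from '$current' to '$encoded'"
        $wa.Properties[$prop] = $encoded
        $current = $encoded
        $changed = $true
    }
    # The object cache account also needs a web application policy; warn if none matches the encoded name
    $policy = $wa.Policies | Where-Object { $_.UserName -eq $current }
    if (-not $policy) {
        Write-Warning "$prop ($current) has no web application policy; add one as in the conversion steps above"
    }
}

# Persist property changes only if something was rewritten
if ($changed) { $wa.Update() }
```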

If existing alerts are not invoked after migration, you might have to delete and recreate the alerts.

If Search crawl does not function after migration, make sure the Search crawl account lists the new converted account name. If the new converted account name is not listed, you must manually create a new policy for the crawl account.
