Note: This post is based on Beta 2 and is subject to change in future releases.
When upgrading MOSS 2007 FBA sites based on publishing templates, you need to run “MigrateUsers” method against the web application hosting the site to migrate users and permissions in the userinfo table. For publishing sites by default two separate accounts (portalsuperuseraccount and portalsuperreaderaccount) being used for caching, by default super users account is the site’s System Account and the default super reader user is NT Authority\Local Service, while these two accounts work post upgrade for web application in classic mode however they are not correctly resolved in a claims auth application after running the “MigrateUsers” method and as a result browsing to site collections hosted by the web application will result in an “Access Denied” even for the site collection admin.
To resolve this issue you need to:
- Create two separate windows accounts in AD that are not being used to login to the site
- Give “Full” permission and “Full Read” permission to each user respectively through web application user policy settings
- Assign the user with full permission to “PortalSuperUserAccount” property and the user with full read permission to “PortalSuperReaderAccount” property
- Update the web application and do an IISRESET.