Azure, Open Source and ...

Upgrading a Windows auth MOSS 2007 web application to a SharePoint Server 2010 web application in claims mode (AD FS 2.0)

Recently I was asked by a customer about the steps required to upgrade content from a MOSS 2007 (Windows auth) web application to SharePoint Server 2010 while providing access to the sites and My Sites for the same users and groups via AD FS 2.0. In this post I am not going through the steps for configuring AD FS 2.0 and adding a trusted identity provider in SharePoint 2010, and I assume that:

  • All users and groups are part of Contoso domain
  • Portal and My sites are being upgraded to SharePoint 2010
  • AD FS 2.0 is already configured and uses Contoso AD as its attribute store
  • Relying partner trusts created for Portal and My Sites
  • Windows Account Name and Role claims are configured to be sent to each relying party
  • A trusted identity provider is configured in the SharePoint Server 2010 farm using the New-SPTrustedIdentityTokenIssuer cmdlet

Following is a list of tasks required to successfully upgrade the content and migrate users and groups from Windows auth to AD FS 2.0:

  • Provision separate web applications in claims mode (Windows auth) for Portal (http://portal.contoso.com) and My Sites (http://my.contoso.com)
  • Upgrade Portal and My Site content databases using Mount-SPContentDatabase cmdlet
  • Migrate all user profiles by provisioning a new User Profile Service Application from the existing MOSS 2007 SSP database, using the New-SPProfileServiceApplication cmdlet
  • Migrate all users and groups to Windows Claims mode for both web applications by running SPWebApplication.MigrateUsers($True)
  • Verify that users and members of groups have access to the Portal and their My Sites using Windows authentication
  • For each web application add the trusted identity provider as claims authentication type
  • Migrate the users from Windows claim encoding to AD FS 2.0 by using Move-SPUser cmdlet
  • example:

# Look up the account by its Windows-claims login (i:0#.w|domain\user)
$user = Get-SPUser -Web https://portal.contoso.com -Identity "i:0#.w|contoso\JohnD"
# New alias: the same Windows Account Name claim ("#") now issued by the trusted provider (".t");
# -IgnoreSID because an AD FS identity carries no Windows SID to preserve
Move-SPUser -Identity $user -NewAlias "i:0#.t|adfs20server|JohnD" -IgnoreSID

  • For groups use the SPFarm.MigrateGroup method
  • example:


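As an added example (not code from the original post), the following script carries both migration steps above through end to end: it moves one user with Move-SPUser and one Active Directory group with SPFarm.MigrateGroup, then verifies the result. It assumes the trusted provider was registered with the name "adfs20server", that Windows Account Name is its identity claim and Role its group claim, and uses a constructed user JohnD and group "Portal Readers"; the helper function names are mine.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webUrl       = "https://portal.contoso.com"
$providerName = "adfs20server"   # assumed: the -Name passed to New-SPTrustedIdentityTokenIssuer
$domain       = "contoso"

# SharePoint 2010 claim encodings used below:
#   i:0#.w|domain\user   identity, Windows Account Name claim ("#"), issued by Windows (".w")
#   i:0#.t|issuer|user   identity, Windows Account Name claim, issued by a trusted provider (".t")
#   c:0+.w|<SID>         Windows security group, carried as a group SID claim ("+")
#   c:0-.t|issuer|role   Role claim ("-") issued by a trusted provider
function Get-WindowsUserClaim([string]$sam)  { "i:0#.w|$domain\$sam" }
function Get-TrustedUserClaim([string]$sam)  { "i:0#.t|$providerName|$sam" }
function Get-WindowsGroupClaim([string]$group) {
    # Windows-claims group entries store the SID, not the name, so resolve it from AD first
    $account = New-Object System.Security.Principal.NTAccount($domain, $group)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    "c:0+.w|$sid"
}
function Get-TrustedRoleClaim([string]$group) { "c:0-.t|$providerName|$group" }

# --- user migration: one user; loop over (Get-SPUser -Web $webUrl) to cover all of them ---
$sam  = "JohnD"   # constructed sample account
$user = Get-SPUser -Web $webUrl -Identity (Get-WindowsUserClaim $sam) -ErrorAction SilentlyContinue
if ($user -ne $null) {
    # -IgnoreSID: the trusted-provider identity has no Windows SID to carry across
    Move-SPUser -Identity $user -NewAlias (Get-TrustedUserClaim $sam) -IgnoreSID -Confirm:$false
}

# --- group migration: farm-wide, rewrites the group's login in every site collection ---
$group = "Portal Readers"   # constructed sample AD group
$farm  = Get-SPFarm
$farm.MigrateGroup((Get-WindowsGroupClaim $group), (Get-TrustedRoleClaim $group))

# --- verification: the trusted-provider logins resolve, the Windows-claims ones no longer do ---
Get-SPUser -Web $webUrl -Identity (Get-TrustedUserClaim $sam)   | Select-Object UserLogin, DisplayName
Get-SPUser -Web $webUrl -Identity (Get-TrustedRoleClaim $group) | Select-Object UserLogin, DisplayName, IsDomainGroup
```

Run MigrateGroup while Windows authentication is still enabled on the web application, so that the SID of the old group entry can still be resolved, and check each migrated login with Get-SPUser before removing Windows authentication from the zone; a group whose Role claim value does not match the name AD FS sends in the token will resolve in SharePoint but grant nothing to its members at sign-in.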
  • At this point all members of those groups should be able to log in using AD FS 2.0, have access to the content, and be able to view their user profile information and personal sites


I should note that further assessment and testing is required with regard to other services such as Search, Excel Services, etc.