Upgrading a Windows auth MOSS 2007 web application to a SharePoint Server 2010 web application in claims mode (AD FS 2.0)

Recently a customer asked me about the steps required to upgrade content from a MOSS 2007 (Windows auth) web application to SharePoint Server 2010 and to give the same users and groups access to the sites and My Sites via AD FS 2.0. This post does not cover the steps for configuring AD FS 2.0 or adding a trusted identity provider in SharePoint 2010; it assumes that:

  • All users and groups are part of Contoso domain
  • Portal and My sites are being upgraded to SharePoint 2010
  • AD FS 2.0 is already configured and uses Contoso AD as its attribute store
  • Relying party trusts have been created for Portal and My Sites
  • Windows Account Name and Role claims are configured to be sent to each relying party
  • A trusted identity provider has been configured in the SharePoint Server 2010 farm using the New-SPTrustedIdentityTokenIssuer cmdlet

Following is a list of tasks required to successfully upgrade the content and migrate users and groups from Windows auth to AD FS 2.0:

  • Provision separate web applications in claims mode (Windows auth) for Portal (http://portal.contoso.com) and My Sites (http://my.contoso.com)
  • Upgrade the Portal and My Site content databases using the Mount-SPContentDatabase cmdlet
  • Migrate all user profiles by provisioning a new User Profile service application from the existing MOSS 2007 SSP database with the New-SPProfileServiceApplication cmdlet
  • Migrate all users and groups to Windows claims encoding for both web applications by calling SPWebApplication.MigrateUsers($True)
  • Verify that users and group members have access to the Portal and their My Sites using Windows authentication
  • For each web application, add the trusted identity provider as a claims authentication type
  • Migrate the users from Windows claims encoding to AD FS 2.0 encoding using the Move-SPUser cmdlet
  • example:

# Look up the account by its Windows claims login, then move it to the login
# issued by the trusted identity provider. -IgnoreSID is required because the
# new login is not backed by a Windows SID.
$user = Get-SPUser -Web https://portal.contoso.com -Identity "i:0#.w|contoso\JohnD"
Move-SPUser -Identity $user -NewAlias "i:0ǹ.t|adfs20server|JohnD" -IgnoreSID

  • For groups, use the SPFarm.MigrateGroup method
  • example:


  • At this point all members of those groups should be able to log in using AD FS 2.0, access the content, and view their user profile information and personal sites
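The Move-SPUser and SPFarm.MigrateGroup steps above applied to a whole web application, as an added example that is not part of the original post. It assumes the trusted provider is registered as "adfs20server", that its identity claim encodes as "0#" (Windows Account Name) and its role claim as "0-" (Role), and that SPFarm.MigrateGroup accepts the existing Windows group login as its first argument; check (Get-SPTrustedIdentityTokenIssuer).ClaimTypeInformation before running, since SharePoint assigns a different character (as in the "0ǹ" example above) to non-standard claim types.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl     = "http://portal.contoso.com"
$oldUserPrefix = "i:0#.w|contoso\"        # Windows claims encoding of a domain user
$newUserPrefix = "i:0#.t|adfs20server|"   # identity claim from the trusted provider (assumed "0#")
$newRolePrefix = "c:0-.t|adfs20server|"   # role claim from the trusted provider (assumed "0-")
$dryRun = $true                           # print the planned moves first; set to $false to apply

$webApp = Get-SPWebApplication $webAppUrl
$groupsToMigrate = @{}                    # old group login -> new role claim login

foreach ($site in $webApp.Sites) {
    try {
        foreach ($principal in $site.RootWeb.SiteUsers) {
            $login = $principal.UserLogin
            if ($login.StartsWith($oldUserPrefix)) {
                # Re-map the sAMAccountName part of the Windows login onto the trusted provider
                $newAlias = $newUserPrefix + $login.Substring($oldUserPrefix.Length)
                Write-Host "user  $login -> $newAlias"
                if (-not $dryRun) { Move-SPUser -Identity $principal -NewAlias $newAlias -IgnoreSID -Confirm:$false }
            }
            elseif ($principal.IsDomainGroup -and $login.StartsWith("c:0+.w|")) {
                # Windows group claims carry the SID; the readable name is in Name ("contoso\GroupName")
                $groupsToMigrate[$login] = $newRolePrefix + $principal.Name.Split("\")[-1]
            }
        }
    }
    finally { $site.Dispose() }
}

# Groups are migrated once at farm level (assumed signature: MigrateGroup(oldLogin, newLogin))
$farm = Get-SPFarm
foreach ($oldLogin in $groupsToMigrate.Keys) {
    Write-Host "group $oldLogin -> $($groupsToMigrate[$oldLogin])"
    if (-not $dryRun) { $farm.MigrateGroup($oldLogin, $groupsToMigrate[$oldLogin]) }
}

# Post-check: any principal still carrying a Windows claims login was not migrated
$leftover = @()
foreach ($site in $webApp.Sites) {
    try {
        $leftover += $site.RootWeb.SiteUsers |
            Where-Object { $_.UserLogin -like "i:0#.w|*" -or $_.UserLogin -like "c:0+.w|*" }
    }
    finally { $site.Dispose() }
}
Write-Host "Windows claims principals still present: $($leftover.Count)"
```

Run it once with $dryRun left at $true and review the printed mappings against the relying party's claim rules before applying; the final count should be zero after a successful migration.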


I should note that further assessment and testing is required for other services such as Search, Excel Services, etc.

Comments (3)

  1. brwalias says:

    This is very helpful.  I'm actually seeking something very similar that requires configuring MOSS 2007 MySites using ADFS.  Recommend any concrete references to go about configuring?



  2. TomResing says:


    Thanks for the detailed documentation.

    What are the benefits of moving from Windows Auth to AD FS 2.0? That seems like a lot of work.


  3. Ali Mazaheri says:

    For MOSS 2007 TechNet has some materials but as you might know our story in SP 2010 is different…

    @Tom, agree with your point, and this just touches the surface. I know BPOS-D is moving to this direction but not sure this is really a valuable approach just for the sake of using AD FS 2.0 😉
