As you can see from my 2 previous posts (UPS, host-name site collections and search), I’ve been toying with Multi-tenancy on SharePoint 2010 and trying out different options. If you don’t know about multi-tenancy in SharePoint 2010, go read Spencer Harbar’s series here: http://www.harbar.net/archive/2010/09/14/rational-guide-to-multi-tenancy-with-sharepoint-2010-part-six.aspx.
While adding tenants, if you are logged as a Farm Administrator (that has all the necessary permissions), I would get an error on the New-SPSite command for the member site! Looking at the ULS logs, I could see an Access Denied exception in the TaxonomyFieldAdded feature receiver. I looked at the MMSA & UPA permissions in all shapes and forms and couldn’t figure out what was the problem. The only way I could add a tenant was using the Farm account ==> which is really bad. As it turns out, while working on the search crawl issue (previous post), I switched my classic authentication web application to Claims-Based authentication and it also fixed this problem.
So the rational of this, and it was a recommendation to begin with (but hey, I had the option so I tried classic authentication anyway :)), use Claims-Based Authentication for Multi-Tenancy in SharePoint. While you can make it work with classic authentication, it will require a dedicated search crawl account + crawl rule per tenant, and it will require you to add tenants with the Farm account, which isn’t recommended.
Note: if you do a single farm, you can have classic mode authentication working fine for at least the web application user policies.