Don't do SharePoint multi-tenancy without claims-based authentication

As you can see from my 2 previous posts (UPS, host-name site collections and search), I've been toying with Multi-tenancy on SharePoint 2010 and trying out different options.  If you don't know about multi-tenancy in SharePoint 2010, go read Spencer Harbar's series here: https://www.harbar.net/archive/2010/09/14/rational-guide-to-multi-tenancy-with-sharepoint-2010-part-six.aspx. 

While adding tenants, if you are logged as a Farm Administrator (that has all the necessary permissions), I would get an error on the New-SPSite command for the member site!  Looking at the ULS logs, I could see an Access Denied exception in the TaxonomyFieldAdded feature receiver.  I looked at the MMSA & UPA permissions in all shapes and forms and couldn't figure out what was the problem.  The only way I could add a tenant was using the Farm account ==> which is really bad.  As it turns out, while working on the search crawl issue (previous post), I switched my classic authentication web application to Claims-Based authentication and it also fixed this problem.

So the rational of this, and it was a recommendation to begin with (but hey, I had the option so I tried classic authentication anyway :)), use Claims-Based Authentication for Multi-Tenancy in SharePoint.  While you can make it work with classic authentication, it will require a dedicated search crawl account + crawl rule per tenant, and it will require you to add tenants with the Farm account, which isn't recommended.

Note: if you do a single farm, you can have classic mode authentication working fine for at least the web application user policies.

Happy tenancy!