
Upgrade process: Learn, Prepare, Test, Implement, Validate

Learn
• Upgrade methods
• New capabilities
• Downtime mitigation
Prepare
• Document environment
• Manage customizations
• Plan upgrade strategy
• Make items upgradable
Test
• Build test farms
• Use real data
• Evaluate techniques
• Find issues early
Implement
• Build/upgrade farms
• Deploy customizations
• Minimize downtime
• Monitor progress
Validate
• Troubleshooting
• Upgrade event failures
• UI/UX issues
• Data issues
From/To matrix (the markings in the cells did not survive extraction; only the axes and the footnote are recoverable):

From \ To        Classic    Windows Claims    FBA    SAML Claims
Classic
Windows Claims
FBA
SAML Claims

(marked cells) = Requires IMigrateUserCallBack or additional configuration
Today's Talk

Migrate web application
  • Update to use Claims Mode
  • Update web application policy
For each content DB
  For each SP Site
    For each user
      • Update UserInfo table
      • Update All Users Table
Each scenario slide: From / To / Method / Prep / Optional
What New-SPWebApplication says today when you ask for a classic web application:

WARNING: The Windows Classic authentication method is deprecated in this release and the default behavior of this cmdlet, which creates Windows Classic based web application, is obsolete. It is recommended to use Claims authentication methods. You can create a web application that uses Claims authentication method by specifying the AuthenticationProvider parameter set in this cmdlet. Refer to the http://go.microsoft.com/fwlink/?LinkId=234549 site for more information. Please note that the default behavior of this cmdlet is expected to change in the future release to create a Claims authentication based web application instead of a Windows Classic based web application.
Still using classic auth.
Really?
Option 1 (Recommended)
Option 2
Option 3
Option 4 (Don't Move, Go to the Cloud)
Create a classic Web App
New-SPWebApplication -Name $webAppName -AuthenticationMethod NTLM …
New-SPWebApplication -Name $webAppName -AuthenticationMethod KERBEROS …
Create a Windows Claims Web App
New-SPWebApplication -Name $webAppName -AuthenticationProvider (New-SPAuthenticationProvider) …
This script may have been modified from its original
version to fit your screen
$webAppUrl = "http://yourWebAppUrl"
$adminAccount = "DOMAIN\ADMIN"
#Get the Web application
$webApp = Get-SPWebApplication $webAppUrl
#Switch the Default zone to Windows claims
Set-SPWebApplication -Identity $webApp -AuthenticationProvider (New-SPAuthenticationProvider) -Zone Default
#Re-Get the Web application
$webApp = Get-SPWebApplication $webAppUrl
#Create an admin claim for myself, so I can get in after the migration
$adminClaim = New-SPClaimsPrincipal -Identity $adminAccount -IdentityType WindowsSamAccountName
$adminClaimString = $adminClaim.ToEncodedString()
#Add the admin account to the web application policy
$zp = $webApp.ZonePolicies("Default")
$p = $zp.Add($adminClaimString, "Admin Policy")
$fc = $webApp.PolicyRoles.GetSpecialRole("FullControl")
$p.PolicyRoleBindings.Add($fc)
$webApp.Update()
#Re-Get the Web application
$webApp = Get-SPWebApplication $webAppUrl
#Do the migration
$webApp.MigrateUsers($true)
$webAppUrl = "http://yourWebAppUrl"
#SharePoint 2013: converts the web application to claims and migrates its users in one step
Convert-SPWebApplication -Identity $webAppUrl -To Claims -RetainPermissions
$webAppUrl = "http://yourWebAppUrl"
$wa = Get-SPWebApplication $webAppUrl
$arguments = New-Object Microsoft.SharePoint.Administration.SPWebApplication+SPMigrateUserParameters
#Put different content DBs in each batch and run one batch on each WFE
$arguments.AddDatabaseToMigrate($wa.ContentDatabases[0])
$arguments.AddDatabaseToMigrate($wa.ContentDatabases[1])
$arguments.AddDatabaseToMigrate …
$wa.MigrateUsers($true, $arguments)
#When every batch is complete, run this
$wa.ProvisionGlobally()
WARNING: The conversion of web application and most of the users to Claims mode is completed. However, one or more users could not be converted to Claims mode. Refer to the ULS logs for the details. For the troubleshooting tips refer to the http://go.microsoft.com/fwlink/?LinkID=236943 article.
For Windows and SAML Claims, the Portal Super User and Portal Super Reader accounts must be configured as claims for publishing sites (for a SAML web application, build the two principals against the trusted identity token issuer with New-SPClaimsPrincipal -ClaimType ... -TrustedIdentityTokenIssuer ... instead of -IdentityType WindowsSamAccountName):

$PortalSuperReader = "domain\portalsuperreader"
$PortalSuperUser = "domain\portalsuperuser"
$wa = Get-SPWebApplication -Identity "<<web app URL>>"
$PortalSuperUserClaim = New-SPClaimsPrincipal -Identity $PortalSuperUser -IdentityType WindowsSamAccountName
$PortalSuperUserClaim.ToEncodedString()
$wa.Properties["portalsuperuseraccount"] = $PortalSuperUserClaim.ToEncodedString()
$PortalSuperReaderClaim = New-SPClaimsPrincipal -Identity $PortalSuperReader -IdentityType WindowsSamAccountName
$PortalSuperReaderClaim.ToEncodedString()
$wa.Properties["portalsuperreaderaccount"] = $PortalSuperReaderClaim.ToEncodedString()
#Set the web application policies
$SRpolicy = $wa.Policies.Add($PortalSuperReaderClaim.ToEncodedString(), "PortalSuperReader")
$SRpolicy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole("FullRead"))
$SUpolicy = $wa.Policies.Add($PortalSuperUserClaim.ToEncodedString(), "PortalSuperUser")
$SUpolicy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole("FullControl"))
#Update the web app
$wa.Update()
#IISReset
iisreset
// Namespaces used below: System.Security.Principal (WindowsIdentity), System.Threading (Thread),
// System.ServiceModel.Security (SecurityAccessDeniedException), System.IdentityModel.Claims (ClaimTypes),
// Microsoft.IdentityModel.Claims (IClaimsIdentity, Claim), Microsoft.IdentityModel.WindowsTokenService (S4UClient)

// Check the current claims identity and use the UPN claim
if (SPSecurityContext.IsWindowsIdentityAvailable)
{
    // Use the C2WTS and get the Windows identity
    WindowsIdentity wid = SPSecurityContext.Current.WindowsIdentity;
    // Create the impersonation context
    using (WindowsImpersonationContext ctxt = wid.Impersonate())
    {
        // Do work here
    }
}

HttpContext.Current.User.Identity;                                   // Old way
SPContext.Current.Web.CurrentUser;                                   // Still works
IClaimsIdentity identity = (IClaimsIdentity)Thread.CurrentPrincipal.Identity; // New way (WIF)

// Create the Windows identity for impersonation by hand
WindowsIdentity windowsIdentity = null;
try
{
    IClaimsIdentity identity = (IClaimsIdentity)Thread.CurrentPrincipal.Identity;
    string upnFromClaim = null;
    foreach (Claim claim in identity.Claims)
    {
        if (StringComparer.Ordinal.Equals(System.IdentityModel.Claims.ClaimTypes.Upn, claim.ClaimType))
        {
            upnFromClaim = claim.Value;
            break;
        }
    }
    // Ask the C2WTS for a Windows token for that UPN (S4U logon); no UPN claim means no token
    if (upnFromClaim != null)
    {
        windowsIdentity = S4UClient.UpnLogon(upnFromClaim);
    }
}
catch (SecurityAccessDeniedException)
{
    // Unable to impersonate the user (this process is not an allowed caller of the C2WTS)
}
// Check the C2WTS Windows identity before using it
if (windowsIdentity != null)
{
    using (WindowsImpersonationContext ctx = windowsIdentity.Impersonate())
    {
        // Do work here
    }
}
else
{
}
C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config

<configuration>
  …
  <windowsTokenService>
    <!-- By default no callers are allowed to use the Claims to Windows Token Service.
         Add the identities you wish to allow below.
    -->
    <allowedCallers>
      <clear/>
      <add value="WSS_WPG" />
      <!-- <add value="NT AUTHORITY\Network Service" /> -->
      <!-- <add value="NT AUTHORITY\Local Service" /> -->
      <!-- <add value="NT AUTHORITY\System" /> -->
      <!-- <add value="NT AUTHORITY\Authenticated Users" /> -->
    </allowedCallers>
  </windowsTokenService>
</configuration>
The C2WTS must:
Account must:
c2WTS – http://msdn.microsoft.com/en-us/library/ee517278
        http://msdn.microsoft.com/en-us/library/ee517258
Claims white paper – http://go.microsoft.com/fwlink/?LinkId=196600

Note: allowedCallers is the trust boundary of the C2WTS. Any identity listed there can ask the service for a Windows token for any UPN, so keep the list to the SharePoint application pool group (WSS_WPG) and leave the broad entries such as NT AUTHORITY\Authenticated Users commented out.
Migrating from Classic to SAML Claims: do the migration and pass the custom assembly reference (an IMigrateUserCallback implementation such as the one below).
using System;
using System.Security.Principal;
using Microsoft.SharePoint.Administration;
using Microsoft.SharePoint.Administration.Claims;

public class SAMLMigrationCallback : IMigrateUserCallback
{
    // Used to decode the Windows-claims login strings handed in for AuthenticationMethod.Claims
    private readonly SPClaimProviderManager _cpm = SPClaimProviderManager.Local;

    // Helper enum from the deck; its definition is not on the slide
    enum SourceAccountType { WindowsClaim }

    public string ConvertFromOldUser(string previousUserAccount, SPWebApplication.AuthenticationMethod previousAuthType, bool isGroup)
    {
        string newUserId = previousUserAccount;
        SPClaim migratedUserClaim = null;
        switch (previousAuthType)
        {
            case SPWebApplication.AuthenticationMethod.Windows:
            {
                migratedUserClaim = evalClassicToClaimsAccount(previousUserAccount, isGroup);
                break;
            }
            case SPWebApplication.AuthenticationMethod.Claims:
            {
                migratedUserClaim = evalWindowsClaimToClaimsAccount(previousUserAccount, isGroup);
                break;
            }
            case SPWebApplication.AuthenticationMethod.Forms:
            {
                //code for converting from Forms would be here
                break;
            }
        }
        //No mapping produced: hand the old login back unchanged instead of dereferencing null
        if (migratedUserClaim != null)
        {
            newUserId = migratedUserClaim.ToEncodedString();
        }
        return newUserId;
    }

    SPClaim evalClassicToClaimsAccount(string previousUserAccount, bool isGroup)
    {
        SPClaim migratedClaim = null;
        SecurityIdentifier curSid = new SecurityIdentifier(previousUserAccount);
        //Check the SID and make sure it's not a system type SID. See http://support.microsoft.com/kb/243330
        if (curSid.IsWellKnown(WellKnownSidType.AuthenticatedUserSid) || curSid.IsWellKnown(WellKnownSidType.LocalSystemSid))
        {
            return migratedClaim;
        }
        else
        {
            string oldNtId = translateSidToName(previousUserAccount);
            if (oldNtId != null)
            {
                if (isGroup)
                {
                    //Migrate Groups (group SIDs vs names??)
                    migratedClaim = generateGroupSidClaimFromNtId(previousUserAccount);
                }
                else
                {
                    migratedClaim = generateUserIdClaimFromNtId(oldNtId);
                }
            }
        }
        return migratedClaim;
    }

    SPClaim evalWindowsClaimToClaimsAccount(string previousUserAccount, bool isGroup)
    {
        SPClaim migratedClaim = null;
        //Migrating from Windows claims to SAML claims - see if the original issuer is from Windows
        SPClaim idClaim = _cpm.ConvertIdentifierToClaim(previousUserAccount, SPIdentifierTypes.EncodedClaim);
        if (SPOriginalIssuers.IsIssuerType(SPOriginalIssuerType.Windows, idClaim.OriginalIssuer))
        {
            //This is a Windows claims user, and we are going to convert to a SAML claims user ID format
            //windows claims users will be in the format domain\user
            //windows claims groups will be in the SID format
            if (idClaim.ClaimType.Equals(SPClaimTypes.UserLogonName))
            {
                migratedClaim = generateSAMLClaimFromNtId(idClaim.Value, SourceAccountType.WindowsClaim);
            }
            else if (idClaim.ClaimType.Equals(Microsoft.IdentityModel.Claims.ClaimTypes.GroupSid))
            {
                //Group SID or Group Name???
                migratedClaim = generateSAMLGroupClaim(idClaim.Value);
            }
        }
        return migratedClaim;
    }

    SPClaim generateSAMLClaimFromNtId(string winClaimId, SourceAccountType sourceType)
    {
        SPClaim migratedClaim = null;
        //Create the proper SAML ID claim for the old windows claim user
        return migratedClaim;
    }

    SPClaim generateSAMLGroupClaim(string groupClaim)
    {
        SPClaim migratedClaim = null;
        //Create the proper SAML ID group claim for the old windows claim group
        return migratedClaim;
    }

    //The three helpers below are not on the slides; these are straightforward implementations
    string translateSidToName(string sid)
    {
        try { return new SecurityIdentifier(sid).Translate(typeof(NTAccount)).Value; }
        catch (IdentityNotMappedException) { return null; }
    }

    SPClaim generateGroupSidClaimFromNtId(string groupSid)
    {
        return _cpm.ConvertIdentifierToClaim(groupSid, SPIdentifierTypes.WindowsSecurityGroupSid);
    }

    SPClaim generateUserIdClaimFromNtId(string ntAccountName)
    {
        return _cpm.ConvertIdentifierToClaim(ntAccountName, SPIdentifierTypes.WindowsSamAccountName);
    }
}
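The callback above leaves its helper methods off the slide. The following is an added example, not code from the deck or from SharePoint, that works through the same decisions in plain Python so the mapping logic can be run and tested without a farm: skip well-known SIDs, tell users from groups, emit Windows-claims encoded strings for classic logins, and turn Windows-claims logins into trusted-provider (SAML) claims. The SID-to-name table, the UPN lookup and the issuer name fedpartner are constructed stand-ins for what a real callback would fetch from AD or the federation partner, and mapping a group to a role claim is one choice the deck leaves open.

```python
import re

# Well-known SIDs the callback on the slide refuses to rewrite (KB 243330)
WELL_KNOWN_SKIP = {"S-1-5-11", "S-1-5-18"}          # Authenticated Users, Local System
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Claim-type encoding characters from the deck's table
USER_LOGON_NAME, GROUP_SID, UPN, ROLE = "#", "+", "e", "-"

# Constructed stand-ins (assumption) for the helpers the slide omits:
# translateSidToName() and the lookups the SAML mapping needs.
SID_TO_NAME = {"S-1-5-21-1000-2000-3000-1105": "CONTOSO\\Finance"}
UPN_BY_LOGON = {"contoso\\alice": "alice@contoso.com"}
TRUSTED_ISSUER = "fedpartner"                        # trusted STS name used on the deck's slides


def encode_claim(is_identity, type_char, issuer_char, value, issuer_name=""):
    """<i|c>:0<type>.<issuer>|[issuer name|]<value>, the layout shown on the encoding slides."""
    prefix = "i" if is_identity else "c"
    issuer = f"{issuer_name}|" if issuer_name else ""
    return f"{prefix}:0{type_char}.{issuer_char}|{issuer}{value}"


def classic_to_windows_claim(previous_user_account, is_group):
    """Classic (Windows) login -> Windows-claims encoded string; None means leave it alone."""
    if SID_RE.match(previous_user_account):
        if previous_user_account in WELL_KNOWN_SKIP:
            return None                                  # system SID: never rewrite
        if is_group:
            return encode_claim(False, GROUP_SID, "w", previous_user_account)
        name = SID_TO_NAME.get(previous_user_account)    # translateSidToName()
        return encode_claim(True, USER_LOGON_NAME, "w", name) if name else None
    if is_group:
        return None                                      # no SID to build a GroupSid claim from
    return encode_claim(True, USER_LOGON_NAME, "w", previous_user_account)


def windows_claim_to_saml_claim(encoded):
    """Windows-claims encoded login -> encoded claim issued by the trusted STS, or None."""
    # Windows-issued claims ('w') carry no issuer name, so the fields sit at fixed offsets:
    #   i:0#.w|DOMAIN\user      c:0+.w|S-1-5-...
    if len(encoded) < 8 or encoded[1:3] != ":0" or encoded[4] != "." or encoded[6] != "|":
        raise ValueError(f"not an encoded claim: {encoded!r}")
    type_char, issuer_char, value = encoded[3], encoded[5], encoded[7:]
    if issuer_char != "w":
        return None                                      # not Windows-issued: out of scope
    if type_char == USER_LOGON_NAME:                     # user: identity claim becomes a UPN
        upn = UPN_BY_LOGON.get(value.lower())
        return encode_claim(True, UPN, "t", upn, TRUSTED_ISSUER) if upn else None
    if type_char == GROUP_SID:                           # group: mapped here to a role claim by name
        name = SID_TO_NAME.get(value)
        return encode_claim(False, ROLE, "t", name, TRUSTED_ISSUER) if name else None
    return None


def convert_from_old_user(previous_user_account, previous_auth_type, is_group):
    """Mirror of ConvertFromOldUser: the new login, or the old one unchanged."""
    if previous_auth_type == "Windows":
        new = classic_to_windows_claim(previous_user_account, is_group)
    elif previous_auth_type == "Claims":
        new = windows_claim_to_saml_claim(previous_user_account)
    else:
        new = None                                       # Forms conversion not covered here
    return new if new else previous_user_account


if __name__ == "__main__":
    for login, auth, grp in [("CONTOSO\\alice", "Windows", False),
                             ("S-1-5-21-1000-2000-3000-1105", "Windows", True),
                             ("S-1-5-11", "Windows", True),
                             ("i:0#.w|contoso\\alice", "Claims", False),
                             ("c:0+.w|S-1-5-21-1000-2000-3000-1105", "Claims", True)]:
        print(f"{login:40} -> {convert_from_old_user(login, auth, grp)}")
```

Two behaviours matter for a migration run: a login that cannot be mapped (unknown SID, no UPN on file) comes back unchanged rather than as a half-built claim, and a well-known SID such as Authenticated Users is never rewritten, which is exactly the case the slide's IsWellKnown check exists for.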
Claim type encodings (MUST BE INSTALLED IN THE SAME ORDER on every farm)

DisplayName            MappedClaimType                                Encoded String                            Note
Authentication method  http://.../authenticationmethod                c:0ǹ.t|testadfs|authentication method     custom: decimal code point 505
E-Mail Address         http://schemas.xmlsoap.org/.../emailaddress    c:05.t|testadfs|e-mail address            reserved claim type ('5')
Primary SID            http://schemas.microsoft.com.../primarysid     c:0).t|testadfs|primary sid               reserved claim type (')')
Windows account name   http://.../windowsaccountname                  c:0ǻ.t|testadfs|windows account name      custom: decimal code point 507

The same custom claim type on two farms, registered in a different order, gets a different character:

TestADFS claim types: http://schemas.xmlsoap.org/.../emailaddress, http://.../authenticationmethod, http://.../myTESTcustomclaimtype
  ACL = c:0ǹ.t|testadfs|mycustomclaimvalue
ProdADFS claim types: http://schemas.xmlsoap.org/.../emailaddress, http://.../authenticationmethod, http://.../myPRODcustomclaimtype
  ACL = c:0ǻ.t|prodadfs|mycustomclaimvalue

Resulting encoding table
  http://schemas.xmlsoap.org/.../emailaddress      5   (reserved)
  http://schemas.microsoft.com.../primarysid       )   (reserved)
  testadfs   http://.../myTESTcustomclaimtype      ǹ
  prodadfs   http://.../myPRODcustomclaimtype      ǻ
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
#Get the claim type encodings that are greater than 500. The rest are OOTB.
#Sort by code point so the generated commands replay in the order the farm assigned them.
$claimEncodings = Get-SPClaimTypeEncoding | where {$_.EncodingCharacter -gt 500} | Sort-Object {[int]$_.EncodingCharacter}
foreach($encoding in $claimEncodings)
{
    $encodingInt = [Convert]::ToInt32($encoding.EncodingCharacter)
    $encodingChar = $encoding.EncodingCharacter
    $encodingClaimType = $encoding.ClaimType
    write-host "#The ClaimType of [$encodingClaimType] encodes the char [$encodingChar] as int [$encodingInt]"
    #Generate the correct command to run on the other farm
    write-host "New-SPClaimTypeEncoding -EncodingCharacter $encodingChar -ClaimType $encodingClaimType"
}
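An added example, not from the deck, that models the farm's ClaimEncodingManager in Python: it shows why the custom encodings must be installed in the same order on every farm, what an out-of-order install does to an ACL entry carried over in a content database, and why replaying the encodings has to happen before anything else registers a claim type on the target farm. The reserved encodings are the deck's own; the first custom index (501) follows the config-DB dump shown further down in the deck and the custom claim-type URI is constructed.

```python
# Reserved (OOTB) encodings from the deck's table; only the ones this model needs
RESERVED = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "5",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid": ")",
}
FIRST_CUSTOM_INDEX = 501   # assumption: lowest custom index in the deck's config-DB dump

AUTH_METHOD = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
CUSTOM = "http://example.test/claims/mycustomclaimtype"   # constructed custom claim type


class ClaimEncodingManager:
    """Hands out one character per claim type in registration order (the m_NextIndex counter)."""

    def __init__(self):
        self.table = dict(RESERVED)          # claim type -> encoding character
        self.next_index = FIRST_CUSTOM_INDEX

    def register(self, claim_type, encoding_char=None):
        """Register a claim type; an explicit character models New-SPClaimTypeEncoding."""
        if claim_type in self.table:
            if encoding_char is not None and self.table[claim_type] != encoding_char:
                raise ValueError(f"{claim_type} is already registered as {self.table[claim_type]!r}")
            return self.table[claim_type]    # reserved, or already registered: nothing changes
        if encoding_char is None:
            encoding_char = chr(self.next_index)
        elif encoding_char in self.table.values():
            raise ValueError(f"{encoding_char!r} is already assigned")
        self.table[claim_type] = encoding_char
        self.next_index = max(self.next_index, ord(encoding_char) + 1)
        return encoding_char

    def encode(self, claim_type, issuer_name, value):
        """Encoded form of a trusted-provider claim, e.g. an ACL entry."""
        return f"c:0{self.table[claim_type]}.t|{issuer_name}|{value}"

    def decode(self, encoded):
        """The claim type this farm thinks an encoded entry refers to."""
        char = encoded[3]
        for claim_type, c in self.table.items():
            if c == char:
                return claim_type
        raise KeyError(f"no claim type registered for {char!r} (code point {ord(char)})")

    def custom_encodings(self):
        """What Get-SPClaimTypeEncoding filtered to characters above 500 shows, in index order."""
        return sorted((c, t) for t, c in self.table.items() if ord(c) > 500)

    def replay_commands(self):
        """New-SPClaimTypeEncoding lines that recreate these encodings on another farm."""
        return [f"New-SPClaimTypeEncoding -EncodingCharacter {c} -ClaimType {t}"
                for c, t in self.custom_encodings()]


def mount_content_db(source, target, acl_entry):
    """What an ACL entry written on `source` means once its content DB is mounted on `target`."""
    return source.decode(acl_entry), target.decode(acl_entry)


def replay(source, target):
    """Install the source farm's custom encodings on the target farm: same characters, same order."""
    for c, t in source.custom_encodings():
        target.register(t, c)
    return target


if __name__ == "__main__":
    test, prod = ClaimEncodingManager(), ClaimEncodingManager()
    test.register(AUTH_METHOD); test.register(CUSTOM)   # test farm registered auth method first
    prod.register(CUSTOM); prod.register(AUTH_METHOD)   # prod farm registered them the other way round
    acl = test.encode(CUSTOM, "testadfs", "mycustomclaimvalue")
    print(acl)
    print(mount_content_db(test, prod, acl))            # same bytes, different claim type on prod
    print("\n".join(test.replay_commands()))
    fixed = replay(test, ClaimEncodingManager())
    print(mount_content_db(test, fixed, acl))           # now both farms agree
```

The mismatch is not just a broken permission: the ACL bytes written on the test farm decode on the prod farm to whatever claim type happens to own that character there, so the entry silently grants access to holders of a different claim. Replaying onto a farm that has already registered the types in the wrong order fails, which is the point of the "same order" rule.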
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$trustedProviderName = "Trusted Provider Name"
#----------write-host "Getting the trusted token issuer: "$trustedProviderName
$trustedProvider = Get-SPTrustedIdentityTokenIssuer | where {$_.Name -eq $trustedProviderName }
if ($trustedProvider -eq $NULL)
{
    Write-Host "The Trusted provider $trustedProviderName was not found"
    throw (New-Object System.NullReferenceException)
}
write-host "Getting claim types"
$claimTypes = $trustedProvider.ClaimTypeInformation
foreach($claimType in $claimTypes)
{
    if (!$claimType.IsIdentityClaim)
    {
        #Build a throw-away principal just to see how this claim type is encoded on this farm
        $dummyClaim = New-SPClaimsPrincipal -ClaimType $claimType.MappedClaimType -ClaimValue $claimType.DisplayName -TrustedIdentityTokenIssuer $trustedProvider
        write-host "Encoded value for "$claimType.DisplayName "=" $dummyClaim.ToEncodedString()
    }
}
write-host "Done"
Where the farm keeps the table. This is a read-only look at the config database; per KB 841057, changing these databases directly is unsupported.

USE SharePoint_Config
SELECT id, CAST(Properties AS XML)
FROM Objects WITH (NOLOCK)
WHERE Name = 'ClaimEncodingManager'

<sFld type="Int32" name="33" value="http://OOTBClaimType.../identityprovider" />
<sFld type="Int32" name="501" value="http://myclaimtype1" />
<sFld type="Int32" name="505" value="http://myclaimtype2" />
<sFld type="Int32" name="m_NextIndex">506</sFld>

(33 is '!', the reserved character for the identity provider claim type; m_NextIndex is the code point the next custom claim type will get.)

Support for changes to the databases that are used by Office server products and by Windows SharePoint Services
http://support.microsoft.com/kb/841057
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
#The ClaimType of [http://.../denyonlyprimarygroupsid] encodes the char [ȅ] as int [517]
New-SPClaimTypeEncoding -EncodingCharacter ȅ -ClaimType http://.../denyonlyprimarygroupsid
#If the console cannot render the character, pass it by code point instead: -EncodingCharacter ([char]517)
Things to Watch Out For
• Understand the SQL minimum requirements for 2013
• Clean up SP2010 as much as possible
• Create and validate your backups
• Test and mount content DBs early and often
• Know your scenario and test, test, test

MySPC
http://myspc.sharepointconference.com
Reserved claim type encoding characters

'!'  = SPClaimTypes.IdentityProvider
'"'  = SPClaimTypes.UserIdentifier
'#'  = SPClaimTypes.UserLogonName
'$'  = SPClaimTypes.DistributionListClaimType
'%'  = SPClaimTypes.FarmId
'&'  = "http://schemas.microsoft.com/sharepoint/2009/08/claims/processidentitysid"
'\'' = "http://schemas.microsoft.com/sharepoint/2009/08/claims/processidentitylogonname"
'('  = SPClaimTypes.IsAuthenticated
')'  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"
'*'  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid"
'+'  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
'-'  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
'.'  = ClaimTypes.Anonymous
'/'  = ClaimTypes.Authentication
'0'  = ClaimTypes.AuthorizationDecision
'1'  = ClaimTypes.Country
'2'  = ClaimTypes.DateOfBirth
'3'  = ClaimTypes.DenyOnlySid
'4'  = ClaimTypes.Dns
'5'  = ClaimTypes.Email
'6'  = ClaimTypes.Gender
'7'  = ClaimTypes.GivenName
'8'  = ClaimTypes.Hash
'9'  = ClaimTypes.HomePhone
'<'  = ClaimTypes.Locality
'='  = ClaimTypes.MobilePhone
'>'  = ClaimTypes.Name
'?'  = ClaimTypes.NameIdentifier
'@'  = ClaimTypes.OtherPhone
'['  = ClaimTypes.PostalCode
'\\' = ClaimTypes.PPID
']'  = ClaimTypes.Rsa
'^'  = ClaimTypes.Sid
'_'  = ClaimTypes.Spn
'`'  = ClaimTypes.StateOrProvince
'a'  = ClaimTypes.StreetAddress
'b'  = ClaimTypes.Surname
'c'  = ClaimTypes.System
'd'  = ClaimTypes.Thumbprint
'e'  = ClaimTypes.Upn
'f'  = ClaimTypes.Uri
'g'  = ClaimTypes.Webpage
'h'  = SPClaimTypes.ProviderUserKey
Anatomy of an encoded claim

Example 1: Windows identity claim
  ClaimType:      http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname
  Value:          domain\sAMAccountName
  Value Type:     http://www.w3.org/2001/XMLSchema#String
  OriginalIssuer: Windows
  Encoded:        i:0#.w|domain\sAMAccountName
    char 1: "i" for identity claim (user unique identifier)
    char 2: ":" separator
    char 3: reserved as 0 (to enable more claim types in the future)
    char 4: claim type encoded value ('#' = User Logon Name)
    char 5: "." separator
    char 6: auth mode ('w' = Windows)
    after "|": claim value

Example 2: SharePoint STS claim
  ClaimType:      http://sharepoint.microsoft.com/claims/2009/08/isauthenticated
  Value:          true
  Value Type:     http://www.w3.org/2001/XMLSchema#String
  OriginalIssuer: SecurityTokenService
  Encoded:        c:0(.s|true
    char 1: "c" for claim
    char 3: reserved as 0 (to enable more claim types in the future)
    char 4: claim type encoded value ('(' = IsAuthenticated)
    char 6: auth mode ('s' = SharePoint STS)
    after "|": claim value

Example 3: identity claim from a trusted provider
  ClaimType:      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
  Value:          [email protected]
  Value Type:     http://www.w3.org/2001/XMLSchema#String
  OriginalIssuer: TrustedProvider:fedpartner
  Encoded:        i:0e.t|fedpartner|[email protected]
    char 1: "i" for identity claim (user unique identifier)
    char 3: reserved as 0 (to enable more claim types in the future)
    char 4: claim type encoded value ('e' = UPN)
    char 6: auth mode ('t' = trusted STS)
    between the two "|": original issuer name (name of the membership/role provider, or name of the trusted STS)
    after the second "|": claim value

Example 4: custom claim type from a trusted provider
  ClaimType:      http://myschema.com/claims/2009/09/usertype
  Value:          TrustedPartner
  Value Type:     http://www.w3.org/2001/XMLSchema#String
  OriginalIssuer: TrustedProvider:fedpartner
  Encoded:        c:0ń.t|fedpartner|TrustedPartner
    char 1: "c" for claim
    char 3: reserved as 0 (to enable more claim types in the future)
    char 4: claim type encoded value ('ń' = the "next" character the farm assigned when this custom claim type was registered)
    char 6: auth mode ('t' = trusted STS)
    between the two "|": original issuer name (name of the membership/role provider, or name of the trusted STS)
    after the second "|": claim value
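Added example, not part of the deck: a decoder and encoder for the string layout the four examples above describe, driven by the reserved encoding table printed earlier in the deck. Issuer types w, s and t come from the slides; m (membership provider) and r (role provider) are assumed here from the deck's mention of membership and role provider names; the e-mail address in the sample is constructed. The decoder is strict about the reserved 0 and the separator positions, which is the check a practitioner wants before trusting a login string pulled out of a content database.

```python
# Reserved claim-type characters, from the deck's encoding table (SPClaimTypes / ClaimTypes names)
CLAIM_TYPE_CHARS = {
    "!": "SPClaimTypes.IdentityProvider", '"': "SPClaimTypes.UserIdentifier",
    "#": "SPClaimTypes.UserLogonName", "$": "SPClaimTypes.DistributionListClaimType",
    "%": "SPClaimTypes.FarmId", "&": "processidentitysid", "'": "processidentitylogonname",
    "(": "SPClaimTypes.IsAuthenticated", ")": "primarysid", "*": "primarygroupsid",
    "+": "groupsid", "-": "role", ".": "ClaimTypes.Anonymous", "/": "ClaimTypes.Authentication",
    "0": "ClaimTypes.AuthorizationDecision", "1": "ClaimTypes.Country", "2": "ClaimTypes.DateOfBirth",
    "3": "ClaimTypes.DenyOnlySid", "4": "ClaimTypes.Dns", "5": "ClaimTypes.Email",
    "6": "ClaimTypes.Gender", "7": "ClaimTypes.GivenName", "8": "ClaimTypes.Hash",
    "9": "ClaimTypes.HomePhone", "<": "ClaimTypes.Locality", "=": "ClaimTypes.MobilePhone",
    ">": "ClaimTypes.Name", "?": "ClaimTypes.NameIdentifier", "@": "ClaimTypes.OtherPhone",
    "[": "ClaimTypes.PostalCode", "\\": "ClaimTypes.PPID", "]": "ClaimTypes.Rsa",
    "^": "ClaimTypes.Sid", "_": "ClaimTypes.Spn", "`": "ClaimTypes.StateOrProvince",
    "a": "ClaimTypes.StreetAddress", "b": "ClaimTypes.Surname", "c": "ClaimTypes.System",
    "d": "ClaimTypes.Thumbprint", "e": "ClaimTypes.Upn", "f": "ClaimTypes.Uri",
    "g": "ClaimTypes.Webpage", "h": "SPClaimTypes.ProviderUserKey",
}
# Issuer-type characters: w, s, t are on the slides; m and r are assumed (membership / role provider)
ISSUER_TYPES = {"w": "Windows", "s": "SharePoint STS", "t": "Trusted STS",
                "m": "Membership provider", "r": "Role provider"}
NAMED_ISSUERS = {"t", "m", "r"}          # these carry "<issuer name>|" in front of the value


def decode_claim(encoded):
    """Split an encoded claim into its fields, rejecting anything that breaks the layout."""
    if len(encoded) < 8:
        raise ValueError(f"too short to be an encoded claim: {encoded!r}")
    kind, colon, reserved, type_char, dot, issuer_char, bar = encoded[:7]
    if kind not in "ic" or colon != ":" or reserved != "0" or dot != "." or bar != "|":
        raise ValueError(f"bad layout: {encoded!r}")
    if issuer_char not in ISSUER_TYPES:
        raise ValueError(f"unknown issuer type {issuer_char!r} in {encoded!r}")
    rest = encoded[7:]
    issuer_name = ""
    if issuer_char in NAMED_ISSUERS:                 # i:0e.t|fedpartner|user -> name before value
        issuer_name, sep, rest = rest.partition("|")
        if sep != "|" or not issuer_name:
            raise ValueError(f"issuer name missing: {encoded!r}")
    claim_type = CLAIM_TYPE_CHARS.get(type_char)
    if claim_type is None:                           # farm-specific: assigned at registration time
        claim_type = f"custom (code point {ord(type_char)})"
    return {
        "identity": kind == "i",
        "type_char": type_char,
        "claim_type": claim_type,
        "issuer_char": issuer_char,
        "issuer_type": ISSUER_TYPES[issuer_char],
        "issuer_name": issuer_name,
        "value": rest,
    }


def encode_claim(fields):
    """Inverse of decode_claim: rebuild the string from the field dictionary."""
    name = f"{fields['issuer_name']}|" if fields["issuer_char"] in NAMED_ISSUERS else ""
    kind = "i" if fields["identity"] else "c"
    return f"{kind}:0{fields['type_char']}.{fields['issuer_char']}|{name}{fields['value']}"


def describe(encoded):
    """One line per field, in the order the slides annotate the characters."""
    f = decode_claim(encoded)
    return [
        f"char 1: {'i = identity claim' if f['identity'] else 'c = claim'}",
        "char 3: reserved 0",
        f"char 4: {f['type_char']!r} = {f['claim_type']}",
        f"char 6: {f['issuer_char']!r} = {f['issuer_type']}",
        f"issuer name: {f['issuer_name'] or '(none)'}",
        f"value: {f['value']}",
    ]


if __name__ == "__main__":
    for sample in ("i:0#.w|domain\\sAMAccountName", "c:0(.s|true",
                   "i:0e.t|fedpartner|someone@fedpartner.example",   # constructed address
                   "c:0ń.t|fedpartner|TrustedPartner"):
        print(sample)
        for line in describe(sample):
            print("   ", line)
        assert encode_claim(decode_claim(sample)) == sample
```

A custom character (anything outside the reserved table) is reported by code point only, because its meaning exists solely in the encoding table of the farm that wrote it, which is the point made in the "same order" section above.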