Access Denied Error After Migrating from SharePoint 2010 to SharePoint 2013

Problem: After migrating from SharePoint 2010 to SharePoint 2013 using the database attach method, all users received an “access denied” error, and they were unable to login. Confirmed both the source and destination SharePoint farms are in the same Active Directory domain.

Root cause:

This is because, by default SharePoint 2013 web applications are created with claims authentication. So, existing classic mode accounts (domain\UserName) are not recognized by the claims mode (i:0#.w|domain\username) web application.

Tips: You can verify if your SharePoint 2013 is using claims mode by using: 
(Get-SPWebApplication “<Web App URL”).UseClaimsAuthentication

Solution:

After some trial and error, found granting permission again to the users resolves the problem. However, it’s impossible to provide access to all users wherever they have had permissions again manually, isn’t it?

Well, the right solution is: Convert the authentication method from classic-mode to claims-based authentication of the new SharePoint 2013 Web Application! Converting from Classic mode to Claims-based authentication is done in two steps:

Step 1: Set the authentication method of the web application to claims

$WebApp = Get-SPWebApplication -identity https://Your-webapp-url 
$WebApp.UseClaimsAuthentication = $true 
$WebApp.Update()

Alternatively, You can convert web application authentication:

Convert-SPWebApplication -Identity $WebApp -To Claims -RetainPermissions -Verbose

Step 2: Migrate users from classic mode to claims

$WebApp = Get-SPWebApplication -identity https://Your-webapp-url 
$WebApp.MigrateUsers($true) 
$WebApp.ProvisionGlobally() 

This converts all user accounts to claims format. Do an IISReset, and all should be OK now!

How about the web application policies and Object Cache Accounts?

Don’t forget to re-add users granted permission via web application user policies. Here is how to Configuring Web Application User Policy in SharePoint 2013 / 2016. Often, This applies to SPSuperUser and SPSuperReader accounts! Follow this article to grant permission to SharePoint 2013 cache accounts: Configure SharePoint 2013 Object Cache Super User, Super Reader Accounts.

Your new master page could be a culprit in some cases. Try changing to the default master page once. In another case, I ended up adding “NT AUTHORITY\authenticated users” with read access at the web application policy. This TechNet article describes in detail converting classic mode authentication to claims: https://technet.microsoft.com/en-us/library/gg251985.aspx

Salaudeen Rajack

Salaudeen Rajack - Information Technology Expert with Two-decades of hands-on experience, specializing in SharePoint, PowerShell, Microsoft 365, and related products. He has held various positions including SharePoint Architect, Administrator, Developer and consultant, has helped many organizations to implement and optimize SharePoint solutions. Known for his deep technical expertise, He's passionate about sharing the knowledge and insights to help others, through the real-world articles!

2 thoughts on “Access Denied Error After Migrating from SharePoint 2010 to SharePoint 2013

  • I was having this issue and this fixed it, thanks for the article.
    I had to run the commands in an elevated prompt and had to do an IISReset after the $WebApp.MigrateUsers($true) command as I had a locked file.

    Reply
    • I had also this issue. Tried every thing but nothing worked for me. Finally I came to ur blog and tried NT AUTHORITY\authenticated users this worked for me. Thank you so much j was in this issue for weeks this saved me.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *