Access Denied Error After Migrating from SharePoint 2010 to SharePoint 2013

Problem: After migrating from SharePoint 2010 to SharePoint 2013 using database attach method, all users received “access denied” error and they were unable to login. Made sure, both the source and destination SharePoint farms are in same Active Directory domain.

Root cause:

This is because by default SharePoint 2013 web applications are created with claims authentication. So existing classic mode accounts (domain\UserName) are not recognized by the claims mode (i:0#.w|domain\username) web application.

Tips: You can verify if your SharePoint 2013 is using claims mode by using: 
(Get-SPWebApplication “<Web App URL”).UseClaimsAuthentication


After some trial and error, found granting permission again to the users resolves the problem. However, it’s impossible to provide access to all users to wherever they have had permissions again manually, isn’t it?

Well, the right solution is: Convert the authentication method from classic-mode to claims-based authentication of the new SharePoint 2013 Web Application!  Converting from Classic mode to Claims-based authentication is done in two steps:

Step 1: Set the authentication method of the web application to claims

$WebApp = Get-SPWebApplication -identity http://Your-webapp-url 
$WebApp.UseClaimsAuthentication = $true 

Alternatively, You can convert web application authentication:

Convert-SPWebApplication -Identity $WebApp -To Claims -RetainPermissions -Verbose

Step 2: Migrate users from classic mode to claims

$WebApp = Get-SPWebApplication -identity http://Your-webapp-url 

This converts all user accounts to claims format. Do an IISReset, and all should be OK now!

How about the web application policies and Object Cache Accounts?

Don’t forget to re-add users granted permission via web application user policies. Here is how to Configuring Web Application User Policy in SharePoint 2013 / 2016. Often, This applies to SPSuperUser and SPSuperReader accounts! Follow this article to grant permission to SharePoint 2013 cache accounts: Configure SharePoint 2013 Object Cache Super User, Super Reader Accounts.

Your new master page could be a culprit in some cases. Try changing to the default master page once. In another case, I ended up adding “NT AUTHORITY\authenticated users” with read access at web application policy. This TechNet article describes in detail on converting classic mode authentication to claims:

Salaudeen Rajack

Salaudeen Rajack is a SharePoint Architect with Two decades of SharePoint Experience. He loves sharing his knowledge and experiences with the SharePoint community, through his real-world articles!

One thought on “Access Denied Error After Migrating from SharePoint 2010 to SharePoint 2013

  • August 25, 2021 at 2:13 PM

    I was having this issue and this fixed it, thanks for the article.
    I had to run the commands in an elevated prompt and had to do an IISReset after the $WebApp.MigrateUsers($true) command as I had a locked file.


Leave a Reply