Problem: After migrating from SharePoint 2010 to SharePoint 2013 using the database attach method, all users received an “access denied” error, and they were unable to login. Confirmed both the source and destination SharePoint farms are in the same Active Directory domain.
This is because, by default SharePoint 2013 web applications are created with claims authentication. So, existing classic mode accounts (domain\UserName) are not recognized by the claims mode (i:0#.w|domain\username) web application.
(Get-SPWebApplication “<Web App URL”).UseClaimsAuthentication
After some trial and error, found granting permission again to the users resolves the problem. However, it’s impossible to provide access to all users wherever they have had permissions again manually, isn’t it?
Well, the right solution is: Convert the authentication method from classic-mode to claims-based authentication of the new SharePoint 2013 Web Application! Converting from Classic mode to Claims-based authentication is done in two steps:
Step 1: Set the authentication method of the web application to claims
$WebApp = Get-SPWebApplication -identity https://Your-webapp-url $WebApp.UseClaimsAuthentication = $true $WebApp.Update()
Alternatively, You can convert web application authentication:
Convert-SPWebApplication -Identity $WebApp -To Claims -RetainPermissions -Verbose
Step 2: Migrate users from classic mode to claims
$WebApp = Get-SPWebApplication -identity https://Your-webapp-url $WebApp.MigrateUsers($true) $WebApp.ProvisionGlobally()
This converts all user accounts to claims format. Do an IISReset, and all should be OK now!
How about the web application policies and Object Cache Accounts?
Don’t forget to re-add users granted permission via web application user policies. Here is how to Configuring Web Application User Policy in SharePoint 2013 / 2016. Often, This applies to SPSuperUser and SPSuperReader accounts! Follow this article to grant permission to SharePoint 2013 cache accounts: Configure SharePoint 2013 Object Cache Super User, Super Reader Accounts.
Your new master page could be a culprit in some cases. Try changing to the default master page once. In another case, I ended up adding “NT AUTHORITY\authenticated users” with read access at the web application policy. This TechNet article describes in detail converting classic mode authentication to claims: https://technet.microsoft.com/en-us/library/gg251985.aspx