Skip Ribbon Commands
Skip to main content

Quick Launch

Todd Klindt's home page > Todd Klindt's Office 365 Admin Blog > Posts > How to create a Claims Web Application with PowerShell in SharePoint 2013 (and 2010)
August 03
How to create a Claims Web Application with PowerShell in SharePoint 2013 (and 2010)

This blog post was written about the Preview of SharePoint 2013. This behavior may be different in the RTM version of the product.

It’s been a tough pill to swallow, but like my friend Wictor Wilen put it, Claims is the new black. Keeping that in mind, I’ve decided to embrace Claims and pretend like I’ve liked it all along. I put my newfound love of Claims to the test this week when I was building out a shiny new SharePoint 2013 farm. Since I’ll be doing this a lot I decided that I should use my BFF PowerShell to script as much as I could. This included creating my Web Applications.

Wictor’s blog post covers it, but let me recap. In SharePoint 2013 the default authentication provider is Claims. If you create a Web Application in Central Administration you don’t get the option for Claims or Classic like you did in SharePoint 2010. It’s just Claims. If for some reason you do need a Classic Web Application, you can create it in PowerShell with the New-SPWebApplication cmdlet. However, since Claims and I go way back, I wanted to create a Claims web application. Turns out that’s harder to do than I thought it would be. In my head one of the switches of New-SPWebApplication would let me specify that I wanted the fancy new Claims, but alas that was not the case. I also thought that since Claims was the default if I just didn’t specify anything that I’d get a Claims Web Application. I was wrong. That’s twice in one day! I did however get something that I thought would help:

8-2-2012 5.08.13 PM

This gives me a stern talking to and tells me that Classic is deprecated and that I should use Claims. Buddy, I’m already on board! It does give me hope though, it points me to a URL. Of course, quick like a bunny, I pasted that URL into the nearest web browser I could find. Unfortunately that page is just the MSDN documentation for New-SPWebApplication. Like the message above says, it mentions you have to specify an AuthenticationProvider parameter, but it doesn’t tell you which parameter. Curses, foiled again! Back to the drawing board.

I did some furious Binging and found out the part I needed. Before I call New-SPWebApplication I need to create a SPAuthenticationProvider object to pass it. If I play my cards right, that object will tell SharePoint to hook me up with that gooey Claimsy goodness. The PowerShell looks like this:

Office-PC 8-3-2012 11.11.46 AM

Here it is in text for your copying and pasting pleasure.


$ap = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication -DisableKerberos
New-SPWebApplication -Name "Shane Stinks" -ApplicationPool "Default SharePoint Web Apps" -HostHeader -Port 80 -Url -AuthenticationMethod NTLM -AuthenticationProvider $ap -DatabaseName "WSS_Content_ShaneStinks"

Notice a few things about this. First, creating a new Web Application is now more steps. We have to create the SPAuthenticationProvider object, then we pass that to New-SPWebApplication. New-SPAuthenticationProvider has a few switches, so be sure to do a help New-SPAuthenticationProvider before you use it, so you use the right switches. Second, you’ll notice that even though I’m creating a Claims aware Web Application I still get yelled at about it. Is it never enough for you New-SPWebApplication?? If you doubt yourself you can use this PowerShell to verify your new Web Application is really down with Claims:

Office-PC 8-3-2012 11.13.40 AM

Get-SPWebApplication | select displayname, url, UseClaimsAuthentication

You can also verify this in Central Admin. Since we didn’t specify any Claims Providers this will give us the plain Jane Windows Authentication. If you want to create a Web Application that uses a different Claims Provider the steps are different. Fortunately there are a lot of blog posts that cover that, so you’re in good shape.




Shane Stinks

 on 8/3/2012 11:52 AM

Re: Shane Stinks

My goodness, how did THAT get in there?

Todd O. KlindtNo presence information on 8/3/2012 9:08 PM

Argh with the yelling and judging...

Hey there,

'Am writing about migration and had to make some web applications in PowerShell on SharePoint 2013. Found out if you don't put in the authenticationmethod parameter, it doesn't yell at you about classic mode, and it still uses NTLM by default.

It's less precise, I mean I didn't *tell it explicitly* to use NTLM, but now I can make claim web applications without all that screamy yellow text lecturing me.

Thought I'd share.
 on 2/4/2013 12:07 PM

Re: Argh with the yelling and judging...

I'm glad I'm not the only one that can tell that SharePoint is judging me.

Todd O. KlindtNo presence information on 2/5/2013 2:18 PM

Migrate useres to claims

I am moving site collections one by one form classic web app (http://clasaicwebapp to claims based web app http://claimswebapp using backup-spsite and restore-spsite. After every restore I execute the following powershell commands:
$wa = get-spwebapplication http://claimswebapp
All users are upgraded successfully.
My question is, since I am doing one site collection at the time what is the harm from executing $wa.migrateusers($true) multiple times on http://claimswebapp where existing users were already migrated.

Thank You
Abraham Elhayek
 on 6/6/2014 4:42 PM

Re: Migrate useres to claims

You should be fine, Abraham. That PowerShell you're running is essentially doing a "find with replace." Since the users that are already migrated to Claims don't match the Classic "Find" part they aren't altered. If you're curious, you can, IN A TEST ENVIRONMENT, look at the UserInfo table of your Content Database before and after you run the command to see how it changes. IN A TEST ENVIRONMENT. :)

Todd O. KlindtNo presence information on 6/8/2014 7:00 PM

RE Migrate Users to claims

I have a test 2013 environment and wanting to convert to claims.
When I run the $wa.migrateusers command i'm unsure as to what it will do to those users who are still on our production 2010 farm, ie same users on 2010 as on 2013.
Does it effect only the user accounts applied to the 2013 content db?
Our 2013 environment is test so i'm happy to trail but just want confirmation before I go ahead.

 on 2/22/2015 7:53 PM

Re: How to create a Claims Web Application with PowerShell in SharePoint 2013 (and 2010)

 on 10/1/2015 1:19 PM

Add Comment

Items on this list require content approval. Your submission will not appear in public views until approved by someone with proper rights. More information on content approval.


Body *

Today's date *

Select a date from the calendar.
Please enter today's date so I know you are a real person


Want a message when I reply to your comment? Put your Twitter handle here.