Migrating SharePoint Forms Based Authentication Accounts

I had wondered if the MigrateUser API and STSADM -o migrateuser operation would work with Forms Based Auth accounts in WSSv3, and just validated that it does Whoo Hoo!

For those of you unfamiliar with this addition to WSS, see the previous KB on this addition to WSSv2.  It’s what I used from SPUserUtil back in the day to migrate accounts.   In fact, there is a call out to it in the overview of the SharePoint Products and Technologies 2003 Software Development Kit.   One of my fortunate claims to fame 🙂 But remember the disclaimer that they even have noted there:

Disclaimer: SharePoint Utility Suite provides a packaged collection of tools and utilities that demonstrate the rich object model that is delivered with the SharePoint Products and Technologies 2003 SDK (which includes documentation for Windows SharePoint Services 2.0 and SharePoint Portal Server 2003). This package includes code and tool examples that SharePoint developers and SharePoint administrators might find useful; however, the samples in the SharePoint Utility Suite are provided as is and are not supported.

 

Regardless, in WSSv2, it was an API extension to SPGlobalAdmin, but in WSSv3, it’s a method of the SPFarm object and of course it’s still exposed via STSADM.

When using it for a non Windows account, you have to specify the -ignoresidhistory flag for STSADM, or specify false for the enforceSidHistory argment to SPFarm.MigrateUserAccount(), but it works great.

For example:

stsadm -o migrateuser -oldlogin “fbaaspnetsqlmembershipprovider:fbauser2″ -newlogin”fbaaspnetsqlmembershipprovider:fbauser3” -ignoresidhistory

This will migrate my FBAUser2 account to FBAUser3 for the fbaaspnetsqlmembershipprovider I have setup.

Keep in mind, just as in V2, this does NOT update the Display Name nor the Email address for the account, and is something you’ll have to do post migration.

HTH

 – Keith Richie

7 Replies to “Migrating SharePoint Forms Based Authentication Accounts”

  1. Hi Keith – I’ve found that after running stsadm -o migrateuser in order to update user login info, users are no longer able to log in using their UPN credentials. the only login that works is DOMAIN\SamAccountName.

    Ever seen anything like that? I’ve been pulling my hair out trying to find a workaround.
    -Vlad

  2. I believe that is because the users email field is not updated, thus why you can’t log in with UPN.
    MigrateUser does not update the users email field. You will additionally need to update it.

  3. Hello,
    I tried to …-migrateuser… The domain login name was updated, but not the username and e-mail. Strange is that I even updated it directly in the database (UserInfo table), but there still remain the original values! We are using MOSS.
    The question is, HOW can I update the user information otherwise?
    Thanks!
    Ravie.

  4. Ravie, directly editing the tables is NOT supported by Microsoft, and I recommend highly against doing it as you could introduce instability in content databases.
    MigrateUser (As I noted above) only updates the SID/Login Name of the account to the target account. The other data, has to be done seperately for “Each” site collection the user is in.

    You can go to the “All Users” page for the site collection and manually update it on the users information page, or custom code your own solution using the SharePoint object model.

    For V2, I had a Account Synch feature in SPUserUtil for this, but do not have one freely available for V3. I’m working on an account synch feature in DeliverPoint, but have no details on when that may be available.

  5. Keith,

    I applied this command to migrate a Domain user account to FBA account, becase I switched the authentication from windows to FBA. It worked well but I am really not aware of kind of problems I may face in future. Do you know does it causes any problems related to security or any other stuff?

  6. Pingback: SharePoint Buzz

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s