Greetings all! I hope everyone has had an enjoyable week!
I upgraded my server farm from SP2007 to SP2010. After the upgrade, I converted the web application that houses all of my site collections from Classic Mode to Claims Based authentication. I then went into the Authentication Providers for this web application and turned on Forms Based Authentication. After that, I modified the web.config file for Central Administration (on server with CA), the Web Application housing my sites (on the Web Front End), and STS (on the Web Front End). I then ran another three line script in Powershell that I found online to bring over our old database of FBA accounts (from a different server farm, our "production" database).
The problem that I've run into, is that AS SOON AS we ran the script to use Claims authentication on the web application, whenever we added user accounts to a group (for instance, the Change Site Collection Administrators link in Central Admin > Application Management), it added some odd characters in front of the account name.
Here is what I ran to enable CBA on the Web App:
$w = Get-SPWebApplication "https://SPPortal.com/"
$w.UseClaimsAuthentication = 1
Now, after running that set of commands in a PowerShell script, all of my accounts that we added to the sites had these characters tacked in front of them:
[i]i:0#.w|domain\SpAdmin ; [/i]
Is the "i:0#.w|" a side effect of enabling CBA?
After running the above script, I modified the three web.config files, and then saw that FBA was working (it would ask to log in with Windows Authentication or Forms Authentication). So then, I ran the following script to migrate my old FBA accounts into this setup of FBA:
Now, since the accounts had that funny lettering in front of them, I figured that I needed to remove and then add all my user accounts back to their respective sites again, because "domain\SPAdmin" (my admin account) could not edit a page, yet when I removed him and typed in "i:0#.w|domain\SPAdmin" through Powershell to add it as the Owner of a site collection, it worked fine and I had all the permissions that I needed.
However, when i came in this morning to start my work day, I noticed that on every site that had people on it, I get this error on the text box that you type in user accounts with (near the People Picker and the checkbox that resolves account names (ie - "domain\spadmin" turns into "Share Point Admin
This page contains one or more errors. Fix the following before continuing:
•No exact match was found. Click the item(s) that did not resolve for more options.
So, even when I click the little "Browse" icon to open the People Picker (the little phonebook next to the textbox), and search for an account (which comes up, so it finds it), and then add it and click "OK"...if I go back into the group to add someone, it lists the little error above about not finding a match for the site.
I have only seen this when trying to add an account to the Site Collection Administrators group through Central Administration, but I'm going to assume that it's everywhere else. And without this account in there, I cannot manage my site collections.
I can click the name itself, and select what it resolves to, or choose "more names", but either way the same thing always happens.
Can anyone help?