I’ve been migrating classic mode SharePoint 2010 sites to claims sites for a while now, so much that I even have a script to do it for me. However, for some reason I have never come across the problem I encountered today. The documentation on converting a classic mode web application to a claims based application I though was pretty solid on technet. Today I came across a strange issue where the site collection administrator was getting access denied in odd locations… or locations I thought were odd because SharePoint hadn’t security trimmed the links as I thought it would if access really was denied.

This one annoyed me for longer than I wish to share… If you are having problems using Windows Authentication on IIS (in particular with the ADFS 2.0 passive federation) where you can login fine with Internet Explorer but Google Chrome simply repeats asking for your login and password then this is for you! IIS has a new feature called “Extended Protection” for Windows Authentication. The appears to have an affect on Chrome but not IE, therefore to disable it do the following: