Background
I frequently create web applications in my
SharePoint 2010 environment that use Windows claims authentication. When
you specify the authentication to use claims, an important step is to set the
Portal Super User and Portal Super Reader accounts so that the object cache can
be read.
The TechNet documentation on setting object cache accounts explains
why to set these accounts, but many people don’t remember to set them until
they see errors in the event log.
To set these, you go to the User Policy button
in the ribbon in Central Administration, add the Portal Super User account with
Full Control, and add the Portal Super Reader account with Full Read
permission. Then you go to PowerShell and set the web application
property. I like telling my customers to use this method because it’s
easy to copy the claims user name from the UI and paste it into PowerShell.
Ali Mazaheri points out that this is a very
important step when upgrading from SharePoint 2007 to SharePoint 2010, as you
can get Access Denied errors after upgrading if you don’t set the object cache accounts, even for the site collection
administrator.
Implementation
Here is a quick bit of PowerShell script to
make things a little easier. Instead of having to go manually set the
Full Read and Full Control permissions using the web UI, I do everything in one
shot.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

foreach ($wa in Get-SPWebApplication)
{
    # Only claims-authenticated web applications take the claims-encoded account names
    if ($wa.UseClaimsAuthentication)
    {
        $superUser = "i:0#.w|sharepoint\sp_superuser"
        $superReader = "i:0#.w|sharepoint\sp_superreader"

        # Grant the Portal Super User account Full Control through a user policy
        $fullPolicy = $wa.Policies.Add($superUser, $superUser)
        $fullPolicy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl))

        # Grant the Portal Super Reader account Full Read through a user policy
        $readPolicy = $wa.Policies.Add($superReader, $superReader)
        $readPolicy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead))

        # Point the object cache at the same two accounts and persist the change
        $wa.Properties["portalsuperuseraccount"] = $superUser
        $wa.Properties["portalsuperreaderaccount"] = $superReader
        $wa.Update()
    }
}
This should save you quite a bit of time and
make the process much less error prone. After writing this, I noticed
that Chris O’Brien wrote a similar script back in 2010, and I’d bet if I
did more searches I would find similar scripts. Got an approach that
works for you? Please share in the comments!
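A companion audit script, added here and not part of the original post: it changes nothing, but for every claims web application it checks that both object cache properties are set, that each value is a Windows claims encoded name, and that a user policy for that exact name exists with the expected role. The function name and the report format are my own; the property names and role types are the ones used above.

```powershell
# Added audit script (not from the original post). Run in the SharePoint 2010
# Management Shell; it only reads configuration and reports findings.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-ObjectCacheAccount {
    param(
        [Microsoft.SharePoint.Administration.SPWebApplication]$WebApp,
        [string]$PropertyName,
        [Microsoft.SharePoint.Administration.SPPolicyRoleType]$ExpectedRole
    )
    $account = $WebApp.Properties[$PropertyName]
    if ([string]::IsNullOrEmpty($account)) {
        return "MISSING  $PropertyName is not set"
    }
    # On a claims web application the value must be the encoded Windows claims
    # identity (i:0#.w|domain\user); a plain domain\user here is a common mistake.
    if ($account -notlike "i:0#.w|*") {
        return "WARN     $PropertyName = '$account' is not a Windows claims encoded name"
    }
    # The user policy has to be keyed on exactly the same string as the property.
    $policy = $WebApp.Policies | Where-Object { $_.UserName -eq $account } | Select-Object -First 1
    if (-not $policy) {
        return "MISSING  no user policy found for $account"
    }
    $roles = @($policy.PolicyRoleBindings | ForEach-Object { $_.Type })
    if ($roles -notcontains $ExpectedRole) {
        return "WRONG    $account has roles [$($roles -join ', ')], expected $ExpectedRole"
    }
    return "OK       $PropertyName = $account ($ExpectedRole)"
}

foreach ($wa in Get-SPWebApplication) {
    if (-not $wa.UseClaimsAuthentication) { continue }
    Write-Host "Web application: $($wa.DisplayName) ($($wa.Url))"
    Test-ObjectCacheAccount $wa "portalsuperuseraccount" `
        ([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
    Test-ObjectCacheAccount $wa "portalsuperreaderaccount" `
        ([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)
}
```

Any line other than OK is worth fixing before the object cache errors show up in the event log.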
Wonderful post, however I was wondering if you could write a little more on this topic? I’d be very thankful if you could elaborate a little bit further. Thank you!