As you can see from my 2 previous posts (UPS, host-name site collections and search), I've been toying with Multi-tenancy on SharePoint 2010 and trying out different options. If you don't know about multi-tenancy in SharePoint 2010, go read Spencer Harbar's series here: https://www.harbar.net/archive/2010/09/14/rational-guide-to-multi-tenancy-with-sharepoint-2010-part-six.aspx.
While adding tenants when logged in as a Farm Administrator (with all the necessary permissions), I would get an error on the New-SPSite command for the member site! Looking at the ULS logs, I could see an Access Denied exception in the TaxonomyFieldAdded feature receiver. I looked at the MMSA & UPA permissions in all shapes and forms and couldn't figure out what the problem was. The only way I could add a tenant was by using the Farm account ==> which is really bad. As it turns out, while working on the search crawl issue (previous post), I switched my classic authentication web application to Claims-Based authentication and it also fixed this problem.
So the rationale of this, and it was a recommendation to begin with (but hey, I had the option so I tried classic authentication anyway :)): use Claims-Based Authentication for Multi-Tenancy in SharePoint. While you can make it work with classic authentication, it will require a dedicated search crawl account + crawl rule per tenant, and it will require you to add tenants with the Farm account, which isn't recommended.
Note: if you do a single farm, you can have classic mode authentication working fine for at least the web application user policies.
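To see where a farm stands against that recommendation, the following read-only audit lists every tenant site collection (one that belongs to a site subscription) with the authentication mode of its web application. It is an added example, not code from the original post; it assumes the SharePoint 2010 Management Shell and an account allowed to enumerate site collections, and the variable names are illustrative.

```powershell
# Added example: read-only audit of tenant site collections vs. web application auth mode.
# Assumes it runs on a SharePoint 2010 server with rights to enumerate all site collections.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Track SPSite objects so they are disposed when the audit finishes.
Start-SPAssignment -Global
try {
    $report = Get-SPSite -Limit All |
        # Only site collections that belong to a tenant (site subscription).
        Where-Object { $_.SiteSubscription -ne $null } |
        ForEach-Object {
            New-Object PSObject -Property @{
                WebApplication = $_.WebApplication.DisplayName
                AuthMode       = $(if ($_.WebApplication.UseClaimsAuthentication) { 'Claims' } else { 'Classic' })
                SubscriptionId = $_.SiteSubscription.Id
                Url            = $_.Url
            }
        }

    $report |
        Sort-Object WebApplication, SubscriptionId, Url |
        Format-Table WebApplication, AuthMode, SubscriptionId, Url -AutoSize

    # Tenants hosted in classic-mode web applications are the ones affected by
    # the New-SPSite / per-tenant crawl account issues described in this post.
    $classic = @($report | Where-Object { $_.AuthMode -eq 'Classic' })
    if ($classic.Count -gt 0) {
        $tenants = @($classic | Select-Object -ExpandProperty SubscriptionId -Unique)
        Write-Warning ("{0} tenant site collection(s) across {1} subscription(s) are in classic-mode web applications." -f $classic.Count, $tenants.Count)
    }
    else {
        Write-Host "All tenant site collections are in claims-based web applications."
    }
}
finally {
    Stop-SPAssignment -Global
}
```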
Happy tenancy!