The change from integrated security to Claims Based mode is basically this: in Claims Based mode, the SharePoint site no longer verifies identities itself; that is handled by the new Security Token Service (STS). Previously a user's integrated FBA identity was something like "FBAMembership:EtherDragon". Now, in 2010, the STS hands over my identity as something like "i:0#.f|FBAMembership|EtherDragon" and, as far as 2010 is concerned, that is a different user.
The fix was to write a quick Web Part for 2010 that replaces all FBA user identities in all groups with the correct STS ones.
Here's some code:
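// Needs: using System; using System.Collections.Generic; using Microsoft.SharePoint;
SPWeb oWeb = SPContext.Current.Web;
const string wrongFormat = "fbamembership:";
foreach (SPGroup myGroup in oWeb.Groups)
{
    // Collect the old-format users first; the group's user collection
    // cannot be modified while it is being enumerated.
    List<SPUser> usersToDelete = new List<SPUser>();
    foreach (SPUser userCandidate in myGroup.Users)
    {
        if (userCandidate.LoginName.StartsWith(wrongFormat, StringComparison.Ordinal))
        {
            usersToDelete.Add(userCandidate);
        }
    }
    foreach (SPUser myUser in usersToDelete)
    {
        // Rebuild the login name in the format the STS hands over.
        string loginName = "i:0#.f|fbamembership|" + myUser.LoginName.Substring(wrongFormat.Length);
        string eMail = myUser.Email;
        string name = myUser.Name;
        string notes = myUser.Notes;
        myGroup.AddUser(loginName, eMail, name, notes);
        // Drop the old-format entry now that its replacement is in the group.
        myGroup.RemoveUser(myUser);
    }
}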
Without this little code block, we would have had to go through about 2000 user entries in various groups to remove and replace the users through the SharePoint UI.
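Before rewriting roughly 2000 group memberships it helps to see exactly which logins would change. The following dry-run mapper is an added example, not part of the original Web Part. The class name `FbaLoginMigration`, the case-insensitive prefix match and the sample logins are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;

static class FbaLoginMigration
{
    const string LegacyPrefix = "fbamembership:";          // pre-claims format from the post
    const string ClaimsPrefix = "i:0#.f|fbamembership|";   // STS format from the post

    // Returns true and the claims-encoded login when `login` is a legacy FBA name.
    // Anything else (already converted, Windows accounts, empty user part) is left alone.
    public static bool TryConvert(string login, out string converted)
    {
        converted = null;
        if (string.IsNullOrEmpty(login)) return false;
        if (!login.StartsWith(LegacyPrefix, StringComparison.OrdinalIgnoreCase)) return false;
        string user = login.Substring(LegacyPrefix.Length).Trim();
        if (user.Length == 0) return false;                // prefix with no user name after it
        converted = ClaimsPrefix + user;
        return true;
    }

    // Dry run: maps each legacy login to its replacement without changing anything.
    public static Dictionary<string, string> Plan(IEnumerable<string> logins)
    {
        var plan = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (string login in logins)
        {
            string converted;
            if (TryConvert(login, out converted)) plan[login] = converted;
        }
        return plan;
    }

    static void Main()
    {
        // Constructed sample logins, not taken from a real site.
        string[] sample =
        {
            "fbamembership:etherdragon",
            "FBAMembership:Alice",
            "i:0#.f|fbamembership|bob",   // already claims-encoded
            "CONTOSO\\carol",             // Windows account, not FBA
            "fbamembership:"              // no user name
        };
        foreach (KeyValuePair<string, string> entry in Plan(sample))
            Console.WriteLine(entry.Key + " -> " + entry.Value);
    }
}
```

Feeding it the `LoginName` values from each group gives a reviewable list of old and new identities to keep alongside the change.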