If you’re doing a SharePoint 2007 to 2010 upgrade, one thing you’ll have to do is create one or more web applications in the 2010 farm for hosting the site collections you migrate.
One thing I’ve noticed in reading blog posts and online “guides” about the upgrade process is that many of them neglect to mention authentication. The authentication choices (for a web application) have changed in 2010, and that needs to be taken into account or you could encounter some post-upgrade weirdness.
For example, when creating a web app in 2010 for a site that used Windows authentication in 2007, it might be tempting to select “Claims-based authentication” in 2010 for the web app. After all, that mode still supports Windows accounts, and it leaves open the possibility of using forms-based authentication later if you wish.
But here’s the rub: Claims-based authentication represents accounts (even Windows accounts) as claims identities, which is different from how SharePoint 2007 stored accounts. If you pick claims mode as described above and don’t “migrate” your old accounts to claims identities (an extra step in the upgrade process), your site permissions may look correct at first glance after the upgrade, but you’ll run into all kinds of issues when users try to access the site. Also, when you try to add new users/groups to the site, the people picker may not work properly, and you may see weird symbols (like ‘#’) in the account names.
So I recommend you check out Microsoft’s page on planning SharePoint authentication before doing your upgrade. It includes a nice matrix about upgrading SharePoint 2007 authentication modes to the modes available in 2010.
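One way to check whether a claims-mode web application still holds accounts in the old format after the upgrade is to audit the stored logins. The script below is an added example, not part of the original post; it is meant for the SharePoint 2010 Management Shell, and the web application URL, the CSV path and the prefix pattern used to recognise an encoded claim are assumptions to adjust for your farm.

```powershell
# Added example: list logins in a claims-mode web application that are still
# stored in the classic DOMAIN\user form (i.e. were not migrated to claims).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$WebAppUrl = "http://intranet.example.com"   # placeholder, replace with your web app
$ReportCsv = ".\unmigrated-logins.csv"       # hypothetical output path

# Heuristic (assumption): encoded claims start with i: or c:, then 0, two
# type characters, an issuer letter and a pipe, e.g. i:0#.w|contoso\alice
$claimsPrefix = '^[ic]:0..[a-z]\|'

$webApp = Get-SPWebApplication $WebAppUrl
if (-not $webApp.UseClaimsAuthentication) {
    Write-Host "$WebAppUrl is in classic mode; classic logins are expected here."
}
else {
    Start-SPAssignment -Global    # let PowerShell dispose SPSite/SPWeb objects
    try {
        $findings = @(
            foreach ($site in Get-SPSite -WebApplication $webApp -Limit All) {
                # Users recorded on the root web of each site collection
                Get-SPUser -Web $site.RootWeb -Limit All |
                    Where-Object {
                        $_.LoginName -notmatch $claimsPrefix -and
                        $_.LoginName -ne 'SHAREPOINT\system'   # built-in system account
                    } |
                    Select-Object @{ n = 'SiteCollection'; e = { $site.Url } },
                                  LoginName, Name, IsDomainGroup
            }
        )
    }
    finally {
        Stop-SPAssignment -Global
    }

    if ($findings.Count -eq 0) {
        Write-Host "No classic-format logins found in $WebAppUrl."
    }
    else {
        $findings | Export-Csv -Path $ReportCsv -NoTypeInformation
        Write-Warning "$($findings.Count) classic-format login(s) found; see $ReportCsv."
    }
}
```

Any row in the report is an account whose permissions were carried over in the 2007 format, which is the condition that produces the access and people picker problems described above.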