I had setup a test environment to test out and play with the new hosting functionality of SharePoint, also called multi-tenancy.  When you create your main web application that will be used to house the tenants, you have the option to have it use Claims Based or Classic Mode authentication. 

Well I had chosen Classic mode, and went on my merry way.  It wasn’t long before I ran into problems.  The major issue I was having was that search was failing to crawl the tenant sites with access denied.  If I configured the default access account to use an account that was a site collection admin, things would crawl.  I had checked all the bases, but nothing would work.  The main aspect of multi-tenancy is that each tenant site subscription is configured to look at a single OU in Active Directory ONLY.  Since the crawl account couldn’t be in each tenant’s OU, that’s a problem.  But, this is just supposed to work!?

It turns out that the problem was with the authentication.  After converting the existing web application to Claims based authentication, my standard default search account was able to successfully crawl my tenants, and I could finally get some search goodness.  Big thanks to Maxime’s article on this on MSDN. 

Maxime also pointed to Steve Peschka’s article on how to convert a webapp to claims from classic.  It works great, and are the correct steps.  Don’t be fooled by imitators!