When you onboard SharePoint in claims/ADFS mode, you start facing a lot of new challenges you weren't aware of at all when everything was running on NTLM.
One surprise we discovered was that the user profile pictures (stored on the mysite host) were not reachable anymore by FIM (Forefront Identity Manager), because the User Profile Service Application can't authenticate through claims. Fortunately, for search reasons, our web application was configured with both NTLM and the claims provider. But FIM was trying claims before NTLM, which broke the retrieval of the pictures with an HTTP 403 error.
The FIMSynchronizationService log shows:
System.Net.WebException: The remote server returned an error: (403) Forbidden
which was confirmed in the FIM UI shell.
Some interesting blogs 1 suggested extending the web application in order to force it to use NTLM. In our case we weren't fans of extending the mysite web application: it would add extra monitoring work and complexity to our SharePoint farm and IIS (it creates a new IIS site), and all our sites were already NTLM + claims for search-crawler purposes.
All our web front-end and back-end servers running IIS already had:
- SSL certificates
- https bindings set up (again for search-crawling purposes)
- hosts file entries so that mysite.blabla.com resolves to the server itself (loopback)
So we simply disabled Forms Authentication on the mysite IIS site of that back-end server, which forces IIS to fall back to NTLM (Windows Authentication). Because of the loopback hosts entry, only requests made from that server, including FIM's, see the change.
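Here is what that change looks like when scripted, as an added example that is not the script from the original post. It assumes the IIS site is named "SharePoint - mysite.blabla.com", that mysite.blabla.com resolves to the local server through the hosts file, that the profile pictures live under /User Photos/Profile Pictures/ on the mysite host, and that PowerShell 3.0 or later with the WebAdministration module is available on the server. It backs up web.config, switches the ASP.NET authentication mode away from Forms (the equivalent of the Disable button in IIS Manager), makes sure Windows Authentication stays enabled, and then probes the picture library with the current Windows credentials without following redirects, so a redirect to the claims login page is reported as 302 instead of silently succeeding.

```powershell
# Added example, not the original post's script.
# Assumptions: site name, probe URL and a loopback hosts entry for mysite.blabla.com.
Import-Module WebAdministration

$siteName = 'SharePoint - mysite.blabla.com'                                  # assumption: IIS site name
$sitePath = "IIS:\Sites\$siteName"
$probeUrl = 'https://mysite.blabla.com/User%20Photos/Profile%20Pictures/'    # assumption: picture library URL

function Get-AuthState {
    # The two settings that matter here: the ASP.NET authentication mode
    # (Forms = claims login redirect for unauthenticated requests) and
    # whether IIS Windows Authentication (NTLM/Kerberos) is enabled.
    [pscustomobject]@{
        AspNetMode  = (Get-WebConfiguration -PSPath $sitePath -Filter 'system.web/authentication').mode
        WindowsAuth = (Get-WebConfiguration -PSPath $sitePath -Filter 'system.webServer/security/authentication/windowsAuthentication').enabled
    }
}

function Backup-SiteWebConfig {
    # Keep a timestamped copy of the site's web.config so the change can be rolled back.
    $physicalPath = [Environment]::ExpandEnvironmentVariables((Get-Website -Name $siteName).physicalPath)
    $webConfig    = Join-Path $physicalPath 'web.config'
    $backup       = "$webConfig.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    Copy-Item -Path $webConfig -Destination $backup
    return $backup
}

function Disable-FormsAuthForSite {
    # Move the ASP.NET authentication mode away from Forms on this site only.
    # SharePoint's own configuration still believes the site is NTLM + claims,
    # which is the deliberate, locally scoped desynchronisation described in the post.
    Set-WebConfigurationProperty -PSPath $sitePath -Filter 'system.web/authentication' -Name mode -Value 'None'
    # Windows Authentication must remain on, otherwise nothing can authenticate at all.
    Set-WebConfigurationProperty -PSPath $sitePath -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled -Value $true
}

function Test-PictureAccess {
    # Probe the library as the current Windows identity (the FIM sync account when run as that account).
    # -MaximumRedirection 0 makes a claims login redirect surface as a 302 rather than a 200 login page.
    try {
        $r = Invoke-WebRequest -Uri $probeUrl -UseDefaultCredentials -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
        return [int]$r.StatusCode
    } catch {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

Write-Host 'Before:' ; Get-AuthState | Format-List
$backupFile = Backup-SiteWebConfig
Write-Host "web.config backed up to $backupFile"

Disable-FormsAuthForSite

Write-Host 'After:'  ; Get-AuthState | Format-List
$status = Test-PictureAccess
switch ($status) {
    200     { Write-Host "OK: picture library answered $status with Windows credentials" }
    302     { Write-Warning "Still redirected ($status): Forms/claims is still intercepting the request" }
    403     { Write-Warning "Forbidden ($status): same symptom as the FIM log, check Windows Authentication and permissions" }
    default { Write-Warning "Unexpected status $status" }
}
```

Because the change lives in the site's web.config and not in SharePoint's configuration database, anything that re-provisions the web application can put Forms back. Running Get-AuthState from a scheduled task (and alerting when AspNetMode is Forms again) is a cheap way to notice that drift before the FIM 403s come back. Note also that after this change the claims login path no longer exists on that one IIS site, so keep the loopback hosts entry in place: it is what guarantees that only local callers such as FIM, and not end users, hit the NTLM-only site.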
A few assumptions:
- our search crawlers aren't running on this back-end server; if they were, this change could impact them
- we don't expect this change to be really supported by Microsoft, as we are desynchronizing the internal SharePoint configuration from what is actually configured on one server
- we have seen our change get overridden at some point and weren't able to find the root cause, but so far that is acceptable
At your own risk :)