User profile pictures not accessible in sharepoint in claims/ADFS

When you onboard sharepoint in claims/ADFS mode, you start facing a lot of new challenges you weren't at all aware when everything was running on NTLM.

One surprise we discovered was that the user profile pictures (stored on the mysite host) were not recheable anymore by FIM (Forefront Identy Manager) because User Profile Application Service can't authenticate through claims. Hopefully, for search reason, our web application was set on NTLM & claims provider. But ... FIM was using first claims over NTLM breaking the retrieval of pictures and get an HTTP 403 error.

FIMSynchronizationService The remote server returned an error: (403) Forbidden

confirmed by FIM UIshell

Some interesting blogs 1 suggested to extend the web application in order to force it using use NTLM, in our case we weren't fan of extending mysite web application, which would add extra monitoring action & complexity over our sharepoint farm & IIS (it creates a new IIS site), and all our site were already NTLM + claims for search crawler purpose.

All our webfront ends & backend servers with IIS had already

  • SSL certificates
  • https bindings setup (always for search crawling purpose)
  • host file references that loop on the same server

we simply disabled the form authentication on the mysite IIS site in order to force IIS to accept gently NTLM

Few assumptions

  • our search crawlers aren't running on this backend server, this could be an impact if it's the case
  • we don't expect this change really supported by Microsoft as we are desynchronizing internal Sharepoint configuration with reality on one servers
  • we seen, and weren't able to find the rootcause, that our change get overriden at one point, but it's so far acceptable

At your own risks :)

Fabien Camous

Read more posts by this author.