Our farm is set up so that internally our web applications use http with NTLM, mainly for the search crawler.
Externally, http isn't allowed into the environment, everyone has to connect through https. They also authenticate using smart cards via a trusted identity provider.
Our client is ancient... they were still using IE 8, so I noticed that every time they made a call to userdisp.aspx via JavaScript to populate some fields for a form, I'd get a pop-up saying that I was trying to access insecure content. I did some drilling down, and it turned out that the picture being displayed through userdisp.aspx was being accessed by http (the URL displayed is http://mysiteurl:80/User Photos/Profile Pictures/[mysite identifier]_MThumb.jpg?t=[picture timestamp]).
In IE 10 this isn't quite as big a deal, at least to us, because we're currently not trying to pull the picture through ajax for anything and IE 10 doesn't pop up that insecure error anymore.
I've duplicated this issue in another environment where the authentication was all NTLM. I've set the https for mysites to be the default AAM, as well as the default portal URL to be https. I've tried setting the mysite url in our UPS to be https. Nothing I've done has been able to get the userdisp.aspx page to display the picture using https.
From looking at the userdisp.aspx page in the hive, it looks like it's pulling the data from the UPS and displaying it programmatically (you don't see what exactly is being pulled, it looks like it just enumerates it and dumps what it finds). However, when I go in to the UPS via PowerShell to see what is set for my picture, it comes up as https. It's almost as though it's actively replacing what's in the profile with http.
Has anyone else run into this before? Is there a configuration I've missed somewhere?
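
An added example, not part of the original post: a small JavaScript check that lists the image references in a fetched fragment that would load over http when the hosting page is https, which is the condition behind the insecure-content prompt described above. The sample fragment, the page URL passed to the function and the function name are constructed for illustration.

```javascript
// Constructed sample shaped like the markup described in the post.
// Host name, identifier and timestamp are placeholders.
const SAMPLE_FRAGMENT = `
<table>
  <tr><td><img id="pic" src="http://mysiteurl:80/User Photos/Profile Pictures/PLACEHOLDER_MThumb.jpg?t=0000000000" alt="Picture"></td></tr>
  <tr><td><img src="/_layouts/images/blank.gif" alt=""></td></tr>
  <tr><td><img src='//mysiteurl/_layouts/images/icon.png'></td></tr>
  <tr><td><IMG SRC=https://mysiteurl/ok.jpg></td></tr>
</table>`;

// Returns one finding per <img> whose resolved URL is http while the
// hosting page is https (passive mixed content).
function findInsecureImages(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  // src may be double-quoted, single-quoted or unquoted.
  const imgTag = /<img\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>/gi;
  let m;
  while ((m = imgTag.exec(html)) !== null) {
    const raw = m[1] ?? m[2] ?? m[3];
    let resolved;
    try {
      // Relative and protocol-relative URLs inherit the page's scheme.
      resolved = new URL(raw, page);
    } catch {
      findings.push({ raw, resolved: null, reason: "unparseable" });
      continue;
    }
    if (page.protocol === "https:" && resolved.protocol === "http:") {
      findings.push({ raw, resolved: resolved.href, reason: "http image on https page" });
    }
  }
  return findings;
}

// Constructed page URL: the external https zone.
const report = findInsecureImages(SAMPLE_FRAGMENT, "https://mysiteurl/_layouts/userdisp.aspx?ID=1");
for (const f of report) console.log(f.reason + ": " + f.raw);
```

Running the same fragment against an http page URL returns no findings, which matches the internal NTLM zone never showing the prompt.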