SharePoint 2013: Enabling cross domain profile pictures

Tags: SharePoint 2013

Just discovered a really interesting and just awesome nugget in SharePoint 2013 that solves a problem that has been annoying me for a long time. The problem manifests itself when you have multiple URLs for your SharePoint farm, or when you use SAML or forms-based login (as in Office 365 and SharePoint Online), and you show profile pictures on sites that do not reside on the My Site Host Web Application (or host-named site collection). The user profile picture is then not shown: you get the default image-not-found image, or you’re prompted to authenticate with the My Site Host.

Let’s take an example. Assume I have one site at intranet.contoso.com and the My Site host exists on mysite.contoso.com. I have not configured any Internet Explorer zones or anything and I’m prompted to log in at each location. This is what the Newsfeed Web Part will look like on intranet.contoso.com, if I cancel out of the authentication prompt or if I’m using some forms-based login:

[Image: No picture...]

You see, no fancy picture of Mr administrator! There are a couple of ways to solve this using IE Zones, anonymous access etc., but none is perfect and each comes with consequences.

So how can I get the picture to be shown without messing with security, cross-domain issues etc.? Fortunately I guess I was not the only one annoyed by this (most likely everyone using Office 365 as well), so the SharePoint team has added a new feature to SharePoint that allows us to show profile pictures cross-domain.

It’s a very simple operation and just requires some basic PowerShell skills. Basically all you need to do is to set the CrossDomainPhotosEnabled property on the SPWebApplication object to true, like this:

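Add-PSSnapin Microsoft.SharePoint.PowerShell   # load the SharePoint cmdlets
# Get the web application that should show the pictures
$wa = Get-SPWebApplication http://intranet.contoso.com
# Turn on cross-domain profile pictures and save the change
$wa.CrossDomainPhotosEnabled = $true
$wa.Update()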

Now the Newsfeed, in the sample above, will look like below. And I was not prompted for any authentication or anything! Isn’t that sweet! And it works very well on Host Named Site Collections as well.

[Image: Look at that guy!]

Basically what happens behind the scenes is that the request for the user picture is sent via a “proxy” .aspx page called userphoto.aspx, which takes a couple of parameters: the URL of the picture, the account name (or e-mail) and the picture size (S, M or L). This page returns a JPEG stream of the user profile picture without crossing any domains on the client side.
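
To see what the proxy is being asked for when a picture does not show up, the following added example (not code from the original post or from SharePoint) splits a userphoto.aspx URL into the parameters described above and reports which host the inner picture URL points at. The function name, the ExpectedMySiteHost parameter and the sample URL are assumptions made for illustration; the query parameter names size, url and accountname are taken from a proxy URL quoted in the comments on this post.

```powershell
# Added example: split a userphoto.aspx proxy URL into the parameters the post lists.
function Get-UserPhotoProxyInfo {
    param(
        [Parameter(Mandatory = $true)] [string] $ProxyUrl,
        # Assumption: the host name your My Site pictures should be served from.
        [Parameter(Mandatory = $true)] [string] $ExpectedMySiteHost
    )

    $outer = [System.Uri]$ProxyUrl

    # Parse the query string by hand; the first occurrence of a parameter wins.
    $query = @{}
    foreach ($pair in $outer.Query.TrimStart('?').Split('&')) {
        if (-not $pair) { continue }
        $name, $value = $pair -split '=', 2
        if ($null -eq $value) { $value = '' }
        if (-not $query.ContainsKey($name)) {
            $query[$name] = [System.Uri]::UnescapeDataString($value.Replace('+', ' '))
        }
    }

    # The picture URL is itself percent-encoded inside the "url" parameter.
    $inner = $null
    [void][System.Uri]::TryCreate([string]$query['url'], [System.UriKind]::Absolute, [ref]$inner)

    [pscustomobject]@{
        ProxyHost       = $outer.Host
        Size            = $query['size']
        SizeIsKnown     = $query['size'] -in 'S', 'M', 'L'
        AccountName     = $query['accountname']
        PictureUrl      = $query['url']
        PictureHost     = if ($inner) { $inner.Host } else { $null }
        PictureOnMySite = [bool]($inner -and ($inner.Host -eq $ExpectedMySiteHost))
    }
}

# Constructed sample URL (hosts from the post's example; user and folder are made up).
$sample = 'https://intranet.contoso.com/_layouts/15/userphoto.aspx?size=S' +
          '&url=https%3A%2F%2Fmysite.contoso.com%2FUser%2520Photos%2FProfile%2520Pictures%2Fjdoe_SThumb.jpg' +
          '&accountname=CONTOSO%5Cjdoe'

Get-UserPhotoProxyInfo -ProxyUrl $sample -ExpectedMySiteHost 'mysite.contoso.com' | Format-List
```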

I hope this little nugget will save you and your customers a lot of time and annoyance.

17 Comments

  • Bryan Porter said

    Excellent find. I saw many customers in 2010 days roll their own solutions to this problem using an _layouts deployed proxy page; good to see that pattern made its way into the product!

  • David Price said

    I'm not sure how to get this working on Office 365...

    I get:
    The Windows PowerShell snap-in 'Microsoft.SharePoint.PowerShell' is not installed on this computer.

    If I ignore the first line I get:
    The term 'Get-SPWebApplication' is not recognized as the name of a cmdlet.

    Is this a limitation of SharePoint 2013 Online or am I missing something?

  • Wictor said

    @David Price: This is a SharePoint 2013 On-Premise only configuration option. You do not have access to do this in the SPO farms.

  • Alla said

    Hey there.

    We are currently having this issue with a client and tried the PowerShell command. It didn't seem to solve it for us.
    We have a list of contacts on an intranet page. The image URL that comes back seems to be a URL for the F5 external access site even though we are accessing the pages from within the network.

    Do you have any recommendations for this? Could it have something to do with F5?

  • Gabriel Serrão said

    Hi Wictor, what's up?

    I have needed something like that for a long time, since my first SharePoint 2010 environment.

    Unfortunately, your solution did not work for me. Could you help me?

    I'm accessing my site through the internet using AAM. Every time, I have to reauthenticate twice. So, after I changed the property to true, the profile picture disappeared. It's referenced by a long encoded URL like this:

    https://intranet.contoso.com/_layouts/15/userphoto.aspx?size=S&url=https%3A%2F%2Fmysite.contoso.com%3A443%2FUser%2520Photos%2FImagens%2520de%2520Perfil%2Fgserrao_SThumb.jpg%3Ft%3D63516514879&accountname=Domain%5CGSerrao&t=999999999

    When I try to get this URL, I get the default profile image.

    But if I decode just the tail of the URL, I get:

    https://mysite.contoso.com:443/User%20Photos/Imagens%20de%20Perfil/gserrao_SThumb.jpg?t=999999999&accountname=Domain\User&t=999999999, I get the correct profile photo.

    What do I have to do? What did I forget?

    Thanks in advance!

  • Robert Lindgren said

    Great article!

    The hint about the proxy page helped me implement this in my custom web parts as well. Before, they were behaving a bit odd in Chrome.


About Wictor...

Wictor Wilén is the Nordic Digital Workplace Lead working at Avanade. Wictor has achieved the Microsoft Certified Architect (MCA) - SharePoint 2010, Microsoft Certified Solutions Master (MCSM) - SharePoint and Microsoft Certified Master (MCM) - SharePoint 2010 certifications. He has also been awarded Microsoft Most Valuable Professional (MVP) for seven consecutive years.
