19 thoughts on “User Profile Picture and Certificate Trusts”

  1. Tristan,
    Thank you for this great article. I don't have an issue with certificates, but I think you have answered a question that nobody else seemed to know: how does SP sync convert the picture profile URL field to the binary object in AD? If it does literally go and get the image using the URL then great. Do you think we would need to have that image in SharePoint, or could it be on our Intranet, for example: http://ourintranet/staffimages/staffnumber123.jpg? What I intend to do is set our users' image property in SharePoint like the above URL, then sync to AD and see if the image gets exported. Do you think that could work? I'm also interested to know if SharePoint will deal with that URL pointing externally, or will I need to create the thumbnails for it to use in its various views… once again thanks for the excellent article!

  2. Hi Greg,

    Sorry about the slow reply. I wrote one earlier today, but I now know not to trust the Windows Phone 7 WordPress app’s comments functionality. It completely swallowed it!

    Anyway… this is an interesting question, because I’m not sure of three things:

    a) does specifying an external URL in the user profile trigger a separate event that grabs the image and loads the picture in to SharePoint?
    b) do the GET events above precede some other event that puts the pictures in SharePoint?
    c) Is it the w3wp.exe for the Service Application or the MIIServer.exe process that will matter most in your scenario?

    I’m guessing that the SharePoint Service Application (w3wp.exe) gets the data and populates it directly in to FIM, which will then export that data to Active Directory. Whether this means the picture never ends up in SharePoint, and the User Profile Synchronisation Service is effectively just a broker for this export, I’m not sure.

    If you’re able to test this I’d be really interested to hear how you get on. If I can find the time I’ll try to test it myself, but time is not something I’ve got much of presently. 🙂



  3. Update: Hi Tristan – I finally found time to test one part of this. I used PowerShell to set the pictureURL property to our external system, for example: pictureURL = http://ourIntranetSite/staffpics/staffID.jpg, and this worked – the image shows up in the user profiles and in the My Site, and also the User Photos image library in the My Site host is empty, so it hasn't copied the image into SharePoint…
    Then I ran the PowerShell script to create thumbnails, Update-SPProfilePhotostore -mysitehostlocation “http://”, and sure enough a Profile Pictures folder is created in the User Photos doc library, the 3 thumbnails are created and the user profile pictureURL property is updated with the medium-size thumbnail URL. I haven't tried syncing to AD yet, but I don't see why that would not work now as it's standard procedure from this point on…
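The two steps Greg describes above (setting PictureURL on a profile to an external image, then running Update-SPProfilePhotoStore to generate the thumbnails) as one added PowerShell example. This is not code from the original post or its comments; it assumes a SharePoint Server 2010 farm server with the SharePoint Management Shell, a hypothetical My Site host at http://mysitehost, a sample account CONTOSO\jsmith and a constructed external image URL that the farm can reach.

```powershell
# Added example, not part of the original post. Assumptions: My Site host URL,
# account name and external image URL below are all placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$mySiteHost = "http://mysitehost"                      # assumption: your My Site host
$account    = "CONTOSO\jsmith"                         # assumption: sample account
$pictureUrl = "http://ourintranet/staffpics/123.jpg"   # constructed external image URL

# Obtain a service context for the User Profile Service Application via the My Site host
$site = Get-SPSite $mySiteHost
$ctx  = Get-SPServiceContext -Site $site
$upm  = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)

if (-not $upm.UserExists($account)) {
    $site.Dispose()
    throw "No user profile found for $account"
}

# Point the PictureURL property at the external image and commit the profile
$profile = $upm.GetUserProfile($account)
$profile["PictureURL"].Value = $pictureUrl
$profile.Commit()
$site.Dispose()

# Create the small/medium/large thumbnails in the My Site host's User Photos library.
# As noted in the comment above, this also rewrites PictureURL to the medium thumbnail.
Update-SPProfilePhotoStore -MySiteHostLocation $mySiteHost
```

Run it once per account you want to test, then check the User Photos library and the profile's PictureURL value to confirm the rewrite before attempting the AD export.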


  4. Interesting stuff Greg! At least there’s an easy way to get those thumbnails created. I’d still be interested to see if it can export to AD without running the Update-SPProfilePhotostore cmdlet first though. You’ve piqued my curiosity! That could be quite useful in a few scenarios. Thanks again!

  5. Tristan,

    I agree with the other Greg above, great article, thanks for sharing your research!

  6. Hi, thanks for the info.
    Quick question: in what format did you provide the Root Auth Certificate?


  7. Hiya. I just added the export of the Root CA’s certificate (without private key) through the GUI if I recall correctly. I believe I just exported it by browsing to the site and navigating to the root certificate and exporting it.

  8. Hi Tristan, great article; it gives the background info I needed. The only strange thing is that after importing the * certificate in CA plus an IIS reset on both WFEs, the event error still exists, but the pictures are stored in the User Photos library.

    So it didn’t resolve the Event error logging… Any idea why the user profile (increment or full sync) is causing this?

    Kind regards, Amancio

  9. Hi Amancio. I think you need to import the parent certificate rather than the certificate itself. So if you’ve bought your certificate from Equifax, you export the Equifax Root CA certificate rather than your own SSL certificate, and then you import the root CA certificate in to SharePoint’s Manage Trusts store. Does that help? I’m kind of surprised this gets things working though. Or have you imported? I may not understand your scenario correctly.
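The import Tristan describes above (the root CA certificate of the chain, not the site's own SSL certificate, added to SharePoint's Manage Trusts store) as an added PowerShell example. It is not code from the original post; it assumes the root CA certificate was exported without its private key to a hypothetical path C:\certs\rootca.cer and that the script runs in the SharePoint Management Shell as a farm administrator.

```powershell
# Added example, not part of the original post. The .cer path and the trust name
# are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$cerPath = "C:\certs\rootca.cer"   # assumption: exported root CA certificate, public part only
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)

# Sanity checks before trusting the certificate farm-wide:
# a root CA certificate is self-signed (Subject equals Issuer) and must carry no private key.
if ($cert.Subject -ne $cert.Issuer) {
    Write-Warning "Subject and Issuer differ: this is not the root. Import the issuing chain's root (and any intermediates), not the site certificate."
}
if ($cert.HasPrivateKey) {
    throw "Refusing to import a certificate that carries a private key"
}
Write-Host ("Importing {0} (thumbprint {1}, expires {2})" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)

# Add it to SharePoint's Manage Trusts store
New-SPTrustedRootAuthority -Name "Root CA for My Site SSL" -Certificate $cert | Out-Null

# Verify the entry is present; then run iisreset on each WFE as the comments describe
Get-SPTrustedRootAuthority | Select-Object Name, @{n="Subject";e={$_.Certificate.Subject}}
```

If the site certificate was issued through an intermediate CA, repeat the import for each intermediate so the whole chain can be built by the farm.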

  10. I have a farm with User Profile and My Sites configured. There is a two-way trust between the two farms. When I tried to start the User Profile Synchronization Service I had to use the IP address of the domain controller, as the name could be resolved and it kept saying the LDAP server is unavailable.

    The User Profile Service is working and the profiles have imported successfully.

    1) I edited the user profile properties to import the user photos, which seems to be working now.

    2) But when I edited the picture property and set the direction to export, the crawl showed no success in the FIM logs for DC_export and the photos were not exported.

    I have SSL certificates added to the web front ends. I have also configured AAM.

    But the strange part is
    I get the same messages you got in the successful export section,
    i.e. Adding X.509 certificate and the https://site:443/my/User%20Photos/Profile/username.L.jpg

    In the logs I get the following errors:

    User Profile Application: SynchronizeMIIS encounters an exception: System.NullReferenceException: Object reference not set to an instance of an object.
    at Microsoft.Office.Server.UserProfiles.UserProfileImportJob.c__DisplayClass2.
    at Microsoft.SharePoint.SPSecurity.c__DisplayClass5.
    at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated
    at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param)
    at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated
    at Microsoft.Office.Server.UserProfiles.UserProfileImportJob.IsTimerJobRunning(UserProfileApplicationJob timerJob)
    at Microsoft.Office.Server…. e14cf29c-3eae-0052-f803-6f87d11502318

    EditProprty::_BuilDSMappingList threw exception : System.IO.InvalidDataException: Found invalid data while decoding.
    at Microsoft.Office.Server.UserProfiles.Synchronization.DSMLAttribute.get_Syntax()
    at Microsoft.SharePoint.Portal.UserProfiles.AdminUI.EditProperty._BuildDSMappingList(SortedList& attributes, Hashtable& propertyDefinitions, Boolean& fHasImports, Boolean& fHasExports, Boolean& fHasImportFromSelectedConnection)


    Please can you advise

  11. Hi John. Sorry about the slow and ultimately unhelpful reply. Assuming you’ve also got the certificate chain in SharePoint’s Manage Trusts, I’m afraid I don’t have any ideas. The “Object reference not set to an instance of an object” trace does not give me much to go on.
