You have a standard SharePoint Server 2010 installation with multiple claims-based web applications. You have configured a separate web application for the content and one for the My Sites, https://portal.contoso.com and https://pictures.contoso.com.
You have also configured claims-based authentication with ADFS (Active Directory Federation Services), and users are able to browse the sites.
You observe the following behavior:
The response after getting the cookie for the host pictures.contoso.com contains:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
<meta name="generator" content="HTML Tidy for Windows (vers 14 February 2006), see www.w3.org" />
<form method="post" name="hiddenform" action="https://pictures.contoso.com/_trust/default.aspx" id="hiddenform">
    <input type="hidden" name="wa" value="wsignin1.0" />
    <input type="hidden" name="wresult" value="trimmedthecontents" />
    <input type="hidden" name="wctx" value="https://pictures.contoso.com/_layouts/Authenticate.aspx?Source=2Fimage%2Epng" />
    <p>Script is disabled. Click Submit to continue.</p>
    <input type="submit" value="Submit" />
</form>
The JavaScript in this response initiates a post-back so that the STS can set the needed authentication cookies. Since we're still in the original IE context, IE treats this as a cross-site scripting (XSS) attack and the JScript is prevented from running.
Whenever forms-based authentication or trusted authentication (like ADFS) is used, the authentication session is scoped to the hostname. This means that a login to the content web application does not imply a login to the My Site web application. When using classic NTLM or claims-windows, the authentication mechanism is invisible to the client, which allows the configuration to work properly.
In order to fix the problem, a change will need to be made to the architecture. This can mean anything from merging the web applications to changing the authentication mechanism to claims-windows. You can also look at ways to make the pictures available anonymously.
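The following Python script is an added illustration of the hostname scoping described above; it is not part of this article and not Microsoft code. It parses a constructed copy of the hidden WS-Federation post-back form shown earlier, then uses a standard cookie jar to show that a session cookie set by a sign-in to portal.contoso.com is never sent to pictures.contoso.com, so the second host needs its own post-back to /_trust/default.aspx. The cookie name FedAuth is the one SharePoint 2010 uses for its claims session; its value here is constructed.

```python
"""Why a sign-in to portal.contoso.com does not carry over to pictures.contoso.com."""
import http.cookiejar
import urllib.parse
import urllib.request
from email.message import Message
from html.parser import HTMLParser

# Constructed copy of the hidden post-back form from the article (wresult trimmed there too).
HIDDEN_FORM = """
<form method="post" name="hiddenform" action="https://pictures.contoso.com/_trust/default.aspx" id="hiddenform">
<input type="hidden" name="wa" value="wsignin1.0" />
<input type="hidden" name="wresult" value="trimmedthecontents" />
<input type="hidden" name="wctx" value="https://pictures.contoso.com/_layouts/Authenticate.aspx?Source=2Fimage%2Epng" />
<p>Script is disabled. Click Submit to continue.</p>
<input type="submit" value="Submit" />
</form>
"""


class _HiddenFormParser(HTMLParser):
    """Collect the form action and the hidden fields a browser would POST."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action")
        elif tag == "input" and a.get("type") == "hidden":
            self.fields[a["name"]] = a.get("value", "")


def parse_post_back(html):
    """Return (action URL, {hidden field name: value}) for the hidden form."""
    parser = _HiddenFormParser()
    parser.feed(html)
    return parser.action, parser.fields


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only calls .info()."""

    def __init__(self, set_cookie):
        self._msg = Message()
        self._msg["Set-Cookie"] = set_cookie

    def info(self):
        return self._msg


def record_sign_in(jar, host):
    """Simulate the STS post-back to https://<host>/_trust/default.aspx setting the
    session cookie. No Domain attribute, so the cookie is host-only (constructed value)."""
    req = urllib.request.Request(f"https://{host}/_trust/default.aspx")
    jar.extract_cookies(_FakeResponse("FedAuth=constructed-token; Path=/; Secure; HttpOnly"), req)


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a GET of url, or None."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def demo():
    """Walk through the scenario and return what each host would receive."""
    jar = http.cookiejar.CookieJar()
    record_sign_in(jar, "portal.contoso.com")  # user signed in to the content web app
    action, fields = parse_post_back(HIDDEN_FORM)
    result = {
        "portal_cookie": cookie_header_for(jar, "https://portal.contoso.com/"),
        # The My Site host gets nothing: the session is scoped to portal.contoso.com.
        "pictures_cookie_before": cookie_header_for(jar, "https://pictures.contoso.com/image.png"),
        "post_back_host": urllib.parse.urlsplit(action).hostname,
        "wa": fields["wa"],
        "wctx_host": urllib.parse.urlsplit(fields["wctx"]).hostname,
    }
    # Only after the post-back to pictures.contoso.com itself does that host get a cookie.
    record_sign_in(jar, "pictures.contoso.com")
    result["pictures_cookie_after"] = cookie_header_for(jar, "https://pictures.contoso.com/image.png")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The jar uses the default cookie policy, which mirrors the browser rule that a cookie without a Domain attribute is returned only to the exact host that set it; that is the whole reason the second web application must run its own sign-in post-back, and why IE's blocking of that script leaves pictures.contoso.com unauthenticated.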
Article ID: 2532395. Last reviewed: May 22, 2011. Revision: 1