Error 6306 and "unable to process create message" when trying to create an AD connection

  • Question

  • After successfully installing two other farms in other environments, I'm faced with a problem creating an AD connection in my current farm. The User Profile Service application started successfully and I'm able to view my AD in the connection form. When I validate the connection settings, I receive an error "unable to create message". I followed http://technet.microsoft.com/en-us/library/ee721049.aspx and also http://www.harbar.net/articles/sp2010ups.aspx without success. I also tried to configure it on a new server in the same environment, same error.

    The error in the event view is eventid 3 and event id 6306 and the error in the ULS is

    0X1470
    originalMaConfiguration.Create or UpdateResource failed

    at step Create Connection  --- Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException: Unable to process Create message   

     at Microsoft.ResourceManagement.WebServices.Client.ResourceTemplate.CreateResource()   

     at Microsoft.ResourceManagement.WebServices.ResourceManager.CreateResource()   

    at Microsoft.Office.Server.UserProfiles.DirectoryServiceConnection.UpdateInternal()


    Thanks !

    Thursday, December 9, 2010 8:58 AM

Answers

  • I've been working on this support request and we fixed the issue by disabling schema classes that were introduced earlier.
    This schema extension added 2 new classes that are auxiliary and are subclasses of "person". An auxiliary class must be a subclass of "top".

    To check whether you're in this scenario, here is how to proceed.

    1. Export the schema in LDIF format through
      Ldifde -f export_1.txt -d cn=schema,cn=configuration,dc=MyDomain,dc=com -r "(&(objectClass=classSchema)(objectClassCategory=3))" -l dn,subClassOf
      (Replace "dc=MyDomain,dc=com" with the distinguished name of your root domain)
      This file will contain all auxiliary classes from the schema with their subClassOf attribute.
    2. In this export_1.txt file, search for class(es) that are not "subClassOf: top"
    3. For each one found, check if this auxiliary class is linked to a structural class through
      Ldifde -f export_2.txt -d cn=schema,cn=configuration,dc=MyDomain,dc=com -r "(auxiliaryClass=<insert class identified in step 2>)"

    As the subClassOf attribute cannot be updated, the solution we applied was to disable the two classes that were "subClassOf: person", as they were not used anymore. If step 3 returned 0 objects, then you can disable the class safely. Otherwise, you need to check that it's not used and then dereference it.

    WARNING: Modifying the schema is a very tricky operation that may cause all of your Active Directory to fail. Incorrect modification may require a full forest recovery. See the white paper "Planning for Active Directory Forest Recovery" (http://technet.microsoft.com/fr-fr/library/planning-active-directory-forest-recovery(WS.10).aspx) for more detail on this scenario.

    To unlink the faulty classes, use the Active Directory Schema console, open the properties of the classes spotted in step 3 and, in the Relationship tab, remove the faulty class from the "Auxiliary Classes:" box.

    To disable the faulty classes, use the Active Directory Schema console, open the properties of the classes spotted in step 2 and uncheck the "Class is active" box. You can also disable the associated attributes (they can be found in the Attributes tab of the class properties).

    Disabled (also called defunct) classes and attributes can be hidden/displayed through the "View\Defunct Objects" option in the contextual menu of both the attributes and classes containers.

    Tuesday, June 7, 2011 3:44 PM
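    The following is an added example, not code from the thread or from Microsoft: it reads the export_1.txt / export_2.txt files that steps 1 and 3 above produce and applies the step 2 and step 3 checks offline. The LDIF content, the "Legacy-Aux-*" class names and the structural class "Legacy-User" are constructed sample data, not real schema objects.

```python
"""Added example: audit an ldifde schema export for auxiliary classes that are not subClassOf top."""
import base64
from typing import Dict, List

# Constructed export_1.txt (step 1): one healthy auxiliary class, two hypothetical legacy ones under "person".
EXPORT_1 = """dn: CN=Mail-Recipient,CN=Schema,CN=Configuration,DC=MyDomain,DC=com
changetype: add
subClassOf: top

dn: CN=Legacy-Aux-One,CN=Schema,CN=Configuration,DC=MyDomain,DC=com
changetype: add
subClassOf: person

dn: CN=Legacy-Aux-Two,CN=Schema,CN=Configuration,DC=MyDomain,DC=com
changetype: add
subClassOf:: cGVyc29u
"""

# Constructed step-3 results (one export_2.txt per suspect class): only Legacy-Aux-One is still linked.
EXPORT_2 = {
    "Legacy-Aux-One": "dn: CN=Legacy-User,CN=Schema,CN=Configuration,DC=MyDomain,DC=com\nchangetype: add\n",
    "Legacy-Aux-Two": "",
}


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, decodes 'attr:: base64' values, one dict per entry."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # folded continuation of the previous line
        else:
            logical.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in logical + [""]:             # the trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def suspect_auxiliary_classes(export_1: str) -> List[str]:
    """Step 2: DNs of auxiliary classes whose subClassOf is anything but top."""
    return [e["dn"][0] for e in parse_ldif(export_1)
            if e.get("subclassof") and "top" not in [p.lower() for p in e["subclassof"]]]


def audit(export_1: str, export_2_by_cn: Dict[str, str]) -> Dict[str, str]:
    """Steps 2 and 3 combined: zero step-3 hits means the class can be disabled directly."""
    verdicts: Dict[str, str] = {}
    for dn in suspect_auxiliary_classes(export_1):
        cn = dn.split(",", 1)[0].split("=", 1)[1]
        linked = [e["dn"][0] for e in parse_ldif(export_2_by_cn.get(cn, ""))]
        verdicts[cn] = "safe to disable" if not linked else "unlink first from: " + ", ".join(linked)
    return verdicts
```

    Run step 3 only for the classes this reports; the step-3 ldifde filter takes the class's lDAPDisplayName, which may differ from the CN shown in the DN.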
  • Hi PaminCambridge,

    After months on this problem, our freshly established premium support contact resolved the case. Classes were added years ago. They are not used anymore but were still active. Once we deactivated them, we were able to create the connection.

    Hope it helps for your case...

    Wednesday, June 8, 2011 5:19 AM

All replies

  • Hello,


    Are you trying to create User Profile connection for another domain?

    A firewall between the SharePoint server and the domain DCs may be the cause of the issue; you can review a Netmon trace while the issue reproduces to see if it is requesting a blocked port.


    Thanks & Regards.


    Lily Wu
    Thursday, December 16, 2010 6:41 AM
  • Hello,

    Thanks for your post.

    No, the firewalls are off. Here are more details on my case:

    1. The ILM configuration finished successfully:

      UserProfileApplication.SynchronizeMIIS: End setup for 'User Profile Service Application'.

    2. I checked with success that the two ForeFront Identity Manager services are in state "started"

    3. As the FIM is on the same server as the central administration, I made an IIS reset

    4. I configured the synchronization connections without SSL and I'm able to populate the container

    5. When I click "OK", I receive the following message "Unable to process Create message" with Correlation ID bbfc8b70-347c-47a2-90a1-1cc17f572449

    6. In the ULS logs, I have the following error:

      originalMaConfiguration.Create or UpdateResource failed

      at step Create Connection --- Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException: Unable to process Create message

      at Microsoft.ResourceManagement.WebServices.Client.ResourceTemplate.CreateResource()

      at Microsoft.ResourceManagement.WebServices.ResourceManager.CreateResource()

      at Microsoft.Office.Server.UserProfiles.DirectoryServiceConnection.UpdateInternal()

    7. In the event viewer under "Application", I have the 3 following errors:

      Error 6306 :

      The server encountered an unexpected error while performing an operation for the client.

      "BAIL: MMS(4804): parser.cpp(3182): 0x80230910 (E_MMS_SCHEMA_CYCLE_IN_CLASS_HIERARCHY)

      BAIL: MMS(4804): parser.cpp(3059): 0x80230910 (E_MMS_SCHEMA_CYCLE_IN_CLASS_HIERARCHY)

      BAIL: MMS(4804): parser.cpp(2896): 0x80230910 (E_MMS_SCHEMA_CYCLE_IN_CLASS_HIERARCHY)

      BAIL: MMS(4804): schema.cpp(106): 0x80230910 (E_MMS_SCHEMA_CYCLE_IN_CLASS_HIERARCHY)

      ERR: MMS(4804): mastate.cpp(12395): Error creating MA schema object: 0x80230910

      BAIL: MMS(4804): mastate.cpp(12705): 0x80230910 (E_MMS_SCHEMA_CYCLE_IN_CLASS_HIERARCHY)

      BAIL: MMS(4804): mastate.cpp(1673): 0x80230910 (E_MMS_SCHEMA_CYCLE_IN_CLASS_HIERARCHY)

      BAIL: MMS(4804): server.cpp(964): 0x80230910 (E_MMS_SCHEMA_CYCLE_IN_CLASS_HIERARCHY)

      Forefront Identity Manager 4.0.2450.11"




      Error 3 :

      Microsoft.ResourceManagement.ResourceManagementException: Exception from HRESULT: 0x80230910 ---> System.Runtime.InteropServices.COMException (0x80230910): Exception from HRESULT: 0x80230910

      at MIISRCW.IMMSServer.CreateMA(String pszMADataXML, String& ppszUpdatedXML)

      at Microsoft.ResourceManagement.SyncConfig.CreateMA(String maData, String& returnString)

      at Microsoft.ResourceManagement.ActionProcessor.SyncConfigActionProcessor.Create(String typeName, IList`1 createParameters, Guid creator, Guid cause)

      --- End of inner exception stack trace ---



      Error 3 (again) :

      Microsoft.ResourceManagement.Service: Microsoft.ResourceManagement.ResourceManagementException: Exception from HRESULT: 0x80230910 ---> System.Runtime.InteropServices.COMException (0x80230910): Exception from HRESULT: 0x80230910

      at MIISRCW.IMMSServer.CreateMA(String pszMADataXML, String& ppszUpdatedXML)

      at Microsoft.ResourceManagement.SyncConfig.CreateMA(String maData, String& returnString)

      at Microsoft.ResourceManagement.ActionProcessor.SyncConfigActionProcessor.Create(String typeName, IList`1 createParameters, Guid creator, Guid cause)

      --- End of inner exception stack trace ---

      at Microsoft.ResourceManagement.ActionProcessor.SyncConfigActionProcessor.Create(String typeName, IList`1 createParameters, Guid creator, Guid cause)

      at Microsoft.ResourceManagement.ActionProcessor.SyncConfigActionProcessor.ProcessInputRequest(RequestType request)

      at Microsoft.ResourceManagement.ActionProcessor.ActionDispatcher.ProcessInputRequest(RequestType request)

      at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction(RequestType request)

      at Microsoft.ResourceManagement.WebServices.RequestDispatcher.ExecuteAction[ResponseBodyType](RequestType request)

      at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request, Guid requestIdentifier, Object redispatchSingleInstanceKey)

      at Microsoft.ResourceManagement.WebServices.RequestDispatcher.DispatchRequest[ResponseBodyType](RequestType request)

      at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Create(Message request)

    8. When I analyze the traffic with Wireshark, some values seem to be truncated (domain name, username, but not the server name) during the LDAP bind request:

      No.     Time        Source                Destination           Protocol Info...
          207 4.791444    160.98.XX.XX         160.98.XX.XX       LDAP     bindRequest(126) "<ROOT>" , NTLMSSP_AUTH, User: s\hsasl

      Lightweight Directory Access Protocol
          LDAPMessage bindRequest(198) "<ROOT>" sasl
              messageID: 198
              protocolOp: bindRequest (0)
                  bindRequest
                      version: 3
                      name:
                      authentication: sasl (3)
                          sasl
                              mechanism: GSS-SPNEGO
                              credentials: 4e5...
                              GSS-API Generic Security Service Application Program Interface
                                  NTLM Secure Service Provider
                                      NTLMSSP identifier: NTLMSSP
                                      NTLM Message Type: NTLMSSP_AUTH (0x00000003)
                                      Lan Manager Response: 45ee78cca002d17f00000000000000000000000000000000
                                          Length: 24
                                          Maxlen: 24
                                          Offset: 138
                                      NTLM Client Challenge: 45ee78cca002d17f
                                      NTLM Response: cf68d524d4cf46b551ad7a71dc2a156f8db04e4c44d66f46
                                          Length: 24
                                          Maxlen: 24
                                          Offset: 162
                                      Domain name: s
                                          Length: 8
                                          Maxlen: 8
                                          Offset: 88
                                      User name: h
                                          Length: 18
                                          Maxlen: 18
                                          Offset: 96
                                      Host name: HEFRSPSDEV04
                                          Length: 24
                                          Maxlen: 24
                                          Offset: 114
                                      Session Key: 5b300527537995418c8515868b9878fd
                                          Length: 16
                                          Maxlen: 16
                                          Offset: 18

      I have compared this trace with another domain where I configured the connection successfully, and the domain name and the username were complete in that trace !!!!!! Any ideas ?

      Many thanks for your help !

    • Edited by raphael.guisolan Friday, December 17, 2010 11:25 AM add more details
    Friday, December 17, 2010 7:37 AM
  • And of course, as the domain name and the username of the preceding request were not complete, the response of the Active Directory is:

     No.     Time        Source                Destination           Protocol Info

        743 7.225165    160.98.XX.XX   160.98.XX.XX        LDAP     bindResponse(198) invalidCredentials (8009030C: LdapErr: DSID-0C0904D0, comment: AcceptSecurityContext error, data 52e, v1db0)

    Many thanks for any help !

    Friday, December 17, 2010 11:28 AM
  • I have this exact same issue.  Is your domain a mixed forest with multiple domains and 2008 and 2003 domain controllers?  I think Sharepoint isn't configuring the domain settings right during the auto discovery.  That's my theory. 
    Monday, December 20, 2010 7:13 PM
  • I opened a case with Microsoft last week, I'm waiting....

    We have one forest with a domain and its "child" domain. Three domain controllers running the 2008 version, but upgraded repeatedly since 2000.

    I have another similar infrastructure where I tested it without problems... :-( I can't find the difference...

    Monday, December 20, 2010 7:50 PM
  • Raphael,

    Hmmm, that's really interesting that you have a similar infrastructure and yet can't reproduce the problem.  I'd be interested in what Microsoft says.  Have you looked at how each of your environments is set up with regards to NetBIOS versus FQDN?  My current theory on this is that because SharePoint now kind of "wizard-ified" the user profile configuration, the domain name is not being picked up correctly in some environments ... and there is no good way to manually override the autodiscovery of the domain.

    My reason for thinking that is that I had to install a SharePoint 2007 dev environment on the same domain at the same time I was installing 2010, and I noticed that for the autopopulated domain name under the SSP - User Profile and Properties - Manage Connections, the auto discovery selected the wrong domain name.  The difference being that I could edit it in 2007 and get the right domain hooked up.

    Good luck with Microsoft.  Hopefully they can help you fix this super annoying problem.


    Thursday, December 23, 2010 3:35 PM
  • Hi PaminCambridge,

    After 2 weeks of investigations with Microsoft Support, this problem has to be "scaled".

    So... we wait...

    Wednesday, January 5, 2011 4:03 PM
  • Raphael,

    Well, that is bad news and good news.  Bad we have to wait and good in that this is not something simple that we have overlooked.  Thanks so much for the followup.  Good luck!!!

    Tuesday, January 11, 2011 6:30 PM
  • Anything from MS yet? Thanks!
    Wednesday, February 9, 2011 1:46 AM
  • No, my last session with Microsoft was yesterday. The case has been escalated. They are now working on ULS logs and network traces. The problem seems deep but should be from an AD configuration/topology that is not supported by the FIM. Maybe....
    Wednesday, February 9, 2011 6:45 AM
  • Raphael,

    Did Microsoft resolve this for you?


    I just applied the February CU and that did not help.  Same message.

    Monday, March 14, 2011 5:08 PM
  • Feb CU worked for me. Make sure you recreate the UPA and don't forget to restart the timer service.
    Monday, March 14, 2011 5:12 PM
  • Unfortunately, still the same error, even after recreating the service application and restarting the timer service :-( :-( :-( Thanks for the advice.

    Dear PaminCambridge, we are obviously in the same situation for months. Did you also open a Microsoft case? Mine is still open, even after 4 months made of sessions and sessions...

    Tuesday, March 15, 2011 1:25 PM
  • Yes.  I opened a case.  No resolution as of yet.
    Wednesday, March 23, 2011 7:15 PM
  • Anyone have an update on this?  I have opened a ticket with Microsoft and they are suggesting that this is an AD issue and have assigned an AD person to my case.
    Monday, May 2, 2011 5:46 PM
  • Hi Raphael,

    That's great news!  I have forwarded this thread to my Microsoft Support resources and hopefully this might shed some light on what's going on in my environment. 


    Thanks so much for passing along your solution.  :)  It's been a looooong six months. 

    Thursday, June 23, 2011 1:40 PM
  • Hi Raphael,

    After executing the script in the 1st point you mention, the result contains only subclasses of TOP, therefore it makes no sense to move forward, which also leaves me with the initial problem intact.

    I must say that in one of the SharePoint 2010 pre-SP1 farms the connection was successful without any issues. Could it be related to it??


    Thank you kindly for your answer,

    C:\Marius

    Sunday, July 10, 2011 9:29 PM
  • Marius,

    I definitely think it is related because there was a "fix" inside SP1 for the user profile.  Microsoft just released a different version for SP1...and in SP1 R2 <eye roll>.  You might want to try applying that instead.  Good luck.

    Thursday, July 14, 2011 1:38 PM
  • Hi,

    Does anyone have a solution for this issue?

    I am trying to create a profile sync connection to another AD (it has only one domain but different from the domain controller where my SharePoint resides) and I get the following error. It successfully queries the containers.

    "unable to process create message".

    In sharepoint log, the error details are as below:

    originalMaConfiguration.Create or UpdateResource failed at step Create Connection  --- Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException: Unable to process Create message     at Microsoft.ResourceManagement.WebServices.Client.ResourceTemplate.CreateResource()     at Microsoft.ResourceManagement.WebServices.ResourceManager.CreateResource()     at Microsoft.Office.Server.UserProfiles.DirectoryServiceConnection.UpdateInternal() 6bb03706-46db-400d-a2aa-41087ab2e1b3

    Please advise.

    Regards, Naush

    Friday, March 8, 2013 2:51 PM