When I try to start the “User Profile Synchronization Service”, it gets stuck in starting mode for a few minutes and then stops again.
As you know, this service wants to start two other dependent services:
- ForeFront Identity Manager Service
- ForeFront Identity Manager Synchronization Service
When I hit the start button of “User Profile Synchronization Service”, after a couple of minutes the “ForeFront Identity Manager Synchronization Service” successfully starts, but the “ForeFront Identity Manager Service” never starts, and after a couple more minutes the “ForeFront Identity Manager Synchronization Service” stops and “User Profile Synchronization Service” goes from starting mode to stopped.
I searched the ULS log for this service and found out this entry:
UserProfileApplication.SynchronizeMIIS: Failed to configure ILM, will attempt during next rerun. Exception: System.Security.SecurityException: There are currently no logon servers available to service the logon request.
    at System.Security.Principal.WindowsIdentity.KerbS4ULogon(String upn)
    at System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName, String type)
    at System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName)
    at Microsoft.IdentityManagement.SetupUtils.IlmWSSetup.GetDomainAccountSIDHexString(String domainName, String accountName)
    at Microsoft.Office.Server.UserProfiles.Synchronization.ILMPostSetupConfiguration.ConfigureIlmWebService(Boolean existingDatabase)
    at Microsoft.Office.Server.Administration.UserProfileApplication.SetupSynchronizationService(ProfileSynchronizationServiceInstance profileSyncInstance)
The Zone of the assembly that failed was: MyComputer.
I do not use Kerberos in my environment.
What should I do?
This is an error that is all too common. The easiest way is to try to start the sync with the farm account, and it has to be a local admin on the server while you do this. If this fails anyway, do the UPS all over.
Use these two links as reference, best there is on UPS issues:
Rational Guide to implementing SharePoint Server 2010 User Profile Synchronization
or start troubleshooting:
“Stuck on Starting”: Common Issues with SharePoint Server 2010 User Profile Synchronization
If you redo UPS by the Harbar guide, it will work.
Thomas Balkeståhl - Technical Specialist - SharePoint - http://blksthl.wordpress.com
Thanks Thomas for your reply.
The farm account is in the local admin group and I fixed all of the issues mentioned in Harbar's guide.
But I still have this problem.
Moreover, our Active Directory functional level is 2003, but we also have 2008 servers.
Do you have any other comment?
- Edited by Farshid Mahdavipour Monday, February 27, 2012 2:19 PM
From the error message you mentioned, the reason is related to Kerberos; the detailed explanation is as follows:
OWSTIMER process tries to get a service ticket for itself (a TGS with Sname/SPN = the OWSTIMER account) that contains information about itself (this is called S4U2Self).
However, a security feature introduced in Windows Server 2003 prevents the KDC from distributing a TGS for an account that does not have an SPN defined, as explained in this TechNet article (http://technet.microsoft.com/fr-fr/library/cc772815(WS.10).aspx):
It is very easy to fix, all you need is to add a fake SPN, whatever it is, to the OWSTimer account, so that KDC will allow to distribute a ticket for that account. For example:
setspn -a NONE/NONE OWSTimerAccount
Rock Wang TechNet Community Support
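The explanation above can be checked outside SharePoint: the ULS stack trace fails inside the WindowsIdentity(String upn) constructor, which performs the S4U2Self logon, so calling that constructor yourself from the SharePoint server reproduces the problem in isolation. The following PowerShell is an added example and is not code from the thread or from Microsoft; the account name svc_spfarm, its UPN svc_spfarm@contoso.local and the placeholder SPN are assumptions, and it assumes the ActiveDirectory module (RSAT) is installed on the server you run it on.

```powershell
# Added example (not from the thread): check the timer service account for an SPN,
# add the placeholder SPN suggested above if it has none, confirm a DC can be located,
# and reproduce the S4U2Self logon that fails in KerbS4ULogon in the ULS trace.
# Assumptions: account 'svc_spfarm' with UPN 'svc_spfarm@contoso.local' (placeholders),
# RSAT ActiveDirectory module available, run on the SharePoint server itself so the
# DC lookup path is the same one OWSTIMER uses.
param(
    [string]$SamAccountName = 'svc_spfarm',
    [string]$Upn            = 'svc_spfarm@contoso.local'
)

Import-Module ActiveDirectory

# 1. A Server 2003+ KDC will not issue the S4U2Self ticket for an account with no SPN.
$acct = Get-ADUser -Identity $SamAccountName -Properties servicePrincipalName, userPrincipalName
if (@($acct.servicePrincipalName).Count -eq 0) {
    Write-Host "No SPN on $SamAccountName - adding placeholder NONE/NONE (same effect as 'setspn -a NONE/NONE $SamAccountName')"
    Set-ADUser -Identity $SamAccountName -Add @{ servicePrincipalName = 'NONE/NONE' }
} else {
    Write-Host "Existing SPNs on ${SamAccountName}: $($acct.servicePrincipalName -join ', ')"
}

# The UPN passed to WindowsIdentity must be the one AD actually holds for the account.
if ($acct.userPrincipalName -ne $Upn) {
    Write-Warning "AD userPrincipalName is '$($acct.userPrincipalName)', not '$Upn' - use the AD value."
}

# 2. 'There are currently no logon servers available' means DC location failed;
#    check it directly with nltest before blaming Kerberos.
$domain = (Get-ADDomain).DNSRoot
nltest "/dsgetdc:$domain"
if ($LASTEXITCODE -ne 0) { Write-Warning "nltest could not locate a DC for $domain" }

# 3. The exact call from the stack trace: WindowsIdentity(String upn) -> KerbS4ULogon.
try {
    $id = New-Object System.Security.Principal.WindowsIdentity($Upn)
    Write-Host "S4U2Self logon OK: $($id.Name) SID=$($id.User.Value) via $($id.AuthenticationType)"
} catch [System.Security.SecurityException] {
    Write-Warning "S4U2Self failed with the same exception type as in ULS: $($_.Exception.Message)"
} catch {
    Write-Warning "Unexpected error: $($_.Exception.GetType().Name): $($_.Exception.Message)"
}
```

If step 3 fails here with the same message while nltest in step 2 also fails, the server cannot reach a domain controller at all (DNS, firewall, or no domain membership), which is a different problem from the missing-SPN case the post describes; if nltest succeeds and the logon still fails after the SPN is present, the account or the UPN is the next thing to check.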
Thanks Rock for your response
I set the SPN and deleted the UPA and created it again, but the problem still exists with the same signature in ULS.
Do you have any other idea?
I have another clue!
I set up a virtual machine on Windows 2008 Server WITHOUT Active Directory service and installed SharePoint 2010. When I wanted to start the UPS, it stopped with the same signature above. Actually there is no difference between having no Active Directory service in the network and my current situation!
User Profile Sync does not support SQL authentication to the database server; if you are using SQL authentication, then this will be the problem. It is not very clear in the MS documentation that this is not supported. This is a known issue by Microsoft with currently no resolution.
According to my analysis, this issue is related to a lower-level Kerberos and therefore Active Directory issue. Please check your domain functional level and make sure it is either 2003 or 2008.
In addition, please try the following steps to fix the issue:
1. Grant Authenticated Users read permissions to the service account
    a. Go into the Active Directory Users and Computers snap-in
    b. Click View…Advanced Features on the menu
    c. Find my service account in the directory
    d. Right-click on it and select Properties from the menu
    e. Click on the Security tab
    f. Click on Authenticated Users in the top part of the dialog
    g. Check the Read box in the Allow column
    h. Click the OK button to save the changes
2. Restart the Timer Service
3. Restart IIS.
Rock Wang TechNet Community Support
- Proposed as answer by ChewieDev Saturday, April 07, 2012 4:29 AM
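The same three steps (grant Authenticated Users Read on the service account object, restart the timer service, restart IIS) can be done in one script, which also makes it easy to verify on every farm server that the ACE is really present instead of trusting what the Security tab shows. This PowerShell is an added example, not code from the thread; the account name svc_spups is an assumption, and it assumes the RSAT ActiveDirectory module (which provides the AD: drive used by Get-Acl) is installed and that you run it on a SharePoint server with rights to modify the account's security descriptor.

```powershell
# Added example (not from the thread): step 1-3 of the post as a script.
# Assumptions: service account 'svc_spups' (placeholder), RSAT ActiveDirectory module
# installed, run as a user allowed to change the account object's DACL, on a
# SharePoint 2010 server (timer service name SPTimerV4).
param([string]$SamAccountName = 'svc_spups')

Import-Module ActiveDirectory

$dn  = (Get-ADUser -Identity $SamAccountName).DistinguishedName
$acl = Get-Acl -Path "AD:\$dn"

# Authenticated Users is the well-known SID S-1-5-11 (works regardless of OS language).
$authUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
$authName  = $authUsers.Translate([System.Security.Principal.NTAccount])

# The 'Read' checkbox on the Security tab grants generic read: read all properties,
# list contents, read permissions. GenericRead expresses the same thing in one right.
$readRight = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

$existing = $acl.Access | Where-Object {
    $_.IdentityReference -eq $authName -and
    $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
    (($_.ActiveDirectoryRights -band $readRight) -eq $readRight)
}

if ($existing) {
    Write-Host "Authenticated Users already has Allow Read on $dn"
} else {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $authUsers, $readRight, [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
    Write-Host "Granted Allow Read to Authenticated Users on $dn"
}

# Show the effective ACEs for Authenticated Users so the change can be confirmed.
(Get-Acl -Path "AD:\$dn").Access |
    Where-Object { $_.IdentityReference -eq $authName } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited

# Step 2: restart the SharePoint 2010 Timer service (OWSTIMER.EXE).
Restart-Service -Name SPTimerV4 -Force

# Step 3: restart IIS.
iisreset
```

Run the ACL part once (the DACL lives on the account object in AD, so it applies farm-wide after replication), but run the two restarts on every SharePoint server in the farm, since each server's OWSTIMER process caches its own view of the account.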
I agree with you that it is an Active Directory issue, but we cannot find out what the source of this problem is!
The domain functional level is 2003, and I checked the OWSTimer service account in Active Directory and it already has the Allow Read permission for Authenticated Users.
What should I check next?
I found this article for using ports:
I would like to know if you have ever gotten it to start. If you haven't, then I doubt that it is an AD-related issue, at least not directly related to the sync, since a sync or connection to the AD is never made until after you have the synchronization service started and you set up a new connection in UPS settings. Then you get the option to connect to the AD or any other source for the profile sync.
Did you really do all the steps in Harbar's guide? A lot of people think they did, but doing it all is complicated and hard. If I were you, I would bet on redoing it all; if you have a new server, try it there.
Create a script that creates the UPS service app and have its service run with a domain user. Log on as the farm account (added to the local admin group) and run the script. Start the sync service and type in the farm account and its password.
One thing worries me with your description...what exactly do you mean by: 'I setup a virtual machine on windows 2008 server and WITHOUT active directory service'?
Do you mean on a standalone server using local accounts only? Or what?
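The "script that creates the UPS service app" suggested above is what Harbar's guide also recommends over clicking through Central Admin, because the managed account, application pool and the three databases are then created in a known, repeatable order. The PowerShell below is an added example of such a script, not code from the thread or from Harbar's guide; the account names (CONTOSO\svc_spups for the app pool), the application and database names are placeholders, and it assumes you are logged on to a SharePoint 2010 server as the farm account (already a local Administrator) so that the sync service can afterwards be started from Central Admin with the farm account's password, as the post says.

```powershell
# Added example (not from the thread): create the User Profile Service Application
# and its proxy from a script, with the service app running as a domain user.
# Assumptions (placeholders): managed account 'CONTOSO\svc_spups', database names
# below, run as the farm account on a SharePoint 2010 server (PowerShell 2.0 compatible).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$poolName = 'SharePoint UPS App Pool'
$poolUser = 'CONTOSO\svc_spups'                 # domain user the service app runs as
$upaName  = 'User Profile Service Application'

# 1. The app pool identity must be a managed account before it can own an app pool.
$account = Get-SPManagedAccount -Identity $poolUser -ErrorAction SilentlyContinue
if (-not $account) {
    $cred    = Get-Credential $poolUser         # prompts for the password
    $account = New-SPManagedAccount -Credential $cred
}

# 2. Application pool for the service application.
$pool = Get-SPServiceApplicationPool -Identity $poolName -ErrorAction SilentlyContinue
if (-not $pool) {
    $pool = New-SPServiceApplicationPool -Name $poolName -Account $account
}

# 3. The 'User Profile Service' instance (not the sync service) must be online here first.
$ups = Get-SPServiceInstance | Where-Object {
    $_.TypeName -eq 'User Profile Service' -and $_.Server.Address -eq $env:COMPUTERNAME
}
if ($ups -and $ups.Status -ne 'Online') {
    Start-SPServiceInstance -Identity $ups | Out-Null
}

# 4. Service application with explicit Profile / Social / Sync database names, plus proxy.
$upa = Get-SPServiceApplication | Where-Object { $_.Name -eq $upaName }
if (-not $upa) {
    $upa = New-SPProfileServiceApplication -Name $upaName -ApplicationPool $pool `
              -ProfileDBName 'SP2010_Profile' `
              -SocialDBName  'SP2010_Social' `
              -ProfileSyncDBName 'SP2010_Sync'
    New-SPProfileServiceApplicationProxy -Name "$upaName Proxy" `
        -ServiceApplication $upa -DefaultProxyGroup | Out-Null
    Write-Host "Created '$upaName' running as $poolUser"
} else {
    Write-Host "'$upaName' already exists; nothing created"
}

# 5. Before starting the sync in Central Admin, confirm no instance is stuck in
#    Provisioning from an earlier attempt (it should read Disabled on every server).
Get-SPServiceInstance | Where-Object { $_.TypeName -eq 'User Profile Synchronization Service' } |
    Select-Object @{ n = 'Server'; e = { $_.Server.Address } }, Status
```

Starting the User Profile Synchronization Service itself is deliberately left to Central Admin here, since that is where the farm account password is entered; if step 5 shows an instance still in Provisioning from a previous failed start, clear that state before trying again rather than starting on top of it.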
Thank you Rock!
After updating to SP1 and Feb12 CU, I could not get UPS to start even with Harbar's instructions. I followed your advice to the letter and it worked!
Remember to be very specific in how you do it:
- I use 2 service accounts, one for the service and one for the import. I set each to be read for Authenticated Users.
- I restarted the SP Timer service on my application server (which runs all my service apps) and the Web front end.
- I restarted IIS on both servers.
- I set Farm Account in Administrators group on both servers.
- I logged into each as farm account.
- I started the UPS Sync service in Central Admin.
- I waited 1 minute, then iisreset on BOTH servers.
- Refresh Central Admin, still stuck on starting. Waited 1 minute, iisreset on BOTH servers.
- Remove Farm Account from admin groups on both servers.