If you’ve reached this page and it’s the first one you’ve read about setting up the SharePoint User Profile Synchronization service, I would highly recommend making sure you have read this article in detail: http://technet.microsoft.com/en-us/library/ee721049.aspx.
If you have read this and are still having issues, read on.
So the issue I was having was that after upgrading a MOSS 2007 server to SharePoint 2010 (in place), the User Profile Synchronization service would attempt to start, then after 5 minutes or so return to ‘stopped’. At this point I want to make clear that no part of my farm is set up for Kerberos authentication.
Looking into the server logs I found the following logs that looked suspicious:
Security ID: DOMAIN\farmaccount
Account Name: farmaccount
Account Domain: DOMAIN
Logon ID: 0x58732
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Failure Reason: An Error occured during Logon.
Sub Status: 0x0
Caller Process ID: 0xed8
Caller Process Name: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\OWSTIMER.EXE
Workstation Name: SHAREPOINTSERVER
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: C
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
I also found an entry in the SharePoint Logs:
06/23/2011 10:43:23.73 OWSTIMER.EXE (0x1E2C) 0x1FE8 SharePoint Portal Server User Profiles 9q15 High UserProfileApplication.SynchronizeMIIS: Failed to configure ILM, will attempt during next rerun. Exception: System.Security.SecurityException: There are currently no logon servers available to service the logon request. at System.Security.Principal.WindowsIdentity.KerbS4ULogon(String upn) at System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName, String type) at System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName) at Microsoft.IdentityManagement.SetupUtils.IlmWSSetup.GetDomainAccountSIDHexString(String domainName, String accountName) at Microsoft.IdentityManagement.SetupUtils.IlmWSSetup.GrantSQLRightsToServiceAccount() at Microsoft.IdentityManagement.SetupUtils.IlmWSSetup.IlmBuildDatabase() at Microsoft.Office.Server.Us...
From researching this, I managed to find this blog, which suggested the issue is related to Kerberos.
Now this seems strange, as my farm is not running Kerberos and nor are the Web Applications, so I could have quite easily discarded the blog. However, stranger things have happened, so I followed the blog mentioned and added a Kerberos SPN for the farm account to AD.
Sure enough this fixed the issue and the User Profile Synchronisation Service started and has since worked perfectly.
One thing to note is that if you remove the SPN after starting the service and it for some reason returns to the stopped state, you will need to re-enter the SPN to start the service.
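The two log entries above share a recognisable signature: a failed logon raised by OWSTIMER.EXE with the Kerberos authentication package, and a SynchronizeMIIS exception whose stack passes through WindowsIdentity.KerbS4ULogon. The following Python sketch is an added example, not part of the original post; it checks a pair of entries for that signature, using abbreviated copies of the logs quoted on this page, and the function names are hypothetical.

```python
import re

# The two log entries quoted on this page, abbreviated (stack trace shortened).
SECURITY_EVENT = r"""Security ID: DOMAIN\farmaccount
Logon Type: 3
Account For Which Logon Failed:
Failure Reason: An Error occured during Logon.
Caller Process Name: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\OWSTIMER.EXE
Authentication Package: Kerberos
"""
ULS_LINE = (
    "06/23/2011 10:43:23.73 OWSTIMER.EXE (0x1E2C) 0x1FE8 SharePoint Portal Server "
    "User Profiles 9q15 High UserProfileApplication.SynchronizeMIIS: Failed to "
    "configure ILM, will attempt during next rerun. Exception: "
    "System.Security.SecurityException: There are currently no logon servers "
    "available to service the logon request. "
    "at System.Security.Principal.WindowsIdentity.KerbS4ULogon(String upn) "
    "at System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName)"
)

def parse_event_fields(text):
    """Turn the 'Name: value' lines of an event description into a dict."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")  # first colon only, so C:\ paths survive
        if sep and value.strip():               # skip section headers with no value
            fields[name.strip()] = value.strip()
    return fields

def parse_uls_exception(line):
    """Extract process, exception type, message and stack frames from a ULS line."""
    m = re.search(
        r"^\S+ \S+ (?P<proc>\S+) .*?Exception: (?P<type>[\w.]+): (?P<rest>.*)$", line)
    if not m:
        return None
    message, *frames = re.split(r"\s+at (?=[\w.]+\()", m.group("rest"))
    return {"process": m.group("proc"), "type": m.group("type"),
            "message": message, "frames": [f.split("(")[0] for f in frames]}

def matches_page_signature(event_text, uls_line):
    """True when both entries show the timer service failing a Kerberos S4U logon."""
    ev = parse_event_fields(event_text)
    uls = parse_uls_exception(uls_line)
    failed_logon = (ev.get("Authentication Package") == "Kerberos" and "Failure Reason" in ev
                    and ev.get("Caller Process Name", "").upper().endswith("\\OWSTIMER.EXE"))
    s4u_failed = (uls is not None and uls["process"].upper() == "OWSTIMER.EXE"
                  and any(f.endswith("WindowsIdentity.KerbS4ULogon") for f in uls["frames"]))
    return failed_logon and s4u_failed
```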
Credit to my colleague James Brennan for assisting in resolving this issue.