User Profile Synchronization Service failed to start due to Kerberos issue

If you’ve reached this page and it’s the first one you’ve read about setting up the SharePoint user profile synchronization service, I would highly recommend making sure you have read this article in detail: http://technet.microsoft.com/en-us/library/ee721049.aspx.

If you have read this and are still having issues, read on.

So the issue I was having was that after upgrading a MOSS 2007 server to SharePoint 2010 (in place), the User Profile Synchronization service would attempt to start, then after 5 minutes or so return to ‘stopped’. At this point I want to make clear that no part of my farm is set up for Kerberos authentication.

Looking into the server logs I found the following logs that looked suspicious:

Security ID:                DOMAIN\farmaccount
Account Name:                farmaccount
Account Domain:                DOMAIN
Logon ID:                0x58732
Logon Type:                        3
Account For Which Logon Failed:
Security ID:                NULL SID
Account Name:               
Account Domain:               
Failure Information:
Failure Reason:                An Error occured during Logon.
Status:                        0xc000005e
Sub Status:                0x0
Process Information:
Caller Process ID:        0xed8
Caller Process Name:        C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\OWSTIMER.EXE
Network Information:
Workstation Name:        SHAREPOINTSERVER
Source Network Address:        -
Source Port:                -
Detailed Authentication Information:
Logon Process:                C
Authentication Package:        Kerberos
Transited Services:        -
Package Name (NTLM only):        -
Key Length:                0

I also found an entry in the SharePoint Logs:

06/23/2011 10:43:23.73     OWSTIMER.EXE (0x1E2C)    0x1FE8    SharePoint Portal Server     User Profiles   9q15    High    UserProfileApplication.SynchronizeMIIS: Failed to configure ILM, will attempt during next rerun. Exception: System.Security.SecurityException: There are currently no logon servers available to service the logon request.       at System.Security.Principal.WindowsIdentity.KerbS4ULogon(String upn)     at System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName, String type)     at System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName)     at Microsoft.IdentityManagement.SetupUtils.IlmWSSetup.GetDomainAccountSIDHexString(String domainName, String accountName)     at Microsoft.IdentityManagement.SetupUtils.IlmWSSetup.GrantSQLRightsToServiceAccount()     at Microsoft.IdentityManagement.SetupUtils.IlmWSSetup.IlmBuildDatabase()     at Microsoft.Office.Server.Us...   

From researching this I managed to find this blog which suggested the issue is related to Kerberos.

Now this seems strange, as my farm is not running Kerberos and nor are the Web Applications, so I could quite easily have discarded the blog. However, stranger things have happened, so I followed the blog mentioned and added a Kerberos SPN for the farm account to AD.

Sure enough this fixed the issue and the User Profile Synchronisation Service started and has since worked perfectly.

One thing to note is that if you remove the SPN after starting the service and it for some reason returns to the stopped state, you will need to re-enter the SPN to start the service.
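
Status 0xc000005e in the security event is STATUS_NO_LOGON_SERVERS, the same condition the SharePoint log reports as "no logon servers available". The script below is an added example, not part of the original post: it looks for 4625 events with that status, the Kerberos package and OWSTIMER.EXE as caller, then lists the SPNs registered on the farm account. The account name and look-back window are placeholder assumptions.

```powershell
# Added example (not from the original post).
# Assumptions: run elevated on the SharePoint server; $FarmAccount and
# $LookbackHours are placeholders to adjust for your environment.
param(
    [string]$FarmAccount   = 'DOMAIN\farmaccount',
    [int]   $LookbackHours = 24
)

$filter = @{
    LogName   = 'Security'
    Id        = 4625                                  # failed logon
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}

$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the event's named <Data> fields into a hashtable
        $xml = [xml]$_.ToXml()
        $f = @{}
        foreach ($d in $xml.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Subject     = '{0}\{1}' -f $f.SubjectDomainName, $f.SubjectUserName
            Status      = $f.Status
            AuthPackage = $f.AuthenticationPackageName
            Process     = $f.ProcessName
        }
    } |
    Where-Object {
        # Same pattern as the event shown in the post
        $_.Status -ieq '0xc000005e' -and
        $_.AuthPackage -match 'Kerberos' -and
        $_.Process -like '*\OWSTIMER.EXE'
    }

if ($hits) {
    $hits | Sort-Object TimeCreated | Format-Table -AutoSize
} else {
    Write-Output "No matching 4625 events in the last $LookbackHours hours."
}

# Read-only query: list the SPNs currently registered on the farm account
setspn -L $FarmAccount
```

Matching events combined with an empty SPN list for the farm account correspond to the state described in this post before the SPN was added.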

Credit to my colleague James Brennan for assisting in resolving this issue.

2 comments:

Shafaqat Ali said...

I am using same command but getting this message
setspn –a NONE/NONE OWSTimerAccount
Unknown parameter NONE/NONE. Please check your usage.

Paul Grimley said...

This may help: http://social.technet.microsoft.com/Forums/en-IE/ilm2/thread/e396df7c-3cf1-47b1-8721-d2774a1f8816
