SharePoint 2010: Unable to start the User profile synchronization service


It has been commonly observed that working with the User Profile Service Application is one of the pain areas of SharePoint 2010. Most of the time, it fails when starting the User Profile Synchronization service from the Central Administration site. I was recently working on an issue where the User Profile Synchronization service failed to start and gave the very common error message below in the SharePoint ULS logs:

User Profile Application Proxy failed to retrieve partitions from User Profile Application: Microsoft.Office.Server.UserProfiles.UserProfileApplicationNotAvailableException: No User Profile Application available to service the request. Contact your farm administrator.    
at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.get_ApplicationProperties()   
at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.get_PartitionIDs()    
at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.IsAvailable(SPServiceContext serviceContext

By raising the logging level to verbose, we could observe the following error as well.

Exception occured while connecting to WCF endpoint: System.ServiceModel.CommunicationException: The server did not provide a meaningful reply; this might be caused by a contract mismatch, a premature session shutdown or an internal server error.    Server stack trace:     
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)    
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)    
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)    Exception rethrown
at [0]:     
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)    
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)    
at Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustContract.Issue(Message message)    
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)    
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)    
at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)    
at Microsoft.SharePoint.SPSecurityContext.<>c__DisplayClass7.<GetProcessSecurityTokenForServiceContext>b__6()    
at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)    
at Microsoft.SharePoint.SPSecurityContext.GetProcessSecurityTokenForServiceContext()    
at Microsoft.SharePoint.SPChannelFactoryOperations.CreateChannelAsProcess[TChannel](ChannelFactory`1 factory, EndpointAddress address, Uri via)    
at Microsoft.SharePoint.SPChannelFactoryOperations.CreateChannelAsProcess[TChannel](ChannelFactory`1 factory, EndpointAddress address)    
at Microsoft.Office.Server.UserProfiles.MossClie

Cause

The authentication settings for the Security Token Service site in IIS had "Forms" and "ASP.NET impersonation" enabled. This prevented the user's identity from being passed to the Security Token Service, so the token service was unable to generate tokens properly.

Resolution

Open up IIS Manager on the SharePoint server:

  • Expand “Sites”
  • Expand “SharePoint Web Services” and select “SecurityTokenServiceApplication”
  • Double-click “Authentication” (under IIS)
  • Disable “Forms Authentication” and “ASP.NET Impersonation”
  • Confirm that only Windows Authentication and Anonymous Authentication are enabled
  • Run IISRESET
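The IIS steps above as an audit script, added here as an example (it is not part of the original post): it reads the authentication settings of the SecurityTokenServiceApplication site through the WebAdministration module, reports anything that differs from the state described above, applies the change only when run with -Fix, and lists recent 8306/2138 events from the Application log. The -Fix switch and the check names are the script's own; the site path and event IDs come from this page.

```powershell
# Added example (not from the original post): audit the IIS authentication settings of
# the Security Token Service site described above and, with -Fix, bring them in line.
# Needs the WebAdministration module (IIS 7, Windows Server 2008 R2) in an elevated
# session on the SharePoint server. The site path comes from the steps above.
param([switch]$Fix)

Import-Module WebAdministration

$stsPath  = 'IIS:\Sites\SharePoint Web Services\SecurityTokenServiceApplication'
$authBase = 'system.webServer/security/authentication'

# Desired state from the post: Forms off, ASP.NET impersonation off, only Windows
# and Anonymous enabled. Forms is a mode of system.web/authentication, so "off"
# means any mode other than Forms; the fix sets it to Windows.
$checks = @(
    @{ Name = 'Forms authentication (system.web mode)';
       Filter = 'system.web/authentication'; Attr = 'mode'; Want = 'Windows'; Forbid = 'Forms' },
    @{ Name = 'ASP.NET impersonation';
       Filter = 'system.web/identity'; Attr = 'impersonate'; Want = $false },
    @{ Name = 'Windows authentication';
       Filter = "$authBase/windowsAuthentication";   Attr = 'enabled'; Want = $true },
    @{ Name = 'Anonymous authentication';
       Filter = "$authBase/anonymousAuthentication"; Attr = 'enabled'; Want = $true },
    @{ Name = 'Basic authentication';
       Filter = "$authBase/basicAuthentication";     Attr = 'enabled'; Want = $false },
    @{ Name = 'Digest authentication';
       Filter = "$authBase/digestAuthentication";    Attr = 'enabled'; Want = $false }
)

$drift = 0
foreach ($c in $checks) {
    $actual = (Get-WebConfiguration -Filter $c.Filter -PSPath $stsPath).($c.Attr)
    if ($c.ContainsKey('Forbid')) { $ok = "$actual" -ne $c.Forbid }
    else                          { $ok = "$actual" -eq "$($c.Want)" }
    if ($ok) { Write-Host ("OK     {0} = {1}" -f $c.Name, $actual); continue }
    $drift++
    Write-Warning ("DRIFT  {0} = {1} (expected {2})" -f $c.Name, $actual, $c.Want)
    if ($Fix) {
        Set-WebConfigurationProperty -Filter $c.Filter -Name $c.Attr -Value $c.Want -PSPath $stsPath
    }
}

# Recent STS events from the Application log: 8306 (token issue failure) and
# 2138 (health analyzer), the two event IDs shown in the post.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-SharePoint Products-SharePoint Foundation'
    Id           = 8306, 2138
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# Last step of the resolution above: restart IIS so the STS picks up the change.
if ($Fix -and $drift -gt 0) { & iisreset }
```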


During the course of troubleshooting, we initially suspected that database corruption might be the issue. We verified the DB permissions and created a new configuration DB, but that did not resolve the issue. Later we found that even though we could create other service applications (like the Managed Metadata Service and the Search Service Application), we were unable to access them. Most of the errors were security-related, which made us suspect the Security Token Service Application.

To confirm this, we tested the Security Token Service Application by running the health rule:

Central Administration site -> Monitoring -> Review rule definitions -> "The security token service is not available" (under Availability)

Running this rule showed the errors below in the Application event log:

Log Name:      Application
Source:        Microsoft-SharePoint Products-SharePoint Foundation
Event ID:      8306
Task Category: Claims Authentication
Level:         Error
Description:
An exception occurred when trying to issue security token: The server did not provide a meaningful reply; this might be caused by a contract mismatch, a premature session shutdown or an internal server error..
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" />
    <EventID>8306</EventID>
    <Version>14</Version>
    <Level>2</Level>
    <Task>47</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2011-02-01T20:08:31.889137200Z" />
    <EventRecordID>178223</EventRecordID>
    <Correlation ActivityID="{E47AD4F2-E51A-49A2-BAB2-E22243297CEC}" />
    <Execution ProcessID="1072" ThreadID="5060" />
    <Channel>Application</Channel>
    <Computer>FQDN of computer</Computer>
    <Security UserID="S-1-5-21-1037773150-1901201615-623648099-663347" />
  </System>
  <EventData>
    <Data Name="string0">The server did not provide a meaningful reply; this might be caused by a contract mismatch, a premature session shutdown or an internal server error.</Data>
  </EventData>
</Event>

Log Name:      Application
Source:        Microsoft-SharePoint Products-SharePoint Foundation
Event ID:      2138
Task Category: Health
Level:         Warning
Description:
The SharePoint Health Analyzer detected a condition requiring your attention.  The Security Token Service is not available.
The Security Token Service is not issuing tokens. The service could be malfunctioning or in a bad state.
Administrator should try to restart the Security Token Service on the boxes where it is not issuing tokens. If problem persists, further troubleshooting may be available in the KB article. For more information about this rule, see "http://go.microsoft.com/fwlink/?LinkID=160531".
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" />
    <EventID>2138</EventID>
    <Version>14</Version>
    <Level>3</Level>
    <Task>8</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2011-02-01T20:51:16.683910600Z" />
    <EventRecordID>180549</EventRecordID>
    <Correlation ActivityID="{6212567F-596F-42CD-BEDC-2F77864FA2D9}" />
    <Execution ProcessID="1832" ThreadID="4180" />
    <Channel>Application</Channel>
    <Computer>FQDN of computer</Computer>
    <Security UserID="S-1-5-21-1037773150-1901201615-623648099-663347" />
  </System>
  <EventData>
    <Data Name="string0">The Security Token Service is not available.
The Security Token Service is not issuing tokens. The service could be malfunctioning or in a bad state.
Administrator should try to restart the Security Token Service on the boxes where it is not issuing tokens.

OR

“An error occurred while receiving the HTTP response to http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details.”


Comments (12)
  1. Anonymous says:

    I get this error only when the web application is accessed for the first time after restarting IIS. I checked my IIS settings and they were already configured the way this article describes.

    In another article the solution was to check that under IIS 7 > Sites > SharePoint Web Services > Authentication > Windows Authentication (enabled) > Advanced Settings > Kernel-mode authentication is selected. This was already checked in my IIS.

    MS released a hotfix support.microsoft.com/…/2465996, while I have the Feb/March updates installed.

    Is there any solution?

  2. Hi,

    If you want to do a User Profile import in SharePoint 2010, you should have the 'User Profile Synchronization Service' started. But there are many reasons why this service won't start. If you have waited for more than 10 mins and the status is still showing 'starting' or 'stopped', then it is time to recreate the User Profile Service Application. Select the service application and delete it.

    Pre-requisites

    • The farm is running either the Standard or Enterprise version of SharePoint Server 2010 and you have run the farm configuration wizard. Profile Synchronization does not work on a stand-alone installation for SharePoint Server 2010.

    • If you are using Microsoft SQL Server 2008, Microsoft SQL Server 2008 with Service Pack 1 (SP1) with Cumulative Update 2 (CU2) (go.microsoft.com/fwlink) is required.

    • The WCF hotfix (KB976462) for Windows Server 2008 R2 is installed.

    • An instance of the User Profile Service application exists and is started. For more information, see Create, edit, or delete a User Profile service application (SharePoint Server 2010).

    If you have all of the above set right, check the following:

    1. The service account that will be used for User Profile Synchronization (UPS) is the farm account (the one you used while running the SharePoint 2010 Products Configuration Wizard). You can check the farm account by going to CA > Security > Configure Service Accounts > Farm Account.

    2. Make sure this service account is a domain account with local administrator permissions on the WFE servers (this is required only during the provisioning of UPS; later it can be removed from the Administrators group). Add the farm account to the Administrators group and reboot the system (resetting IIS and the Timer service may also work; if not, you have to reboot).

    3. The farm account requires the "log on locally" right on the machine running the User Profile Synchronization (FIMSync) service. Grant this right via Local Security Policy or Group Policy on that machine.

    1. Start > Run > secpol.msc … [Security Settings\Local Policies\User Rights Assignment\Allow Log on Locally] item. In the Local Security Setting tab, Add User or Group.

    2. If you are a developer with a Domain Controller on the server, or if the "Add User or Group" button is disabled in the previous step, it is probably because the Domain Controller policy takes precedence. In this case, click on Start > Run > gpmc.msc … Domain Controllers > Default Domain Controller Policy, right-click and edit. Locate the [Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow Log on Locally] item. In the Local Security Setting tab, Add User or Group.

    3. Run gpupdate to refresh the policy change.

    4. The service account has full control permissions on the User Profile Service application. For this go to Central Admin > Application Management > Manage Service Applications > click on the bar of "User Profile Service Application" (don't click on the link). In the ribbon, make sure that under the Administrators and Permissions menu, the service account has full control.

    5. Go to CA > Application Management > Manage Services on Server > User Profile Synchronization Service > click on Start, fill in the credentials and start the service.

    Once all the above is done, you can start the service; steps are provided here: Configuring User Profile Service Application in SharePoint Server 2010.

    Additionally try the following:

    Grant the Network Service and the farm account Read & Execute / List folder contents / Read permissions to the 'C:\Program Files\Microsoft Office Servers\14.0\*' directory.

    Exceptions:

    Logs might show you the following error: "Exception trying to write the dbName regkey for MIIS System.Security.SecurityException: Requested registry access is not allowed".

    This is because the service account used to start the user profile sync is not the administrator of the local system and may not have rights to modify the registry. The solution is to add the user account to the Administrators group and reboot the system.

    UserProfileServiceUserStatisticsWebPart:LoadControl failed
    UserProfileServiceAudienceStatisticsWebPart:LoadControl failed
    UserProfileServiceImportStatisticsWebPart:LoadControl failed
    Exception: System.IO.FileLoadException: The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040) at Microsoft.Office.Server.UserProfiles.UserProfileConfigManager.InitializeIlmClient

    Resolution: just do an IISReset.
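A script version of the "log on locally" check and the folder-permission step from the comment above, added here as an example (it is not the commenter's or the post's code): it reads the local user-rights policy that secpol.msc edits and the ACL on the Office Servers 14.0 directory for the farm account and Network Service. The $FarmAccount parameter is a placeholder; the right and the path are the ones the comment names.

```powershell
# Added example (not from the original post or the comment above): check two of the
# prerequisites listed in the comment for the farm account on this server, namely the
# "Allow log on locally" right and Read & Execute on the Office Servers 14.0 folder.
# Run elevated on the box that hosts the User Profile Synchronization service.
# $FarmAccount is a placeholder; replace it with the real farm account.
param([string]$FarmAccount = 'DOMAIN\spfarm')

$ErrorActionPreference = 'Stop'

# secedit lists right holders as *SID or as account names, so resolve the SID up front.
$sid = (New-Object System.Security.Principal.NTAccount($FarmAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 1. "Allow log on locally" is the SeInteractiveLogonRight privilege; export the local
#    user-rights policy (what secpol.msc edits) and look the account up in it.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
& secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg -Encoding Unicode | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue
$grantees = @()
if ($line) { $grantees = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() } }
if (($grantees -contains "*$sid") -or ($grantees -contains $FarmAccount)) {
    Write-Host "OK      $FarmAccount is granted 'Allow log on locally' directly"
} else {
    # Only direct grants are examined; a grant through a group the account belongs to
    # (e.g. Administrators, the workaround the comment describes) is not expanded here.
    Write-Warning "$FarmAccount has no direct 'Allow log on locally' grant (secpol.msc)"
}

# 2. Read & Execute (which implies List folder contents and Read) on the 14.0 tree for
#    the farm account and for Network Service, as the comment recommends.
$dir  = 'C:\Program Files\Microsoft Office Servers\14.0'
$need = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$acl  = Get-Acl $dir
foreach ($who in @($FarmAccount, 'NT AUTHORITY\NETWORK SERVICE')) {
    $ace = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -ieq $who -and
        (($_.FileSystemRights -band $need) -eq $need)
    }
    if ($ace) { Write-Host "OK      $who has Read & Execute on $dir" }
    else      { Write-Warning "$who has no direct Read & Execute ACE on $dir" }
}
```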

  3. Anonymous says:

    Terrible!!! Thank you very much! I have broken my mind! First of all, please, check account permissions! Solution solved my problem! Thank you very much!

  4. Hi Mohit,

    Could you please be a little more specific? Do you see this issue only once after iisreset? Do you see the message in the ULS logs and event viewer? Is there any other impact that you could observe?

  5. server administration says:

    Especially useful article. Myself & my neighbor were preparing to do some research about that. We got a superb book on that matter from our local library and most books were not as descriptive as your information. I am incredibly glad to see such information which I was searching for a long time.

    server administration (http://www.seeksadmin.com)

  6. Christopher says:

    Thank you so very much for fixing my problem!! 🙂

  7. Richard Gallo says:

    Hi There,

    I have been struggling with this issue for weeks now and I can't seem to fix it. I followed these instructions to the tee, started the application creation from scratch, and I can't get this thing going (still stuck in Starting on the UP Sync service). These two errors are occurring, as per the ULS logs (turned up to Verbose for the User Profile services):

    Error 1:

    09/12/2011 11:07:23.72 w3wp.exe (0x3778) 0x1F58 SharePoint Portal Server User Profiles g11n High UserProfileApplicationProxy.InitializePropertyCache: Microsoft.SharePoint.SPEndpointAddressNotFoundException: There are no addresses available for this application.     at Microsoft.Office.Server.UserProfiles.MossClientBase`1.ExecuteOnChannel(String operationName, CodeBlock codeBlock)     at Microsoft.Office.Server.UserProfiles.ProfilePropertyServiceClient.ExecuteOnChannel(String operationName, CodeBlock codeBlock)     at Microsoft.Office.Server.UserProfiles.ProfilePropertyServiceClient.GetProfileProperties()     at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.RefreshProperties(Guid applicationID)     at Microsoft.Office.Server.Utilities.SPAsyncCache`2.GetValueNow(K key)     at Microsoft.Office.Server.Utilities.SPAsyncCache`2.GetValue(K key, Boolean asynchronous)     at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.InitializePropertyCache() 9287bfda-5dae-4f6e-a1c0-87704725acb4

    Error 2:

    09/12/2011 11:10:00.66 OWSTIMER.EXE (0x19F0) 0x0E24 SharePoint Portal Server User Profiles czx7 High UserProfile.RetrieveUser() Exception: Microsoft.Office.Server.UserProfiles.UserProfileApplicationNotAvailableException: There are no addresses available for this application.     at Microsoft.Office.Server.UserProfiles.ProfileDBCacheServiceClient.GetUserData(UserSearchCriteria searchCriteria)     at Microsoft.Office.Server.UserProfiles.UserProfileCache.GetUserData(UserProfileManager objManager, Nullable`1 recordId, Guid gAcct, String strAcct, Byte[] bSid, String strEmail, Boolean doNotResolveToMasterAccount) fa7a9d72-eb40-4cda-9109-d90a05cbb2ba

    Any ideas???

  8. Sandeep Parandekar says:

    Guys,

    Facing the same issue, but this time with SharePoint 2013. None of the above resolves it. Can anyone please suggest something else?

    Thanks in advance…

  9. susaa says:

    Hi,

    I have an issue: is it possible to send a mail to the security group "without" enabling Email? Is it possible?

    If it is possible, please share any information regarding this issue.

    Thanks in advance,

    suresh

  10. Faisal S. Shoail says:

    Thanks a million. Worked like a charm.

  11. Carrie says:

    Having had a very similar problem, along with many other associated problems, which put my work at an altogether unacceptable, extended standstill, I decided to post the resolution I found to as many forums relating to this issue as I could.

    The resolution that I found was one of two things that I did at the same time. (duh – not a smart tactic, but I was getting desperate…) I am not willing to spend the time to isolate the effects of each of these motions, so it could be one, or the other, or both.

    1. I noticed that SharePoint was moving the Farm Account Security Managed Account (the user account that Farm Account uses for credentials) from the Administrators group to the WSS_ADMIN_WPG group. In my case Central Admin was being run on the same machine as the SharePoint Server. I run a single server developer environment. So the Farm Account needed “Log on Locally” privileges. The WSS_ADMIN_WPG group did not appear to have the needed privilege, where the Administrators group did. Strangely enough though, the Administrators group is a member of the WSS_ADMIN_WPG group. So I moved the above mentioned user account back into the Administrators group.

    Let me know if I’m not seeing something here….

    2. Upon examining the SecurityTokenServiceApplicationPool (the name I gave for the Security Token Service’s Application Pool), I noticed that the Enable 32-bit Applications setting under the Advanced Settings had been set to True. This to me was strange as I remembered installing the 64 bit versions of everything, because the Server machine on which I was working was indeed 64 bit. So I set it to False.

    After those two simple motions I did all the familiar and necessary things to be done to make sure that the system and SharePoint were running with all the latest settings and tried what I had been doing once again, and to my amazement and shock (after having tried everything on the internet several times each) it worked! I am now happily moving forward in my work! At least until the next roadblock comes along.

    Weird, dumb and stupid, what were the chances? Maybe it will be worth a quick look for you.
