SharePoint 2016: Some Profile Pictures are not imported from MIM 2016

Problem:

Consider the following scenario:
You have SharePoint 2016 set up to import user profiles from Microsoft Identity Manager (MIM) 2016.
You have configured User Profile Pictures (PictureURL property) to import from Active Directory Attribute Thumbnailphoto.
You run the Sync and everything is successful, including the MOSS_Export sync step. However, after running the Update-SPProfilePhotoStore command, you notice that only some of the users get a profile picture.
Full Command:
Update-SPProfilePhotoStore -createthumbnailsForImportedPhotos $true -MySiteHostLocation https://mysiteHost

Cause:

The account set to run the SharePoint Management Agent (SP MA) in MIM is NOT set to use the SharePoint Farm service account (the one running the Central Admin app pool and SharePoint Timer service).

Resolution:

The SharePoint MA in MIM needs to be changed to connect as the SharePoint Farm Service Account.

1.  Set proper permissions on the User Profile Service Application (UPA):
Go to Central Administration | Manage Service Applications, and select the row for your User Profile service app.
Choose Permissions in the Ribbon. Add the Farm Service Account there with Full Control.

2.  Set proper permissions on the MySite web app.
Go to Central Admin | Manage Web Applications, choose the Mysite Web App.
Choose User Policy in the Ribbon. Add the Farm Service Account there with Full Control.

3. Change the SharePoint MA account.
In the MIM client, go to Management Agents, and go to the properties of the SharePoint MA.
On the Connectivity page, change the SharePoint User Credential to the SharePoint Farm Service Account, set the password, and choose OK to save.

4.  Force MIM to export all profile pictures again:
In the MIM client, delete the SharePoint connector space.
Go to Management Agents, right-click on the SharePoint MA and choose Delete.
Select “Delete connector space only”, and click OK.
Run an end-to-end Full Sync by running the following PowerShell on the MIM server:
Start-SharePointSync -Confirm:$false
Notes:
-- This is necessary to trigger all the pictures for export to SharePoint again.  If you don’t do this, the pictures will not be exported, even if you do a Full Sync, because they have not been changed in Active Directory.
-- There may be some errors on MOSS_Export due to deleting the connector space.  Those can typically be ignored.

5.  Process all GUID_RecordID.jpg pictures into their respective thumbnails by running this PowerShell on a SharePoint server:
Update-SPProfilePhotoStore -createthumbnailsForImportedPhotos $true -MySiteHostLocation https://<yourMySiteHost>

 

6.  Verify we have all the pictures now.
We can compare the number of users in the Metaverse that have values for “photo” with the number of profiles in the Profile DB where “PictureURL” is populated.
If you do a Metaverse Search in the MIM client (miisclient.exe) for Object Type: “person” where the “photo” attribute “Is present”, that should give you a number.  Note: you may have to add the “photo” column to the results pane.


Then run this query against the SharePoint Profile database for comparison:
select * from upa.userprofile_Full where pictureurl like 'http%'
Note: These two numbers will not necessarily be exactly the same for several reasons, but they should be relatively close.

 

More Information:

There are two major steps for getting user profile pictures imported into SharePoint using MIM 2016 as the external identity manager.
1.     The Export step for the SharePoint MA creates a single picture within the “User Photos” library at the root of the MySite host site collection.  The pictures are created in the format of GUID_RecordID.jpg, where GUID is the partitionID, and RecordID is the value of the user’s recordID in the upa.userprofile_Full table in the Profile database.
Note:   At this point, your users will not show any pictures and the pictureURL column in the UserProfile_Full table in the Profile database will still be blank.

2.     You run “Update-SPProfilePhotoStore -createthumbnailsForImportedPhotos $true” to turn the single GUID_RecordID.jpg picture into three thumbnails (small, medium, and large) and assign the URL for the medium thumbnail (userName_MThumb.jpg) to the corresponding user.
Note:   Now the user should show a picture in their profile and the PictureURL column will be populated.

In the scenario described above, the failure occurs at step 1.  I figured that out by getting verbose ULS logs from the server that the SharePoint MA in MIM was pointed to.
Note: normally, this will be the Central Admin server.  The URL on the “Configure Connection Information” page for the SP MA will be pointed at something like this:
https://<CAServer:Portnumber>/_vti_bin/ProfileImportExportService.asmx?ApplicationID=<UPA-Guid>
-- It’s best to check the URL that MIM is pointed at for ProfileImportExportService.asmx to make sure you’re getting logs from the right server.
-- Turn logging up to verbose and get logs that cover the entire run of the Export step.
-- If you’re hitting this problem, you’ll find errors like this:

w3wp.exe (0x0AF8) 0x20CC SharePoint Foundation General ai1wu Medium System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)), StackTrace:
 at Microsoft.SharePoint.SPWeb.GetList(String strUrl)
 at Microsoft.Office.Server.UserProfiles.UserProfileGlobal.LoadPictureLibrary(SPWeb rootWeb, ProfileType profileType)
 at Microsoft.Office.Server.UserProfiles.UserProfileGlobal.GetOrCreatePictureFolder(String mySiteHostUrl, ProfileType profileType, Boolean createIfNotFound, Boolean forFeedAttachment)
 at Microsoft.Office.Server.UserProfiles.UserProfileGlobal.SaveImportedPictureToLibrary(UserProfileManager userProfileManager, Int64 recordId, Byte[] binaryPicture)
 at Microsoft.Office.Server.UserProfiles.UserProfile.BulkPropertiesUpdate(Int64 importExportId, Hashtable properties, String accountName)
 at Microsoft.Office.Server.UserProfiles.ProfileImportExportService.<>c__DisplayClass2a.<UpdateWithProfileChangeData>b__28(Int32 idx)
 at <truncated>

w3wp.exe (0x0AF8) 0x20CC SharePoint Portal Server User Profiles agw5g High SavePictureToLibrary: Error processing the photo URL 0c37852b-34d0-418e-91c6-2ac25af4be5b_54.jpg for user 54: System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
 at Microsoft.SharePoint.SPGlobal.HandleUnauthorizedAccessException(UnauthorizedAccessException ex)    
 at Microsoft.SharePoint.Library.SPRequest.GetMetadataForUrl(String bstrUrl, Int32 METADATAFLAGS, Guid& pgListId, Int32& plItemId, Int32& plType, Object& pvarFileOrFolder)    
 at Microsoft.SharePoint.SPWeb.GetList(String strUrl)    
 at Microsoft.Office.Server.UserProfiles.UserProfileGlobal.LoadPictureLibrary(SPWeb rootWeb, ProfileType profileType)    
 at Microsoft.Office.Server.UserProfiles.UserProfileGlobal.GetOrCreatePictureFolder(String mySiteHostUrl, ProfileType profileType, Boolean createIfNotFound, Boolean forFeedAttachment)    
 at Microsoft.Office.Server.UserProfiles.UserProfileGlobal.SaveImportedPictureToLibrary(UserProfileManager userProfileManager, Int64 recordId, Byte[] binaryPicture)
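
To see which profiles lost their picture at the Export step, the SavePictureToLibrary entries can be pulled out of the ULS log and reduced to a list of record IDs. This is an added example, not part of the original article: the function name Get-FailedPictureExport is hypothetical, the first two sample lines are the entries quoted above, and the last two are constructed.

```powershell
# Added example: list the profiles whose picture export failed, based on the
# "SavePictureToLibrary: Error processing the photo URL" message format above.
function Get-FailedPictureExport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Line
    )
    begin {
        # File name is <partitionGuid>_<recordId>.jpg, followed by the exception type.
        $pattern = 'SavePictureToLibrary: Error processing the photo URL ' +
                   '(?<Partition>[0-9a-fA-F-]{36})_(?<RecordId>\d+)\.jpg ' +
                   'for user \d+: (?<Exception>[\w.]+)'
    }
    process {
        $m = [regex]::Match($Line, $pattern)
        if ($m.Success) {
            [pscustomobject]@{
                PartitionId  = $m.Groups['Partition'].Value
                RecordId     = [long]$m.Groups['RecordId'].Value
                Exception    = $m.Groups['Exception'].Value
                AccessDenied = $Line.Contains('0x80070005')
            }
        }
    }
}

# Lines 1-2: entries quoted in this article (line 1 carries no record ID and is skipped).
# Lines 3-4: constructed for illustration (a repeat of record 54 and a second record).
$sample = @(
    'w3wp.exe (0x0AF8) 0x20CC SharePoint Foundation General ai1wu Medium System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)), StackTrace: at Microsoft.SharePoint.SPWeb.GetList(String strUrl)',
    'w3wp.exe (0x0AF8) 0x20CC SharePoint Portal Server User Profiles agw5g High SavePictureToLibrary: Error processing the photo URL 0c37852b-34d0-418e-91c6-2ac25af4be5b_54.jpg for user 54: System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))',
    'w3wp.exe (0x0AF8) 0x20CC SharePoint Portal Server User Profiles agw5g High SavePictureToLibrary: Error processing the photo URL 0c37852b-34d0-418e-91c6-2ac25af4be5b_54.jpg for user 54: System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))',
    'w3wp.exe (0x0AF8) 0x20CC SharePoint Portal Server User Profiles agw5g High SavePictureToLibrary: Error processing the photo URL 0c37852b-34d0-418e-91c6-2ac25af4be5b_61.jpg for user 61: System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))'
)

# De-duplicate: the same record can fail on every export run covered by the log.
$failed = $sample | Get-FailedPictureExport | Sort-Object PartitionId, RecordId -Unique
$failed | Format-Table -AutoSize
'{0} profile(s) failed; {1} with E_ACCESSDENIED' -f @($failed).Count,
    @($failed | Where-Object AccessDenied).Count

# Against real logs (placeholder path):
# Get-Content '<ULS log folder>\*.log' | Get-FailedPictureExport
```

If the list is empty after the MA account change and a fresh export, the export step is no longer being denied access to the “User Photos” library.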

 

Keywords:

SharePoint

Microsoft Identity Manager

FIM Sync
MIM Sync
User Profile Service Application
UPSA
UPA
Pictureurl
Profile picture import export