Avatar of North-Slope


Error Starting SharePoint 2010 User Profile Synchronization Service

We're attempting to stand up a SharePoint 2010 Farm using 2 servers.  One for SQL, one for web/application.  Everything installs fine and the user profile service successfully provisions.  When attempting to start the User Profile Synchronization Service through Central Administration, it gets stuck on starting for 10+ minutes then stops.

The ULS reveals the following error:
UserProfileApplication.SynchronizeMIIS: Failed to configure ILM, will attempt during next rerun. Exception: System.Security.SecurityException: The security database on the server does not have a computer account for this workstation trust relationship.      
 at System.Security.Principal.WindowsIdentity.KerbS4ULogon(String upn)    
 at System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName, String type)    
 at System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName)    
 at Microsoft.IdentityManagement.SetupUtils.IlmWSSetup.GetDomainAccountSIDHexString(String domainName, String accountName)    
 at Microsoft.IdentityManagement.SetupUtils.IlmWSSetup.GrantSQLRightsToServiceAccount()    
 at Microsoft.IdentityManagement.SetupUtils.IlmWSSetup.IlmBuildDatabase()    
 at Microsoft.Office.Server.UserProfiles.Synchronization.ILMPostSetupConfiguration.ConfigureIlmWebService(Boolean existingDatabase)    
 at Microsoft.Office.Server.Administration.UserProfileApplication.SetupSynchronizationService(ProfileSynchronizationServiceInstance profileSyncInstance)  The Zone of the assembly that failed was:  MyComputer.


Tested the secure channel using
nltest /


Both servers come back successful.  I'm able to log in to both servers using the service account running the User Profile Service.  No event log errors while the service attempts to start.
Avatar of QPR

Have a look through this guide; as far as UPS goes, it's a very good article.
Avatar of North-Slope

That guide was used for provisioning the service. It was also referenced when troubleshooting the service being stuck on starting.

The service has been removed and re-provisioned several times.

What strikes me as odd is that the guide and the TechNet article stress permissions for the profile sync account, which doesn't come into play until after the synchronization service is already started and you're ready to create the first synchronization connection in Central Administration.

This very well may be an Active Directory issue.
Does the account used have query permissions against AD?
The account sp.service runs the User Profile Service Application and will also be used for syncing profiles (I know it's not best practice, but this is a dev environment).

sp.service has the following permissions:
Replicate Directory Changes on domain (through delegation)
Replicate Directory Changes on cn=configuration container (ADSIEdit)
Member of Pre-Windows 2000 Compatible Access group (Windows 2003 Domain)
Create Child Objects and Write All Properties (through delegation)

The farm account is a local administrator for the provisioning process.

For testing purposes, sp.service was made domain admin.  Same error.

For reference, SP1 is installed with the August 2012 CU.
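An added diagnostic, not from this thread and not Microsoft's code, that reproduces the call in the stack trace above: IlmWSSetup resolves the service account's SID by constructing a WindowsIdentity from a UPN, and that constructor performs a Kerberos S4U logon (KerbS4ULogon). Run as the farm account on the SharePoint server, it separates a plain LSA SID lookup from the S4U logon that is failing; the domain name and UPN are assumed placeholders.

```powershell
# Added diagnostic (hypothetical values): run in an elevated PowerShell on the
# SharePoint web/app server while logged on as the farm account.
$domain  = 'CONTOSO'                   # assumed NetBIOS domain name
$account = 'sp.service'                # service account named in the thread
$upn     = 'sp.service@contoso.local'  # assumed UPN of that account

# 1. Secure channel from this machine account to the domain
#    (the same trust relationship nltest checks).
Test-ComputerSecureChannel -Verbose

# 2. Plain SID lookup through LSA; this path does not need an S4U logon.
$nt  = New-Object System.Security.Principal.NTAccount($domain, $account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
"SID via LSA lookup: $($sid.Value)"

# 3. The call from the stack trace. WindowsIdentity(UPN) asks the DC for an
#    S4U logon; GetDomainAccountSIDHexString uses it to obtain the SID before
#    GrantSQLRightsToServiceAccount runs. If it throws here, it throws there.
try {
    $id = New-Object System.Security.Principal.WindowsIdentity($upn)
    "S4U logon OK: $($id.Name) -> $($id.User.Value)"
    if ($id.User.Value -ne $sid.Value) {
        "WARNING: SID from S4U logon differs from LSA lookup"
    }
} catch [System.Security.SecurityException] {
    "S4U logon FAILED: $($_.Exception.Message)"
    "Compare the UPN suffix of $account with the suffixes AD knows, and confirm"
    "this server's computer account is present and healthy on the DC it uses."
}
```

If step 2 succeeds but step 3 fails with the same "workstation trust relationship" message, the problem sits in the S4U path between this server and the domain controller rather than in the account's delegated AD permissions.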
Avatar of North-Slope

Nice work. Sorry I couldn't help more.
Turned out not to be the issue originally asked.