Sep
13

User Profile not importing AD objects from a child domain.

Error.
=====

User Profile Import does not import any users and you receive the following errors, even though you have granted the user profile account the Replicate Directory Changes permission.
Level: WARNING
Source: MsiInstaller
Event ID: 1015
Message:
Failed to connect to server. Error: 0x80070005
The management agent “MOSSAD-AD Farm Users Connection domain.local” failed on run profile “DS_FULLIMPORT” because of connectivity issues.

Level: ERROR
Source: FIMSynchronizationService
Event Id: 6050

Additional Information
Discovery Errors : "0"
Synchronization Errors : "0"
Metaverse Retry Errors : "0"
Export Errors : "0"
Warnings : "0"

User Action
View the management agent run history for details.
Details
======
You review the permissions on the domain you are syncing user profiles from, and the user profile account already has Replicate Directory Changes granted.
For reference, the permission is granted as follows:
1. Open ADUC (Active Directory Users and Computers)
2. Right Click the Domain DOMAIN.LOCAL, choose Delegate Control… click Next
3. Add DOMAIN\USERPROFILE, click Next
4. Select Create a Custom Task to Delegate, click Next
5. Select ‘This folder, existing objects in this folder….’ Click Next
6. Select the ‘Replicate Directory Changes’ permission and click Next
7. Click Finish

Further Information
================

To view the error in more depth open MIISClient.exe on the server running the User Profile Sync. The application normally exists in the following path:

C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe
Select the Operations Tab
Find the profile name DS_FULLIMPORT
If you look at the Status you will normally see 'stopped-connectivity'. Double-click this operation to view the Connection Log.
In the Connection Log, review the error.

In this example the error is "Replication access was denied" with error code 8453.

The important column to note here is the Server and more specifically the domain.
In this example the domain shown is different from the domain you are syncing user profiles from; this is because the domain you are querying for user profiles is a child domain which is part of a larger forest, FOREST.LOCAL.

Resolution
=========

You will need to grant Replicate Directory Changes to DOMAIN\USERPROFILE on the FOREST.LOCAL Configuration container in order to import profiles. Run through the following steps:
1. Open ADSIEdit
2. Expand Configuration for abf.local
3. Right-Click CN=Configuration,DC=FOREST,DC=LOCAL
4. Select Permissions Tab, Click Advanced
5. Add DOMAIN\USERPROFILE, click Next
6. Select the ‘Replicate Directory Changes’ permission
7. Click OK
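
The check below is an added example, not part of the original post: it audits which replication extended rights the sync account holds on each naming context, so you can confirm the grant on both the child domain and the forest Configuration container and spot the broader 'Replicating Directory Changes All' right. The account and domain names are the post's placeholders, the sample ACEs are constructed, and the function name Get-ReplicationGrant is hypothetical.

```powershell
# Added example (not from the original post). Requires Windows PowerShell 3.0+.
# The extended-right GUIDs are fixed Active Directory schema constants.
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

function Get-ReplicationGrant {
    # Returns the explicit replication rights granted to $Account in a list of ACEs.
    param([string] $NamingContext, [object[]] $Access = @(), [string] $Account)
    foreach ($ace in $Access) {
        $guid = "$($ace.ObjectType)".ToLower()
        if ("$($ace.IdentityReference)" -ne $Account) { continue }   # case-insensitive
        if ("$($ace.AccessControlType)" -ne 'Allow') { continue }
        if ("$($ace.ActiveDirectoryRights)" -notmatch 'ExtendedRight') { continue }
        if (-not $ReplRights.ContainsKey($guid)) { continue }
        [pscustomobject]@{
            NamingContext = $NamingContext
            Right         = $ReplRights[$guid]
            # The "All" right also exposes secret attributes; the import needs only the base right.
            Excessive     = ($ReplRights[$guid] -like '* All')
        }
    }
}

# Constructed sample ACEs (not real output): the right is present on the child
# domain but absent from the forest Configuration container, as in the post.
$account = 'DOMAIN\USERPROFILE'
$sample = @{
    'DC=DOMAIN,DC=LOCAL' = @([pscustomobject]@{
        IdentityReference = $account; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'ExtendedRight'
        ObjectType = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' })
    'CN=Configuration,DC=FOREST,DC=LOCAL' = @()
}

foreach ($nc in $sample.Keys) {
    # Live use with the ActiveDirectory module: $aces = (Get-Acl "AD:\$nc").Access
    $aces  = $sample[$nc]
    $found = @(Get-ReplicationGrant -NamingContext $nc -Access $aces -Account $account)
    if (-not ($found | Where-Object { -not $_.Excessive })) {
        "{0}: 'Replicating Directory Changes' missing for {1}" -f $nc, $account
    }
    $found | Where-Object { $_.Excessive } |
        ForEach-Object { "{0}: review '{1}'" -f $_.NamingContext, $_.Right }
}
```

Only explicit ACEs for the named account are reported; rights inherited through group membership or a GenericAll grant need a separate review.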

Permanent link to this article: http://www.tsls.co.uk/index.php/2011/09/13/user-profile-not-importing-ad-objects-from-a-child-domain/

Sep
07

Unable to Relay email between Coexistence (Hybrid) Exchange Organisations O365

If you are having issues with email delivery between O365 (Exchange Online) and on-premises, it is possible that the accepted domain has OutboundOnly set to $true.

Hopefully the following will resolve your issue

$Cred = Get-Credential
When Prompted enter the following:
User: <enter>
Password: <enter>

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $Cred -Authentication Basic -AllowRedirection

Import-PSSession $Session -AllowClobber

Set-AcceptedDomain -Identity domain.com -OutboundOnly $false

Permanent link to this article: http://www.tsls.co.uk/index.php/2011/09/07/unable-to-relay-email-between-coexsistance-exchange-organisations-o365/

Aug
26

User Profile Starting and returning to Stop state

ISSUE
When attempting to start the User Profile Synchronization service in Central Administration, the service goes into a Starting state for a couple of minutes and then stops. Usually this happens because of permissions (DB account not local admin, etc.). However, it would appear that if you slipstream and install SharePoint with SP1 and June 2011 included and then try to start the service, it can still fail.

CAUSE
This happens if your domain contains Windows Server 2003 domain controllers.

The reason is that a Kerberos ticket cannot be generated for the OWSTIMER account (this is normally the DB account) because it does not have an SPN. See Yvan's blog article for more information: http://blogs.msdn.com/b/yvan_duhamel/archive/2010/06/29/you-get-a-system-security-securityexception-when-you-try-to-start-the-fim-synchronization.aspx

RESOLUTION

Run
setspn -a NONE/NONE OWSTimerAccount

OWSTimerAccount = this is normally the FarmDBAccount.

ERRORS:

Using ULSViewer, downloadable from http://archive.msdn.microsoft.com/ULSViewer, you will see the following errors:

User Profile Application: Unable to load satellite assembly for lcid 1033. Using neutral language assembly version. Exception details: System.IO.FileNotFoundException: Could not load file or assembly 'Microsoft.Office.Server.Intl.resources, Version=14.0.0.0, Culture=en, PublicKeyToken=71e9bce111e9429c' or one of its dependencies. The system cannot find the file specified. File name: 'Microsoft.Office.Server.Intl.resources, Version=14.0.0.0, Culture=en, PublicKeyToken=71e9bce111e9429c' ---> System.IO.FileNotFoundException: Could not load file or assembly 'Microsoft.Office.Server.Intl.resources, Version=14.0.0.0, Culture=en, PublicKeyToken=71e9bce111e9429c' or one of its dependencies. The system cannot find the file specified. File name: 'Microsoft.Office.Server.Intl.resources, Version=14.0.0.0, Culture=en, PublicKeyToken=71e9bce111e9429c' WRN: Assembly binding logging is turned OFF. To enable assembly bind failure logging, set the registry value [HKLM\Software\Microsoft\Fusion!EnableLog] (DWORD) to 1. Note: There is some performance penalty associated with assembly bind failure logging. To turn this feature off, remove the registry value [HKLM\Software\Microsoft\Fusion!EnableLog].
at System.Reflection.Assembly._nLoad(AssemblyName fileName, String codeBase, Evidence assemblySecurity, Assembly locationHint, StackCrawlMark& stackMark, Boolean throwOnFileNotFound, Boolean forIntrospection)
at System.Reflection.Assembly.InternalGetSatelliteAssembly(CultureInfo culture, Version version, Boolean throwOnFileNotFound)
at Microsoft.Office.Server.Administration.UserProfileApplication.GetIntlDllFileVersionString(Int32 lcid)

UserProfileApplication.SynchronizeMIIS: Failed to configure ILM, will attempt during next rerun. Exception: System.Security.SecurityException: There are currently no logon servers available to service the logon request.
at System.Security.Principal.WindowsIdentity.KerbS4ULogon(String upn)
at System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName, String type)
at System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName)
at Microsoft.IdentityManagement.SetupUtils.IlmWSSetup.GetDomainAccountSIDHexString(String domainName, String accountName)
at Microsoft.IdentityManagement.SetupUtils.IlmWSSetup.GrantSQLRightsToServiceAccount()
at Microsoft.IdentityManagement.SetupUtils.IlmWSSetup.IlmBuildDatabase()
at Microsoft.Office.Server.UserProfiles.Synchronization.ILMPostSetupConfiguration.ConfigureIlmWebService(Boolean existingDatabase)
at Microsoft.Office.Server.Administration.UserProfileApplication.SetupSynchronizationService(ProfileSynchronizationServiceInstance profileSyncInstance) The Zone of the assembly that failed was: MyComputer.

In the Security event log you will see the following at the point of provisioning the Service.

An account failed to log on.
Subject:
Security ID: Domain\FarmDBAccount
Account Name: FarmDBAccount
Account Domain: Domain
Logon ID: 0x313b2
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain:
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xc000005e
Sub Status: 0x0
Process Information:
Caller Process ID: 0xa98
Caller Process Name: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\OWSTIMER.EXE
Network Information:
Workstation Name: SERVER
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: C
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Permanent link to this article: http://www.tsls.co.uk/index.php/2011/08/26/user-profile-starting-and-returning-to-start-state/