Proxy Configuration issues with UPA in SharePoint 2010 /2013
This post talks about various issues seen in User Profile Service application configuration due to Web Proxy configurations. As the User Profile Import using the FIM has not changed in SharePoint 2013 these would apply to SharePoint 2013 as well.
Issue 1: Unable to start the User Profile Synchronization Service, This fails after 3 retries.
You see event ID 3 & 234 are logged in Application Event logs on the server where Sync service is being provisioned
Log Name: Application
Source: ILM Web Service Configuration
Event ID: 234
Task Category: None
Level: Warning
Computer: ServerName.domain.com
Description:
ILM Certificate could not be created: netsh http error:netsh http add urlacl url=https://+:5726/ user=Domain\Spadmin sddl=D:(A;;GA;;;S-1-5-21-3995503830-178758855-2493544469-25442)
Log Name: Application
Source: Forefront Identity Manager
Date: [Date and Time]
Event ID: 3
Level: Error
Computer: ServerName.Domain.com
Description:
.Net SqlClient Data Provider: System.Data.SqlClient.SqlException: HostId is not registered
at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception)
at Microsoft.ResourceManagement.Data.Exception.DataAccessExceptionManager.ThrowException(SqlException innerException)
at Microsoft.ResourceManagement.Data.DataAccess.RetrieveWorkflowDataForHostActivator(Int16 hostId, Int16 pingIntervalSecs, Int32 activeHostedWorkflowDefinitionsSequenceNumber, Int16 workflowControlMessagesMaxPerMinute, Int16 requestRecoveryMaxPerMinute, Int16 requestCleanupMaxPerMinute, Boolean runRequestRecoveryScan, Boolean& doPolicyApplicationDispatch, ReadOnlyCollection`1& activeHostedWorkflowDefinitions, ReadOnlyCollection`1& workflowControlMessages, List`1& requestsToRedispatch)
at Microsoft.ResourceManagement.Workflow.Hosting.HostActivator.RetrieveWorkflowDataForHostActivator()
at Microsoft.ResourceManagement.Workflow.Hosting.HostActivator.ActivateHosts(Object source, ElapsedEventArgs e)
Log Name: Application
Source: Microsoft.ResourceManagement.ServiceHealthSource
Date: [Date and Time]
Event ID: 22
Level: Error
Computer: ServerName.Domain.com
Description:
The Forefront Identity Manager Service cannot connect to the SQL Database Server.
The SQL Server could not be contacted. The connection failure may be due to a network failure, firewall configuration error, or other connection issue. Additionally, the SQL Server connection information could be configured incorrectly.
Verify that the SQL Server is reachable from the Forefront Identity Manager Service computer. Ensure that SQL Server is running, that the network connection is active, and that the firewall is configured properly. Last, verify the connection information has been configured properly. This configuration is stored in the Windows Registry.
Issue 2 : You browse to "Configure Synchronization Connections" page of the User Profile Service Application " & unable to see your Existing Sync connection . Additionally you try to create a New Sync connection & get an error
[Date and Time] PM w3wp.exe (0x1108) 0x1284 SharePoint Portal Server User Profiles d3b3 High LoadConnections failed trying to fill the connections list. Most likely during RetriveResources because of permissions --- {1}. Available parameters: System.ServiceModel.ProtocolException: The remote server returned an unexpected response: (407) Proxy Authentication Required. ---> System.Net.WebException: The remote server returned an error: (407) Proxy Authentication Required. at System.Net.HttpWebRequest.GetResponse() at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout) --- End of inner exception stack trace --- Server stack trace:
at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory factory, WebException. responseException, ChannelBinding channelBinding) at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout) at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) Exception rethrown at [0]: at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at System.ServiceModel.Description.IMetadataExchange.Get(Message request)
at Microsoft.ResourceManagement.WebServices.MetadataClient.Get(String dialect, String identifier)
at Microsoft.ResourceManagement.WebServices.Client.ResourceManagementClient.SchemaManagerImplementation.RefreshSchema
at Microsoft.ResourceManagement.WebServices.ResourceManager.get_SchemaManager()
at Microsoft.ResourceManagement.WebServices.ResourceManager..ctor(String typeName, LocaleAwareClientHelper localePreferences, ContextualSecurityToken securityToken)
at Microsoft.Office.Server.UserProfiles.ConnectionManager.LoadConnections(Boolean fForUI) . bdb5f1ce-ab18-48d7-9374-78df992d5a0b
[Date and Time] w3wp.exe (0x1108) 0x1284 SharePoint Portal Server User Profiles a3xu High ConnectionManager.LoadConnections(): Could not find MOSS MA despite being marked as fully configured, was it deleted? bdb5f1ce-ab18-48d7-9374-78df992d5a0b
Issue 3: The Moss_export Step fails, following Error is seen in the ULS logs
System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.Office.Server.UserProfiles.ManagementAgent.ProfileImportExportExtension.CreateChangeData(ModificationType modificationType, String[] changedAttributes, CSEntry csentry)
at aMicrosoft.Office.Server.UserProfiles.ManagementAgent.ProfileImportExportExtension.Microsoft.MetadirectoryServices.IMAExtensibleCallExport.ExportEntry(ModificationType modificationType, String[] changedAttributes, CSEntry csentry)
Additionally, when you capture a network capture, one may see traffic going via a proxy & the request fail due to Authentication. Here is a sample capture during Moss_export phase showing the request to MOSS Server being sent via a proxy
5 10:46:02 AM 11/27/2012 0.0197241 miiserver.exe 10.0.11.156 10.0.11.11 HTTP HTTP:Request, POST https://MossServer:5725/ResourceManagementService/MEX {HTTP:8, TCP:7, IPv4:6}
6 10:46:02 AM 11/27/2012 0.0200219 miiserver.exe 10.0.11.11 10.0.11.156 HTTP HTTP:Response, HTTP/1.1, Status: Continue., URL: https://MossServer:5725/ResourceManagementService/MEX {HTTP:8, TCP:7, IPv4:6}
7 10:46:02 AM 11/27/2012 0.0201059 miiserver.exe 10.0.11.156 10.0.11.11 WSTransfer WSTransfer:Metadata Request Message {SOAP:9, HTTP:8, TCP:7, IPv4:6}
8 10:46:02 AM 11/27/2012 0.0208326 miiserver.exe 10.0.11.11 10.0.11.156 HTTP HTTP:Response, HTTP/1.1, Status: Proxy authentication required, URL: https://MossServer:5725/ResourceManagementService/MEX Using Multiple Authentication Methods, see frame details {HTTP:8, TCP:7, IPv4:6}
Steps for resolution
=================
To resolve such issues, we need to identify how the web proxy has been configured in the environment & then either remove it or set bypass on various components involved. Possible ways to identify a proxy,
a) IE configuration
b) From command prompt run the command > Netsh Win http Show Proxy
c) Network capture (using tools like Netmon) from the SharePoint server.
d) Dump the Group policy & confirm if this setting is pushed via a Group policy
e) WPAD Proxy configuration pushed via a DHCP
For UPA One would need to configure bypass for proxy at various components which are involved for Setup, Configuration & working for UPA & they are
a) For Owstimer which provisions UPA at C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN\OWSTIMER.EXE.CONFIG
b) Central Admin site at web.config file for CA Site
c) MiisServer which runs the FIM Sync at C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\Bin\miiserver.exe.config
d) Forefront Identity Manager service at C:\Program Files\Microsoft Office Servers\14.0\Service\Microsoft.ResourceManagement.Service.exe.config
Note: Change to respective \15 folders for SharePoint 2013
The following example adds three addresses to the bypass list. This is recommended to be done on all the configuration files listed above as described here
------------------------------------------------------------------
< configuration>
< system.net>
< defaultProxy>
< bypasslist>
< add address="[a-z]+\.contoso\.com" />
< add address="192\.168\..*" />
< add address="Netbios name of server" />
< /bypasslist>
< /defaultProxy>
< /system.net>
< /configuration>
-----------------------------------------------------------------
The first bypasses the proxy for all servers in the contoso.com domain;
The second bypasses the proxy for all servers whose IP addresses begin with 192.168.
The Third Bypass entry is for the ServerName
Note: After the Configuration files are updated, you would need to restart the respective service for the changes to take effect.