SharePoint: User Profile Sync Service stuck at Starting, at the Configuring certificates step


I have seen this in a couple of scenarios where starting the User Profile Sync service is stuck on Starting, as seen from Central Admin. Looking at the ULS logs filtered on Category = "User Profiles", we can see that the last ILM configuration step executed is Tag 9q1h: ILM Configuration: Configuring certificate.

ULS Log Excerpt

-------------------------------------

OWSTIMER.EXE SharePoint Portal Server        User Profiles        9i1s        Medium        UserProfileApplication.SynchronizeMIIS: Begin setup for 'UPA1'.        

OWSTIMER.EXE SharePoint Portal Server        User Profiles        g4bo        High         ILM Configuration: The ValidateMiisEncryptionKey process returned True.        

OWSTIMER.EXE SharePoint Portal Server        User Profiles        9i1x        Medium        ILMPostSetupConfiguration: ILM Configuration: Validating installation of SQL Service.        

OWSTIMER.EXE SharePoint Portal Server        User Profiles        9i1y        Medium        ILM Configuration: Validating account.        

OWSTIMER.EXE SharePoint Portal Server        User Profiles        9i20        Medium        ILM Configuration: Validating the system groups        

OWSTIMER.EXE SharePoint Portal Server        User Profiles        9i23        Medium        ILM Configuration: Setting up WMI        

OWSTIMER.EXE SharePoint Portal Server        User Profiles        9i24        Medium        ILM Configuration: Setting required permissions        

OWSTIMER.EXE SharePoint Portal Server        User Profiles        9i26        Medium        ILM Configuration: Create install config file        

OWSTIMER.EXE SharePoint Portal Server        User Profiles        9i28        Medium        ILM Configuration: Update source project        

OWSTIMER.EXE SharePoint Portal Server        User Profiles        9i29        Medium        ILM Configuration: Changing service account credentials        

OWSTIMER.EXE SharePoint Portal Server        User Profiles        d3bo        Medium        ILM Configuration: Setting policy for service account        

OWSTIMER.EXE SharePoint Portal Server        User Profiles        9i2a        Medium        ILM Configuration: Configuring database        

OWSTIMER.EXE SharePoint Portal Server        User Profiles        9i2b        Medium        ILM Configuration: Re-starting mms service

OWSTIMER.EXE SharePoint Portal Server        User Profiles        9i2d        Medium        LM Configuration: Checking mms service        

OWSTIMER.EXE SharePoint Portal Server        User Profiles        9q1e        Medium        ILM Configuration: Configuring XML file       

OWSTIMER.EXE SharePoint Portal Server        User Profiles        9q1f        Medium        ILM Configuration: Checking for existing FIM database        

OWSTIMER.EXE SharePoint Portal Server        User Profiles        9q1h        Medium        ILM Configuration: Configuring certificate.       

During this step we provision the certificates used by Forefront Identity Manager. Here is what this certificate looks like.

image

 

At times, due to multiple attempts to provision the Sync service, we may end up with multiple certificates in the Local Computer store of Certificate Manager. This sometimes leads to the Sync service getting stuck at this step, and the provisioning process, even if retried, starts and gets stuck again at this step.

The solution is to remove all copies of the ForeFrontIdentityManager certificate from all the containers of the Certificate Store (Local Computer), including the Personal store.

Recycle the SharePoint Timer Service and try to provision the User Profile Synchronization service again. You should see it move forward from that step, unless we get into other issues with certificate creation itself.
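An added example (not part of the original post): a PowerShell inventory of every ForeFrontIdentityManager certificate under Local Computer, listed by store, with a backup of each public certificate and a `-WhatIf` removal pass. The function name `Get-FimCertificate` and the backup folder are hypothetical; it assumes PowerShell 3.0 or later in an elevated session on the server running the Sync service.

```powershell
# Added example; Get-FimCertificate and $backupDir are hypothetical names.
function Get-FimCertificate {
    param([string]$SubjectPattern = '*ForeFrontIdentityManager*')

    # -Recurse also returns store objects, so keep only real certificates.
    Get-ChildItem -Path Cert:\LocalMachine -Recurse |
        Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
            $_.Subject -like $SubjectPattern
        } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = ($_.PSParentPath -split '\\')[-1]  # e.g. My, Root
                Thumbprint    = $_.Thumbprint
                NotBefore     = $_.NotBefore
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey
                PSPath        = $_.PSPath
            }
        }
}

$found = @(Get-FimCertificate)
$found | Sort-Object Store, NotBefore |
    Format-Table Store, Thumbprint, NotBefore, NotAfter, HasPrivateKey -AutoSize

# Several copies in one store are the leftovers of repeated provisioning attempts.
$found | Group-Object Store | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning ("{0} copies in store '{1}'" -f $_.Count, $_.Name)
}

# Keep a record of what is about to be removed (public part only; the
# private key is not exported, so this is an audit copy, not a restore point).
$backupDir = 'C:\Temp\FimCertBackup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

foreach ($entry in $found) {
    $cert = Get-Item -LiteralPath $entry.PSPath
    $file = Join-Path $backupDir ("{0}_{1}.cer" -f $entry.Store, $entry.Thumbprint)
    [System.IO.File]::WriteAllBytes($file, $cert.Export('Cert'))

    # -WhatIf only reports what would be deleted. Remove it after reviewing
    # the table above; -DeleteKey also deletes the associated private key.
    Remove-Item -LiteralPath $entry.PSPath -DeleteKey -WhatIf
}
```

Running `Get-FimCertificate` again after the real removal should return nothing before the Timer Service is recycled and provisioning is retried.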

 


 

POST BY: Rajan Kapoor [MSFT]


Comments (4)

  1. Filip Bosmans says:

    You sometimes miss a certificate, to make sure nothing is left behind, you can use this:

    set-location cert:

    Get-ChildItem localmachine -recurse | where {$_.Subject -like "*ForeFrontIdentityManager*"}

    You can add "| Remove-Item -DeleteKey" at the end to remove them by the script itself but manual is preferred.

  2. Koen Zomers says:

    I've seen a similar case recently where next to these steps, I also needed to clear the SharePoint config cache files after doing all this to get it to provision correctly again.

  3. Rajan Kapoor [MSFT] says:

    Thanks Filip, this is good info & helpful. Thanks for sharing.

  4. Aron says:

    Cheers, I kept unprovisioning the UPS after it not starting, AND removed all the extra certs from the trusted root…. BUT the trick for me was your comment about “All Folders”. I had 2 certs in the personal folder. Removed those, recycle timer service, restart UPS sync. All working. Cheers Raj
