You get a System.Security.SecurityException when you try to start the User Profile Synchronization Service

Symptom

Under certain conditions, you may see this error message when you try to start the User Profile Synchronization Service (the FIM Synchronization Service that SharePoint provisions):

UserProfileApplication.SynchronizeMIIS: Failed to configure ILM, will attempt during next rerun. Exception: System.Security.SecurityException: There are currently no logon servers available to service the logon request.
   at System.Security.Principal.WindowsIdentity.KerbS4ULogon(String upn)
   at System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName, String type)
   at System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName)
   at Microsoft.IdentityManagement.SetupUtils.IlmWSSetup.GetDomainAccountSIDHexString(String domainName, String accountName)
   at Microsoft.IdentityManagement.SetupUtils.IlmWSSetup.GrantSQLRightsToServiceAccount()
   at Microsoft.IdentityManagement.SetupUtils.IlmWSSetup.IlmBuildDatabase()
   at Microsoft.Office.Server.UserProfiles.Synchronization.ILMPostSetupConfiguration.ConfigureIlmWebService(Boolean existingDatabase)
   at Microsoft.Office.Server.Administration.UserProfileApplication.SetupSynchronizationService(ProfileSynchronizationServiceInstance profileSyncInstance)
The Zone of the assembly that failed was: MyComputer.


Cause

The root cause is Kerberos, which is never simple to explain. Here is the short version:

While provisioning the synchronization database, the OWSTIMER process (running as the farm account) calls the WindowsIdentity(upn) constructor to resolve the SID of the synchronization service account. Under the hood that constructor performs an S4U2Self logon: the timer process asks the KDC for a service ticket to itself (sname/SPN = the OWSTIMER account) on behalf of the user named by the UPN, and reads that user's SID and group information from the PAC in the returned ticket. The KerbS4ULogon frame in the stack trace above is exactly that request.

However, a security feature introduced in Windows Server 2003 prevents the KDC from issuing a service ticket for an account that has no SPN registered, as explained in this TechNet article (https://technet.microsoft.com/fr-fr/library/cc772815(WS.10).aspx):

“Additionally, in Windows Server 2003, KDCs will not issue a service ticket for an account that does not have an SPN. If a service account were simply a user account with a human-generated password, then that account would be more vulnerable to an offline dictionary attack. For an account without an SPN, the KDC will return KDC_ERR_S_PRINCIPAL_UNKNOWN. However, the context of the error will be KRB_ERR_MUST_USE_USER2USER, which has the description of "Server principal valid for user-to-user only."”


Resolution

The fix is simple: register a placeholder SPN on the OWSTIMER (farm) account so that the KDC will issue a service ticket for it. The value itself does not matter and does not need to resolve to anything; it only has to be unique in the forest, since a duplicate SPN breaks Kerberos for both accounts. For example:

setspn -s NONE/NONE DOMAIN\OWSTimerAccount

(-s checks for duplicates before adding; the older -a switch adds unconditionally.) Verify the result with setspn -L DOMAIN\OWSTimerAccount, then start the User Profile Synchronization Service again.

One caveat worth keeping in mind: the restriction you are relaxing exists for the reason given in the TechNet quote above. Once the account has an SPN, any authenticated domain user can request a service ticket for it and attack the ticket offline, so make sure the OWSTIMER account has a long, random password and rotate it as you would for any other service account.
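The following PowerShell, added here as an example and not part of the original article, ties the Cause and Resolution together: it reproduces the S4U2Self call that IlmWSSetup makes (the WindowsIdentity(upn) constructor seen in the stack trace), registers the placeholder SPN, and re-runs the check. The domain, account names and UPN are assumptions; replace them with your own. Run it on the SharePoint server while logged on as the OWSTIMER (farm) account, so that the S4U2Self target is the same account that fails in the timer job, using an identity permitted to write servicePrincipalName on that account.

```powershell
# Added example, not code from the original article or from SharePoint.
# Assumed values: replace with the real domain, farm account and sync account UPN.
$domain       = 'CONTOSO'                 # assumed NetBIOS domain name
$timerAccount = 'svc_sptimer'             # assumed OWSTIMER / farm account
$syncUpn      = 'svc_spsync@contoso.com'  # assumed sync service account UPN

# Reproduces IlmWSSetup.GetDomainAccountSIDHexString: the WindowsIdentity(upn)
# constructor performs an S4U2Self logon for $Upn against the account running
# this process and exposes the user's SID from the returned ticket's PAC.
function Test-S4USelf {
    param([Parameter(Mandatory)][string]$Upn)
    try {
        $id = New-Object System.Security.Principal.WindowsIdentity($Upn)
        [pscustomobject]@{ Upn = $Upn; Sid = $id.User.Value; Succeeded = $true;  Error = $null }
    } catch {
        # Without an SPN on the calling account this is where the
        # SecurityException from the Symptom section surfaces.
        [pscustomobject]@{ Upn = $Upn; Sid = $null;          Succeeded = $false; Error = $_.Exception.Message }
    }
}

# Lists the SPNs currently registered on the account (empty when the fix is needed).
function Get-AccountSpn {
    param([Parameter(Mandatory)][string]$Account)
    setspn -L $Account
}

# Registers the placeholder SPN. -s asks AD for duplicates before writing,
# which is the safe choice because a duplicate SPN breaks Kerberos for both owners.
function Add-PlaceholderSpn {
    param([Parameter(Mandatory)][string]$Account, [string]$Spn = 'NONE/NONE')
    setspn -s $Spn $Account
}

$account = "$domain\$timerAccount"

$before = Test-S4USelf -Upn $syncUpn      # the S4U2Self check as OWSTIMER performs it
Get-AccountSpn -Account $account          # inspect what is registered today
Add-PlaceholderSpn -Account $account      # the fix from the Resolution section
Get-AccountSpn -Account $account          # confirm the SPN was written
$after  = Test-S4USelf -Upn $syncUpn      # re-run the same check

# Side-by-side view of the check before and after the SPN was added.
$before, $after | Format-Table Upn, Succeeded, Sid, Error -AutoSize
```

If the second Test-S4USelf still fails, confirm that the process really is running as the account you registered the SPN on, and that a domain controller is reachable; the S4U2Self request is issued to the KDC on behalf of the calling account, not the account named in the UPN.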