Under certain condition, you may see this error message when you try to start the FIM Synchronization Service:
UserProfileApplication.SynchronizeMIIS: Failed to configure ILM, will attempt during next rerun. Exception: System.Security.SecurityException: There are currently no logon servers available to service the logon request. at System.Security.Principal.WindowsIdentity.KerbS4ULogon(String upn) at
System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName, String type) at System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName) at Microsoft.IdentityManagement.SetupUtils.IlmWSSetup.GetDomainAccountSIDHexString(String domainName, String accountName) at
Microsoft.IdentityManagement.SetupUtils.IlmWSSetup.GrantSQLRightsToServiceAccount() at Microsoft.IdentityManagement.SetupUtils.IlmWSSetup.IlmBuildDatabase() at Microsoft.Office.Server.UserProfiles.Synchronization.ILMPostSetupConfiguration.ConfigureIlmWebService(Boolean existingDatabase) at
Microsoft.Office.Server.Administration.UserProfileApplication.SetupSynchronizationService(ProfileSynchronizationServiceInstance profileSyncInstance) The Zone of the assembly that failed was: MyComputer.
The reason is related to Kerberos and is a little bit difficult to explain (as always with Kerberos !). I try to make the most simple possible:
OWSTIMER process tries to get a service ticket for itself (a TGS with Sname/SPN = the OWSTIMER account) that contains information about itself (this is called S4U2Self).
However, a security feature introduced in Windows Server 2003 prevents the KDC to distribute a TGS for an account that does not have a SPN defined, as explained in this technet article (http://technet.microsoft.com/fr-fr/library/cc772815(WS.10).aspx):
“Additionally, in Windows Server 2003, KDCs will not issue a service ticket for an account that does not have an SPN. If a service account were simply a user account with a human-generated password, then that account would be more vulnerable to an offline dictionary attack. For an account without an SPN, the KDC will return KDC_ERR_S_PRINCIPAL_UNKNOWN. However, the context of the error will be KRB_ERR_MUST_USE_USER2USER, which has the description of "Server principal valid for user-to-user only.""”
It is very easy to fix, all you need is to add a fake SPN, whatever it is, to the OWSTimer account, so that KDC will allow to distribute a ticket for that account. For example:
setspn –a NONE/NONE OWSTimerAccount
Then you can successfully start your service !