You get a System.Security.SecurityException when you try to start the User Profile Synchronization Service


Symptom

Under certain condition, you may see this error message when you try to start the FIM Synchronization Service:

UserProfileApplication.SynchronizeMIIS: Failed to configure ILM, will attempt during next rerun. Exception: System.Security.SecurityException: There are currently no logon servers available to service the logon request. at System.Security.Principal.WindowsIdentity.KerbS4ULogon(String upn) at
System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName, String type) at System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName) at Microsoft.IdentityManagement.SetupUtils.IlmWSSetup.GetDomainAccountSIDHexString(String domainName, String accountName) at
Microsoft.IdentityManagement.SetupUtils.IlmWSSetup.GrantSQLRightsToServiceAccount() at Microsoft.IdentityManagement.SetupUtils.IlmWSSetup.IlmBuildDatabase() at Microsoft.Office.Server.UserProfiles.Synchronization.ILMPostSetupConfiguration.ConfigureIlmWebService(Boolean existingDatabase) at
Microsoft.Office.Server.Administration.UserProfileApplication.SetupSynchronizationService(ProfileSynchronizationServiceInstance profileSyncInstance) The Zone of the assembly that failed was: MyComputer.

 

Cause

The reason is related to Kerberos and is a little bit difficult to explain (as always with Kerberos !). I try to make the most simple possible:

OWSTIMER process tries to get a service ticket for itself (a TGS with Sname/SPN = the OWSTIMER account) that contains information about itself (this is called S4U2Self).

However, a security feature introduced in Windows Server 2003 prevents the KDC to distribute a TGS for an account that does not have a SPN defined, as explained in this technet article (http://technet.microsoft.com/fr-fr/library/cc772815(WS.10).aspx):

“Additionally, in Windows Server 2003, KDCs will not issue a service ticket for an account that does not have an SPN. If a service account were simply a user account with a human-generated password, then that account would be more vulnerable to an offline dictionary attack. For an account without an SPN, the KDC will return KDC_ERR_S_PRINCIPAL_UNKNOWN. However, the context of the error will be KRB_ERR_MUST_USE_USER2USER, which has the description of "Server principal valid for user-to-user only.""”

 

Resolution

It is very easy to fix, all you need is to add a fake SPN, whatever it is, to the OWSTimer account, so that KDC will allow to distribute a ticket for that account. For example:

setspn –a NONE/NONE OWSTimerAccount

Then you can successfully start your service !

Comments (3)

  1. Paul Grimley says:

    Many Thanks for sharing this, I had the same issue and you're suggestion worked! I added some further information to my blog entry regarding this http://www.paulgrimley.com/…/user-profile-synchronization-service.html.

  2. I am using same command in power shell but says

    Unknown parameter NONE/NONE.  Please check your usage.

  3. Wolfgang says:

    If you copy & paste the 'setspn –a NONE/NONE OWSTimerAccount '  you'll get the unknown parameter.

    Get rid of the hyphen '-'  and type it in. That fixed it for me.

Skip to main content