SharePoint 2010 multi-tenants and User Profiles Services : do not sync profiles before adding at least one tenant!
Following my previous post on search crawl with multi-tenancy, https://blogs.msdn.com/b/maximeb/archive/2010/10/24/configuring-sharepoint-2010-search-for-crawling-host-name-site-collection-tenants.aspx, I found a little bug when synchronizing user profiles for multi-tenants. As a recap, the setup is the following:
- Services farm with Search, Managed Metadata Services, and User Profile
- Search Content Source : https://hosting.contoso.local
- Hosting farm with tenants for :
- Contoso
- Adventure Works
- Woodgrove
- Active directory :
- Customers OU
- an OU for each tenant under the Customers OU
- Single Web Application hosting all tenants with host-name site collection.
- Note: With 2010, it’s now possible to have more flexible managed paths. it allows you to have an explicit path for /admin, /cthub, and /mysites/personal for each tenants with simply 4 managed paths (total!)
- URLs (okay, I know, they could use some work for real world!!):
- https://hosting.contoso.local (the hosting web application, nobody’s really navigating here)
- https://contoso.contoso.local
- https://adventureworks.contoso.local
- https://woodgrove.contoso.local
- Tested with SharePoint 2010 RTM
- The fact that I have 2 farms probably doesn’t have anything to do with the issue at hand
To learn about multi-tenancy and how to set it up, which I hope you have done if you are reading this blog post, read Spence Harbar’s excellent post series here: https://www.harbar.net/archive/2010/09/14/rational-guide-to-multi-tenancy-with-sharepoint-2010-part-six.aspx.
The mistake I did was quite simple to reproduce : before creating my tenants (or at least, before linking them to the UPS – see below), I ran a User Profile Services synchronization with Active Directory. The UPS-Sync contains a connection to the contoso.local domain, which in turn synchronizes only the Customers OU and all its child – effectively syncing all customer accounts in a single connection. In this sample, I had 3 accounts for each tenants, and 3 tenants, so a total of 9 accounts were imported.
Connecting a tenant to the UPS is done with the following command (in this example, for AdventureWorks):
$upaProxy = Get-SPServiceApplicationProxy | where-object {$_.DisplayName –eq <<ProxyName>>} Add-SPSiteSubscriptionProfileConfig -id $sub –SynchronizationOU “AdventureWorks” –MySiteHostLocation "https://adventureworks.contoso.local/mysites" -MySiteManagedPath "/mysites/personal" -SiteNamingConflictResolution "None" -ProfileServiceApplicationProxy $upaProxy
If you did a user import profiles before adding the first tenant, the total user count in the user profiles will now be 18!!! You add another tenant and it becomes 27, 36, 45, etc. The worst part is that each tenant can administer all user profiles! Obviously, something’s messed up .
Now the good news is that you simply have to add a single tenant before doing the first user profile import synchronization and you are set to go. In my example, if I simply run a sync after the first tenant, it will only import 3 accounts – effectively taking into account the SynchronizationOU sent with the Add-SPSiteSubscriptionProfileConfig command – even if the connection points to an OU that contains 3 child OUs totalling 9 accounts.
It works very good as long as you create at least one tenant before user profile sync.
Happy tenancy!