SharePoint: User Profile Sync Service stuck at Starting, at the Configuring certificates step
I have seen this in a couple of scenarios where starting the User Profile Sync service leaves it stuck on "Starting" in Central Admin. Looking at the ULS logs filtered on Category = "User Profiles", we can see that the last ILM configuration step executed is Tag 9q1h: ILM Configuration: Configuring certificate.
ULS Log Excerpt
-------------------------------------
OWSTIMER.EXE SharePoint Portal Server User Profiles 9i1s Medium UserProfileApplication.SynchronizeMIIS: Begin setup for 'UPA1'.
OWSTIMER.EXE SharePoint Portal Server User Profiles g4bo High ILM Configuration: The ValidateMiisEncryptionKey process returned True.
OWSTIMER.EXE SharePoint Portal Server User Profiles 9i1x Medium ILMPostSetupConfiguration: ILM Configuration: Validating installation of SQL Service.
OWSTIMER.EXE SharePoint Portal Server User Profiles 9i1y Medium ILM Configuration: Validating account.
OWSTIMER.EXE SharePoint Portal Server User Profiles 9i20 Medium ILM Configuration: Validating the system groups
OWSTIMER.EXE SharePoint Portal Server User Profiles 9i23 Medium ILM Configuration: Setting up WMI
OWSTIMER.EXE SharePoint Portal Server User Profiles 9i24 Medium ILM Configuration: Setting required permissions
OWSTIMER.EXE SharePoint Portal Server User Profiles 9i26 Medium ILM Configuration: Create install config file
OWSTIMER.EXE SharePoint Portal Server User Profiles 9i28 Medium ILM Configuration: Update source project
OWSTIMER.EXE SharePoint Portal Server User Profiles 9i29 Medium ILM Configuration: Changing service account credentials
OWSTIMER.EXE SharePoint Portal Server User Profiles d3bo Medium ILM Configuration: Setting policy for service account
OWSTIMER.EXE SharePoint Portal Server User Profiles 9i2a Medium ILM Configuration: Configuring database
OWSTIMER.EXE SharePoint Portal Server User Profiles 9i2b Medium ILM Configuration: Re-starting mms service
OWSTIMER.EXE SharePoint Portal Server User Profiles 9i2d Medium LM Configuration: Checking mms service
OWSTIMER.EXE SharePoint Portal Server User Profiles 9q1e Medium ILM Configuration: Configuring XML file
OWSTIMER.EXE SharePoint Portal Server User Profiles 9q1f Medium ILM Configuration: Checking for existing FIM database
OWSTIMER.EXE SharePoint Portal Server User Profiles 9q1h Medium ILM Configuration: Configuring certificate.
During this step we provision the certificates used by Forefront Identity Manager. Here is what this certificate looks like.
At times, after multiple attempts to provision the Sync service, we may end up with multiple certificates in the Local Computer store in Certificate Manager. This sometimes leads to the sync service getting stuck at this step, and even if the provisioning process is retried, it starts and gets stuck at this step again.
The fix is to remove all copies of the ForeFrontIdentityManager certificate from all the containers of the certificate store (Local Computer), including the Personal store.
Recycle the SharePoint Timer service and try to provision the User Profile Synchronization service again; you should see it move past that step, unless we run into other issues with certificate creation itself.
Post by: Rajan Kapoor [MSFT]
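The cleanup described above, as an added PowerShell example that is not part of the original post: it lists every matching certificate with the store it sits in, and only when run with -Remove does it save a copy of each public certificate, delete the certificates and recycle the Timer service. The backup path and the SPTimerV4 service name are assumptions, and the -DeleteKey switch needs PowerShell 3.0 or later.

```powershell
# Added example, not code from the original post. Run elevated on the sync server.
# Without -Remove the script only reports what it finds.
param(
    [switch]$Remove,
    [string]$BackupDir    = 'C:\Temp\FIMCertBackup',  # assumed path, change as needed
    [string]$TimerService = 'SPTimerV4'               # assumed SharePoint Timer service name
)

function Get-FimCert {
    # Walk every Local Computer store; keep certificates only (skip store containers).
    Get-ChildItem Cert:\LocalMachine -Recurse | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
        $_.Subject -like '*ForefrontIdentityManager*'   # -like is case-insensitive
    }
}

$found = @(Get-FimCert)

# Show the store for each copy so duplicates and stray copies are visible.
$found |
    Select-Object @{ n = 'Store'; e = { ($_.PSParentPath -split '\\')[-1] } },
                  Thumbprint, NotBefore, NotAfter, HasPrivateKey |
    Sort-Object Store, NotBefore |
    Format-Table -AutoSize
Write-Host "$($found.Count) matching certificate(s) found."

if (-not $Remove -or $found.Count -eq 0) { return }

# Keep a record of what was deleted (public certificate only, no private key).
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$certType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
foreach ($cert in $found) {
    $store = ($cert.PSParentPath -split '\\')[-1]
    $file  = Join-Path $BackupDir "$store-$($cert.Thumbprint).cer"
    [System.IO.File]::WriteAllBytes($file, $cert.Export($certType))
    Remove-Item -Path $cert.PSPath -DeleteKey
}

# Confirm nothing was missed before recycling the Timer service.
$left = @(Get-FimCert)
if ($left.Count -gt 0) {
    throw "$($left.Count) certificate(s) still present; remove them before retrying."
}
Restart-Service -Name $TimerService
Write-Host 'Stores are clean and the Timer service was recycled. Provision the sync service again.'
```

Run it once without -Remove and review the table before deleting anything; provisioning the User Profile Synchronization service again is still done from Central Admin.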
Comments
Anonymous
August 27, 2015
You sometimes miss a certificate; to make sure nothing is left behind, you can use this:
set-location cert:
Get-ChildItem localmachine -recurse | where {$_.Subject -like "*ForeFrontIdentityManager*"}
You can add "| Remove-Item -DeleteKey" at the end to remove them by the script itself, but manual is preferred.
Anonymous
August 28, 2015
I've seen a similar case recently where next to these steps, I also needed to clear the SharePoint config cache files after doing all this to get it to provision correctly again.
Anonymous
September 02, 2015
Thanks Filip, this is good info & helpful. Thanks for sharing.
Anonymous
May 18, 2016
Cheers, I kept unprovisioning the UPS after it not starting, AND removed all the extra certs from the trusted root.... BUT the trick for me was your comment about "All Folders": I had 2 certs in the personal folder. Removed those, recycled the timer service, restarted UPS sync. All working. Cheers Raj