SharePoint 2010: Unable to start the User profile synchronization service

It is commonly observed that the User Profile Service Application is one of the pain areas of SharePoint 2010; most often it fails when the User Profile Synchronization Service is started from the Central Administration site. I was recently working on an issue where the User Profile Synchronization Service failed to start and logged the following very common error in the SharePoint ULS logs:

User Profile Application Proxy failed to retrieve partitions from User Profile Application: Microsoft.Office.Server.UserProfiles.UserProfileApplicationNotAvailableException: No User Profile Application available to service the request. Contact your farm administrator.
at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.get_ApplicationProperties()
at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.get_PartitionIDs()
at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.IsAvailable(SPServiceContext serviceContext

With the ULS logging level raised to Verbose, the following error also appeared:

Exception occured while connecting to WCF endpoint: System.ServiceModel.CommunicationException: The server did not provide a meaningful reply; this might be caused by a contract mismatch, a premature session shutdown or an internal server error. Server stack trace:
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) Exception rethrown
at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustContract.Issue(Message message)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)
at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)
at Microsoft.SharePoint.SPSecurityContext.<>c__DisplayClass7.<GetProcessSecurityTokenForServiceContext>b__6()
at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)
at Microsoft.SharePoint.SPSecurityContext.GetProcessSecurityTokenForServiceContext()
at Microsoft.SharePoint.SPChannelFactoryOperations.CreateChannelAsProcess[TChannel](ChannelFactory`1 factory, EndpointAddress address, Uri via)
at Microsoft.SharePoint.SPChannelFactoryOperations.CreateChannelAsProcess[TChannel](ChannelFactory`1 factory, EndpointAddress address)
at Microsoft.Office.Server.UserProfiles.MossClie

Cause

In IIS, the SecurityTokenServiceApplication (under the "SharePoint Web Services" site) had "Forms Authentication" and "ASP.NET Impersonation" enabled. The Security Token Service expects to be called with the Windows identity of the SharePoint process; with these two settings on, that identity was not passed through to the service, so it could not issue tokens. As the second stack trace shows (SPSecurityContext.SecurityTokenForContext -> WSTrustChannel.Issue), every service application proxy, including the User Profile proxy, obtains a token from the STS before it talks to its service, which is why the synchronization service failed to start even though nothing was wrong with the User Profile service itself.

Resolution

Open IIS Manager on the SharePoint server, then:

  • Expand "Sites"
  • Expand "SharePoint Web Services" and select "SecurityTokenServiceApplication"
  • Double-click "Authentication" (in the IIS section)
  • Disable "Forms Authentication" and "ASP.NET Impersonation"
  • Confirm that only "Windows Authentication" and "Anonymous Authentication" are enabled
  • Run IISRESET
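The same check and change as a script, added here as an example (it is not part of the original post), for when the settings have to be audited on several servers or the fix repeated reliably. It uses the WebAdministration module that ships with IIS 7.5 and PowerShell 2.0 syntax, so it runs on a Windows Server 2008 R2 SharePoint 2010 box. The site and application names are the defaults from the steps above; writing mode="Windows" as the replacement for Forms authentication in the application's web.config is this example's assumption rather than something the post states.

```powershell
# Added example, not from the original post: audit the authentication settings of
# the SecurityTokenServiceApplication under the "SharePoint Web Services" IIS site
# and, with -Fix, apply the change described above and restart IIS.
# Assumptions: elevated PowerShell on a SharePoint 2010 server (PowerShell 2.0,
# IIS 7.5 WebAdministration module); default site and application names.
param([switch]$Fix)

Import-Module WebAdministration

$SiteName = 'SharePoint Web Services'
$AppName  = 'SecurityTokenServiceApplication'
$StsPath  = "IIS:\Sites\$SiteName\$AppName"
$IisAuth  = '/system.webServer/security/authentication'

function Get-StsAuthState {
    # Windows and Anonymous are IIS (system.webServer) settings; Forms and
    # impersonation are ASP.NET (system.web) settings read from the app's web.config.
    New-Object PSObject -Property @{
        Windows     = [bool]((Get-WebConfigurationProperty -PSPath $StsPath -Filter "$IisAuth/windowsAuthentication"   -Name enabled).Value)
        Anonymous   = [bool]((Get-WebConfigurationProperty -PSPath $StsPath -Filter "$IisAuth/anonymousAuthentication" -Name enabled).Value)
        FormsMode   = [string]((Get-WebConfiguration -PSPath $StsPath -Filter '/system.web/authentication').mode)
        Impersonate = [bool]((Get-WebConfiguration -PSPath $StsPath -Filter '/system.web/identity').impersonate)
    }
}

function Test-StsAuthState {
    param($State)
    # Target state from the steps above: only Windows and Anonymous enabled.
    return ($State.Windows -and $State.Anonymous -and
            $State.FormsMode -ne 'Forms' -and -not $State.Impersonate)
}

function Repair-StsAuth {
    # Back up the STS web.config first; the system.web changes are written there.
    $physical = (Get-WebApplication -Site $SiteName -Name $AppName).PhysicalPath
    $stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
    Copy-Item (Join-Path $physical 'web.config') (Join-Path $physical "web.config.$stamp.bak")

    # Assumption of this example: mode="Windows" is the right replacement for "Forms".
    Set-WebConfigurationProperty -PSPath $StsPath -Filter '/system.web/authentication' -Name mode -Value 'Windows'
    Set-WebConfigurationProperty -PSPath $StsPath -Filter '/system.web/identity' -Name impersonate -Value $false
    # The IIS-level settings are written as a <location> entry for the application,
    # which is where IIS Manager puts them as well.
    Set-WebConfigurationProperty -PSPath $StsPath -Filter "$IisAuth/windowsAuthentication"   -Name enabled -Value $true
    Set-WebConfigurationProperty -PSPath $StsPath -Filter "$IisAuth/anonymousAuthentication" -Name enabled -Value $true
}

$before = Get-StsAuthState
Write-Host "Current STS authentication on $($env:COMPUTERNAME):"
$before | Format-List Windows, Anonymous, FormsMode, Impersonate | Out-String | Write-Host

if (Test-StsAuthState $before) {
    Write-Host 'STS authentication already matches the expected state.'
}
elseif ($Fix) {
    Repair-StsAuth
    & iisreset
    # Re-read after the restart and fail loudly if the change did not stick.
    $after = Get-StsAuthState
    if (-not (Test-StsAuthState $after)) {
        throw "STS authentication still wrong after repair:`n$($after | Out-String)"
    }
    Write-Host 'STS authentication repaired and IIS restarted.'
}
else {
    Write-Warning 'STS authentication deviates from the expected state; rerun with -Fix to correct it.'
}
```

Run it once without -Fix to see the current state of each server; -Fix backs up the application's web.config, applies the four settings, restarts IIS and then re-reads the settings. IISRESET takes every web application on the server down for a moment, so on a multi-server farm run it one server at a time.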


During troubleshooting we initially suspected that database corruption might be the problem. We verified the database permissions and created a new configuration database; that did not resolve the issue. Later we found that although we could create other service applications (such as Managed Metadata and Search), we were unable to access them. Most of the resulting errors were security-related, which made us suspect the Security Token Service application.

To confirm this, we tested the Security Token Service by running the Health Analyzer rule "The Security Token Service is not available":

Central Administration site -> Monitoring -> Review rule definitions -> Availability -> "The Security Token Service is not available"

Running the rule produced the following errors in the Application event log:

Log Name: Application
Source: Microsoft-SharePoint Products-SharePoint Foundation
Event ID: 8306
Task Category: Claims Authentication
Level: Error
Description:
An exception occurred when trying to issue security token: The server did not provide a meaningful reply; this might be caused by a contract mismatch, a premature session shutdown or an internal server error..
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" />
<EventID>8306</EventID>
<Version>14</Version>
<Level>2</Level>
<Task>47</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2011-02-01T20:08:31.889137200Z" />
<EventRecordID>178223</EventRecordID>
<Correlation ActivityID="{E47AD4F2-E51A-49A2-BAB2-E22243297CEC}" />
<Execution ProcessID="1072" ThreadID="5060" />
<Channel>Application</Channel>
<Computer>FQDN of computer</Computer>
<Security UserID="S-1-5-21-1037773150-1901201615-623648099-663347" />
</System>
<EventData>
<Data Name="string0">The server did not provide a meaningful reply; this might be caused by a contract mismatch, a premature session shutdown or an internal server error.</Data>
</EventData>
</Event>

Log Name: Application
Source: Microsoft-SharePoint Products-SharePoint Foundation
Event ID: 2138
Task Category: Health
Level: Warning
Description:
The SharePoint Health Analyzer detected a condition requiring your attention. The Security Token Service is not available.
The Security Token Service is not issuing tokens. The service could be malfunctioning or in a bad state.
Administrator should try to restart the Security Token Service on the boxes where it is not issuing tokens. If problem persists, further troubleshooting may be available in the KB article. For more information about this rule, see "https://go.microsoft.com/fwlink/?LinkID=160531".
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" />
<EventID>2138</EventID>
<Version>14</Version>
<Level>3</Level>
<Task>8</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2011-02-01T20:51:16.683910600Z" />
<EventRecordID>180549</EventRecordID>
<Correlation ActivityID="{6212567F-596F-42CD-BEDC-2F77864FA2D9}" />
<Execution ProcessID="1832" ThreadID="4180" />
<Channel>Application</Channel>
<Computer>FQDN of computer</Computer>
<Security UserID="S-1-5-21-1037773150-1901201615-623648099-663347" />
</System>
<EventData>
<Data Name="string0">The Security Token Service is not available.
The Security Token Service is not issuing tokens. The service could be malfunctioning or in a bad state.
Administrator should try to restart the Security Token Service on the boxes where it is not issuing tokens.

Alternatively, the error may appear as:

“An error occurred while receiving the HTTP response to http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details.”
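To confirm the STS state from the event log without clicking through Event Viewer on each box, the following script (added here as an example; it is not part of the original post) pulls the two events shown above from one or more servers. Get-WinEvent with -FilterHashtable is available in the PowerShell 2.0 that ships with Windows Server 2008 R2; the assumption is that the account running it can read the Application log on every server named on the command line.

```powershell
# Added example, not from the original post: list the 8306 ("exception ... issue
# security token") and 2138 (Health Analyzer "Security Token Service is not
# available") events from the Application log of one or more farm servers.
# Assumptions: PowerShell 2.0 Get-WinEvent; the caller can read each server's
# Application log; server names are passed on the command line.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [int]$Hours = 24
)

$Filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-SharePoint Products-SharePoint Foundation'
    Id           = 8306, 2138
    StartTime    = (Get-Date).AddHours(-$Hours)
}

function Get-StsEvents {
    param([string]$Computer)
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -ComputerName $Computer -FilterHashtable $Filter -ErrorAction SilentlyContinue |
        Select-Object @{Name='Computer';   Expression={ $Computer }},
                      TimeCreated, Id,
                      @{Name='ActivityId'; Expression={ $_.ActivityId }},
                      @{Name='Message';    Expression={ ($_.Message -split "`r?`n")[0] }}
}

$events = @(foreach ($c in $ComputerName) { Get-StsEvents -Computer $c })

if ($events.Count -eq 0) {
    Write-Host "No STS events (8306/2138) in the last $Hours hour(s) on: $($ComputerName -join ', ')"
}
else {
    $events | Sort-Object TimeCreated | Format-Table -AutoSize Computer, TimeCreated, Id, ActivityId, Message
    # Per-server totals: a server that logs 8306 is one whose own STS fails to
    # issue tokens, so that is where the IIS authentication settings need checking.
    $events | Group-Object Computer, Id | ForEach-Object {
        '{0,-20} event {1}: {2} occurrence(s)' -f $_.Values[0], $_.Values[1], $_.Count
    }
}
```

The ActivityId column is the Correlation ActivityID from the event XML above; searching the ULS logs for that value on the same server lands on the matching "Exception occured while connecting to WCF endpoint" entries. Run the script before the IIS change to see the failing servers and again afterwards (with a small -Hours value) to confirm the events have stopped.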

Comments

  • Anonymous
    January 01, 2003
    I get this error only when the web application is being accessed for the first time after restarting IIS. I checked my IIS settings and they were already configured the way it was asked in this article. In another article the solution was to check that under IIS 7 > Sites > SharePoint Web Services > Authentication > Windows Authentication (enabled) > Advanced Settings > Kernel-mode authentication is selected. This was already checked in my IIS. MS released a hotfix support.microsoft.com/.../2465996, while I have the Feb/March update installed. Is there any solution?

  • Anonymous
    January 01, 2003
    Terrible!!! Thank you very much! I have broken my mind! First of all, please check account permissions! The solution solved my problem! Thank you very much!

  • Anonymous
    January 01, 2003
    Hi Mohit, could you please be a little more specific? Do you see this issue only once after iisreset? Do you see the message in the ULS logs and event viewer? Is there any other impact that you could observe?

  • Anonymous
    February 10, 2011
    Especially useful article. Myself & my neighbor were preparing to do some research about that. We got a superb book on that matter from our local library and most books were not as descriptive as your information. I am incredibly glad to see such information which I was searching for a long time. server administration (http://www.seeksadmin.com)

  • Anonymous
    July 09, 2011
    Thank you so very much for fixing my problem!! :-)

  • Anonymous
    May 21, 2013
    Guys, facing the same issue, but this time with SharePoint 2013. None of the above resolves it. Can anyone please suggest something else? Thanks in advance...

  • Anonymous
    May 30, 2013
    Hi, I have an issue: is it possible to send a mail to the security group "without" enabling Email? If it is possible, please share any information regarding this issue. Thanks in advance, suresh

  • Anonymous
    December 10, 2013
    thanks a million. worked like a charm

  • Anonymous
    October 15, 2015
    Having had a very similar problem, along with many other associated problems, which put my work at an altogether unacceptable, extended standstill, I decided to post the resolution I found to as many forums relating to this issue that I could.
    The resolution that I found was one of two things that I did at the same time. (duh – not a smart tactic, but I was getting desperate…) I am not willing to spend the time to isolate the effects of each of these motions, so it could be one, or the other, or both.
    1. I noticed that SharePoint was moving the Farm Account Security Managed Account (The user account that Farm Account uses for credentials) from the Administrators group, to the WSS_ADMIN_WPG group. In my case Central Admin was being run on the same machine as the SharePoint Server. I run a single server developer environment. So the Farm Account needed “Log on Locally” privileges. WSS_ADMIN_WPG group did not appear to have the needed privilege, where the Administrators group did. Strangely enough though, the Administrators group is a member of the WSS_ADMIN_WPG group. So I moved the above mentioned user account back into the Administrators group.
    Let me know if I’m not seeing something here….
    2. Upon examining the SecurityTokenServiceApplicationPool (the name I gave for the Security Token Service’s Application Pool), I noticed that the Enable 32-bit Applications setting under the Advanced Settings had been set to True. This to me was strange as I remembered installing the 64-bit versions of everything, because the Server machine on which I was working was indeed 64-bit. So I set it to False.
    After those two simple motions I did all the familiar and necessary things to be done to make sure that the system and SharePoint was running with all the latest settings and tried what I had been doing once again, and to my amazement and shock (after having tried everything on the internet several times each) it worked! I am now happily moving forward in my work! At least until the next roadblock comes along.
    Weird, dumb and stupid, what were the chances? Maybe it will be worth a quick look for you.