Solving Creating Certificate with User Profile Synchronization Service

While provisioning the UPA, you may run into issues starting the User Profile Synchronization Service (UPSS), or the UPSS may get stuck on "Starting".

There are a few articles that explain well how to create the UPA and UPSS, such as this TechNet article, and many great articles on debugging UPA issues, such as this one: http://www.harbar.net/articles/sp2010ups2.aspx.

In my case, I have configured many UPSS instances and have run into some issues that I was able to resolve. The latest issue I encountered was pretty puzzling, and it took me a few days to resolve it.

My UPSS would stop a couple of minutes after starting it, and I would always get the certificate creation errors:

  1. In the event logs, I get: "ILM Certificate could not be created: netsh http error:netsh http add urlacl url=http://+:5726/"
  2. Looking at the ULS logs, I got: "'ERR_SERVICE_NOT_INSTALLED' ILMPostSetupConfiguration: ILM Configuration: Validating installation of SQL Service FAILED"

I tried everything, including this great post http://henrikfromsweden.blogspot.ca/2011/01/solving-configuring-certificate-hang.html, but nothing worked.

In my case, I am not using any SQL named instances. I deleted all the FIM certificates, deleted the UPA, restarted the server, and went through the possible steps detailed in many articles, with no luck.

Finally, I noticed the farm account had not been added to the WSS_WPG and WSS_Admin_WPG local groups, even though the ULS logs showed the steps that add it had completed successfully. This raised a good question. I tried manually adding the farm account to the groups, but sure enough, a few seconds later it disappeared. AHA!!! There was an AD policy preventing any configuration service or user from adding any account to a local group. After a quick modification to the AD policy, I deleted all the certificates, deleted the UPA, restarted the server, recreated the UPA and UPSS, and sure enough everything worked without hiccups.

If you run into similar issues and have exhausted all the possible fixes, double-check your AD and GPO policies to make sure they are not reverting changes made by the timer service jobs.
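One way to confirm this failure mode before tearing down the UPA again (added example code, not part of the original post): check the URL reservation quoted in the event log, then sample the farm account's membership in WSS_WPG and WSS_Admin_WPG twice, a minute apart, so a policy that silently strips the account back out shows up as a warning. It assumes PowerShell 3 or later and a hypothetical farm account name, CONTOSO\spfarm.

```powershell
# Added check, not from the original post. Adjust $FarmAccount for your farm.
param(
    [string]$FarmAccount = 'CONTOSO\spfarm',   # assumption: replace with your farm account
    [int]$WaitSeconds = 60                     # long enough for a policy refresh to undo the membership
)

$groups = 'WSS_WPG', 'WSS_Admin_WPG'

function Get-LocalGroupMembership([string]$GroupName) {
    # ADSI works on older servers where Get-LocalGroupMember does not exist.
    $group = [ADSI]"WinNT://./$GroupName,group"
    $group.Invoke('Members') | ForEach-Object {
        # ADsPath looks like WinNT://CONTOSO/spfarm; turn it into DOMAIN\name
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-FarmAccountInGroups {
    foreach ($g in $groups) {
        $members = @(Get-LocalGroupMembership $g)
        [pscustomobject]@{
            Group              = $g
            FarmAccountPresent = ($members -contains $FarmAccount)   # -contains is case-insensitive
            Members            = ($members -join ', ')
        }
    }
}

# 1. Is the URL reservation the ILM certificate step tries to add already present?
"--- netsh urlacl for http://+:5726/ ---"
netsh http show urlacl url=http://+:5726/

# 2. Membership now ...
"--- local group membership (now) ---"
$before = Test-FarmAccountInGroups
$before | Format-Table -AutoSize

# 3. ... and again after waiting, to catch a policy reverting the change.
Start-Sleep -Seconds $WaitSeconds
"--- local group membership (after $WaitSeconds s) ---"
$after = Test-FarmAccountInGroups
$after | Format-Table -AutoSize

foreach ($g in $groups) {
    $wasPresent = ($before | Where-Object { $_.Group -eq $g }).FarmAccountPresent
    $isPresent  = ($after  | Where-Object { $_.Group -eq $g }).FarmAccountPresent
    if ($wasPresent -and -not $isPresent) {
        Write-Warning "$FarmAccount was removed from $g within $WaitSeconds s; review Restricted Groups in the applied GPOs (gpresult /h report.html)."
    }
}
```

Run it elevated on the server hosting the UPSS; if the account is absent in both samples, add it manually first and run the script again to see whether the membership survives.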

Wednesday, July 17, 2013 | By: Mike Maadarani | 0 comments