Troubleshoot profile synchronization configuration issues (SharePoint Server 2010)


Applies to: SharePoint Server 2010

This article contains tips for solving problems that you may encounter when you configure profile synchronization (profile sync).

Note

This article does not cover issues with starting the User Profile Synchronization service. If you are having problems starting the User Profile Synchronization service, see Troubleshoot User Profile Synchronization Service start issues (SharePoint Server 2010).

In this article:

  • SharePoint Health Analyzer alert: The server farm account should not be used for other services

  • An authentication provider does not appear in the Authentication Provider Instance list

  • Imported user profile data is not displayed in a user's My Site

  • Time-out error occurs when you create a synchronization connection

  • Deleted users still have user profiles

  • Exported properties are not written to the directory service

  • People search cannot find imported user profiles

  • Event ID 3 is logged in the application log

Note

Microsoft periodically releases software updates to fix reported problems. If you do not see your issue described in this article, review the list of software updates to see whether there is a software update that resolves your issue. To see the latest software updates, see Updates for SharePoint 2010 Products (https://go.microsoft.com/fwlink/p/?LinkId=160585).

SharePoint Health Analyzer alert: The server farm account should not be used for other services

The following alert appears in the SharePoint Health Analyzer:

<FarmAccount>, the account used for the SharePoint timer service and the central administration site, is highly privileged and should not be used for any other services on any machines in the server farm. The following services were found to use this account: User Profile Synchronization Service (Windows Service).

This message can be ignored. The User Profile Synchronization Service must run as the farm account.

An authentication provider does not appear in the Authentication Provider Instance list

When you create a profile synchronization connection for a directory service and you are not using Windows authentication, you must specify the authentication provider type and the authentication provider instance to use. The Authentication Provider Instance list should display all authentication providers that match the specified authentication provider type. If the list does not include the appropriate authentication provider, it could be because of one of the following reasons.

There are no Web applications that use the authentication provider

In addition to the Central Administration Web application, there must be at least one Web application that is configured to use the authentication provider. Create a Web application that uses the authentication provider and then try to create the profile synchronization connection. For more information about creating Web applications, see Create a Web application (SharePoint Server 2010).

The authentication provider is not set up correctly

Verify that the authentication provider is set up correctly, based on which of the following authentication methods you are using:

  • Forms-based authentication

    The Web.Config file of the Central Administration Web site is one of the places where the membership information for forms-based authentication providers is stored. SharePoint Server examines the Central Administration Web.Config file to determine the list of available authentication providers. Review your Central Administration Web.Config file to confirm that it has the correct membership provider and role manager settings. In particular, verify the following settings in the Web.Config file:

    • The port attribute specifies the port that is used to connect to the directory service. Confirm with your directory service administrator that you are using the correct port.

    • The userNameAttribute attribute specifies the name of the attribute in the directory service that serves as the unique identifier of each profile. Confirm with your directory service administrator that you are using the correct user name attribute.

    For more information about how to set up forms-based authentication, see Configure forms-based authentication for a claims-based Web application (SharePoint Server 2010).

  • SAML token-based authentication

    Using Security Assertion Markup Language (SAML) token-based authentication with profile synchronization requires the following:

    • A trusted identity provider that uses SAML tokens.

    • A My Sites Web application that is configured to use the trusted identity provider.

    For more information about how to set up SAML token-based authentication, see Configure authentication using a SAML security token (SharePoint Server 2010) and Configuring SharePoint 2010 and ADFS v2 End to End (https://go.microsoft.com/fwlink/p/?LinkId=207629).

Imported user profile data is not displayed in a user's My Site

When users access their My Site, their user account is associated with a corresponding user profile in SharePoint Server and the imported user profile data should appear in their My Site. In claims-based Web applications, SharePoint Server uses the Claim User Identifier property (SPS-ClaimID) to match an authenticated user to the correct user profile. If the SPS-ClaimID is not mapped to the directory service attribute that you want to use as the user identifier, when a user is authenticated, he or she is not matched to the correct user profile and will not see the imported user profile data.

To resolve this issue, map the SPS-ClaimID property to the directory service attribute that uniquely identifies the user and then start a full profile synchronization. For example, if you are using a trusted identity provider for authentication that uses the e-mail address as the identity claim, map the SPS-ClaimID property to the mail attribute. For more information about mapping profile properties, see Map user profile properties in "Configure profile synchronization".

Time-out error occurs when you create a synchronization connection

A time-out error occurs when creating or editing a synchronization connection by using the Add/Edit a synchronization connection page in Central Administration.

The following table describes the time-outs and their default values.

Time-out setting                          Default value
Connect to the directory service server   120 seconds (see note)
Populate containers                       1000 seconds (almost 17 minutes)
Save a synchronization connection         300,000 milliseconds (5 minutes)

Note

The "Connect to the directory service server" time-out setting is available in the Microsoft SharePoint Server 2010 June 2010 Cumulative Update. For more information, see https://support.microsoft.com/kb/983497.

To resolve this issue, increase the appropriate profile synchronization time-out setting. For more information, see the Adjust profile synchronization time-outs section in the "Maintain profile synchronization" topic.
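As an added example (not part of the original article), the following SharePoint 2010 Management Shell commands read and raise two of these time-outs. The property names FIMWebClientTimeOut and LDAPConnectionTimeout are assumed from the User Profile Service application object model; confirm them with Get-Member on your build before relying on them.

```powershell
# Added example, not from the original article. Assumes the property names
# FIMWebClientTimeOut (milliseconds, "Save a synchronization connection") and
# LDAPConnectionTimeout (seconds, "Connect to the directory service server");
# confirm both with Get-Member before relying on them.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$upa = Get-SPServiceApplication |
    Where-Object { $_.TypeName -eq "User Profile Service Application" }
if (-not $upa) { throw "No User Profile Service application found in this farm." }

# Show which time-out properties this build exposes before changing anything
$upa | Get-Member -Name "*TimeOut*" | Select-Object Name

"Save connection time-out (ms):  {0}" -f $upa.FIMWebClientTimeOut
"Directory connect time-out (s): {0}" -f $upa.LDAPConnectionTimeout

# Raise the save time-out from the 5-minute default to 10 minutes and the
# directory connect time-out from 120 to 300 seconds. Keep increases modest so
# that a directory server that is genuinely unreachable still fails quickly.
$upa.FIMWebClientTimeOut = 600000
$upa.LDAPConnectionTimeout = 300
$upa.Update()
```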

Deleted users still have user profiles

Users that are deleted in the directory service still have a user profile in SharePoint Server. This issue can be caused by one of the following reasons.

The My Site Cleanup Job is not active

By default, the My Site Cleanup Job is enabled and runs hourly. When the My Site Cleanup job runs, it looks for all users who are marked for deletion and deletes their profiles. An e-mail message is also sent to the manager with a link to the deleted user’s site. The e-mail message contains a request to the manager to move any documents or data that the manager wants to preserve, because the site might be deleted in the future. Verify that the My Site Cleanup Job is active. For more information about timer jobs, see Manage timer jobs in "Timer Job Reference".

The User Profile Service application does not have a My Site Host configured

The My Site Cleanup Job requires that the User Profile Service application has a My Site Host configured. This is required even if you do not plan to use My Sites. If a My Site Host is not configured, the profiles marked for deletion will never be deleted by the My Site Cleanup Job. For more information about how to configure a My Site Host, see the To configure My Site settings for the User Profile Service Application section of the "Set Up My Sites" topic.

The obsolete users were not imported by using profile synchronization

Sometimes the user profiles in SharePoint Server can include users that were not imported by using profile synchronization. This can occur, for example, if you upgraded from an earlier version of SharePoint Server and chose to only synchronize a subset of domains with SharePoint Server 2010. You can use Windows PowerShell to remove the obsolete users. For more information, see the Remove obsolete users and groups section of the "Maintain profile synchronization" topic.

Exported properties are not written to the directory service

User profile data is written to a directory service when you create an export mapping for a user profile property. If user profile properties are imported correctly but are not exported to the directory service, you can try the following:

  • Verify that the synchronization account has the necessary permissions. The synchronization account is the account that is used to access the directory service and synchronize profile information between SharePoint Server and the directory service. You specify this account when you create the synchronization connection. For certain directory services, additional permissions may be required to write data back to the directory service. Review the permissions information in the Grant account permissions section of the "Configure profile synchronization" topic.

  • If you changed the direction of a property mapping (that is, you deleted the import mapping and then added an export mapping), a full synchronization is required for properties to be exported to the directory service. For more information, see the Start the User Profile Synchronization service section in the "Configure profile synchronization" topic.

People search cannot find imported user profiles

People search enables users to find other people in the organization. The imported user profiles must be crawled before people search can work correctly. The following issues can prevent people search from finding the imported user profiles:

  • The account that is used to crawl user profiles (that is, the crawl account) does not have permission to the User Profile Service application.

    The crawl account must have the Retrieve People Data for Search Crawlers permission on the User Profile Service application. For more information about how to give an account permission to the User Profile Service application, see Assign administration of User Profile service features (SharePoint Server 2010).

    To give the crawl account permission to the User Profile Service application

    1. Verify that you have the following administrative credentials:

      • You must be a member of the Farm Administrators group.

    2. On the Central Administration Web site, in the Application Management section, click Manage service applications.

    3. On the Manage Service Applications page, click the row that contains the User Profile Service application.

    4. On the Service Applications tab, in the Operations section, click Administrators.

    5. In the text box, type the crawl account and then click Add.

    6. In the Permissions for <account> box, select Retrieve People Data for Search Crawlers, and then click OK.

  • The content source does not have the correct URL for the user profiles location.

    The Search Service application must know the location of the user profiles. Verify that the URL is correct.

    Note

    If you are using a crawl rule to crawl user profiles, verify that the URL in the crawl rule is correct. For more information about crawl rules, see Manage crawl rules (SharePoint Server 2010).

    To verify the URL that is used to crawl user profiles

    1. Verify that you have the following administrative credentials:

      • You must be an administrator for the Search service application.

    2. On the Central Administration Web site, in the Application Management section, click Manage service applications.

    3. On the Manage Service Applications page, click Search Service Application.

    4. On the Search Administration page, on the Quick Launch, in the Crawling section, click Content sources.

    5. On the Manage Content Sources page, right-click Local SharePoint sites, and then click Edit.

    6. In the Start Addresses section, look for a URL that begins with sps3://. This is the URL that is used to crawl user profiles.

      The sps3:// URL is in the form sps3://<hostname>, where <hostname> is the host name of the Web application for the User Profile Service application.

      Note

      If the Web application is configured to use Secure Sockets Layer (SSL), the URL must be in the form sps3s://<hostname>.
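As an added example (not part of the original article), the following SharePoint 2010 Management Shell script performs both checks above from the command line: it grants the crawl account only the Retrieve People Data for Search Crawlers permission on the User Profile Service application, and it verifies that the Local SharePoint sites content source has an sps3:// start address whose scheme matches whether the corresponding Web application uses SSL. CONTOSO\svc-crawl is a constructed placeholder for the crawl account, and the script assumes a single Search service application.

```powershell
# Added example, not from the original article. Covers both checks from the
# people search section: grants the crawl account the "Retrieve People Data for
# Search Crawlers" right on the User Profile Service application (and nothing
# more), then verifies the sps3:// start address in "Local SharePoint sites".
# CONTOSO\svc-crawl is a constructed placeholder for your crawl account.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$crawlAccount = "CONTOSO\svc-crawl"
$upa = Get-SPServiceApplication |
    Where-Object { $_.TypeName -eq "User Profile Service Application" }
if (-not $upa) { throw "No User Profile Service application found." }

# --- 1. Crawl account permission (the Operations > Administrators ACL) ---
$acl = Get-SPServiceApplicationSecurity -Identity $upa -Admin
$principal = New-SPClaimsPrincipal -Identity $crawlAccount -IdentityType WindowsSamAccountName
Grant-SPObjectSecurity -Identity $acl -Principal $principal `
    -Rights "Retrieve People Data for Search Crawlers"
Set-SPServiceApplicationSecurity -Identity $upa -ObjectSecurity $acl -Admin

# Verify that the account now holds only the crawl right, not Full Control
(Get-SPServiceApplicationSecurity -Identity $upa -Admin).AccessRules |
    Where-Object { $_.Name -like "*svc-crawl*" } |
    Select-Object Name, AllowedRights

# --- 2. Start address used to crawl user profiles (assumes one Search service application) ---
$ssa = Get-SPEnterpriseSearchServiceApplication
$source = Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $ssa `
    -Identity "Local SharePoint sites"
$profileUrls = @($source.StartAddresses | Where-Object { $_.Scheme -like "sps3*" })
if ($profileUrls.Count -eq 0) {
    Write-Warning "No sps3:// start address: user profiles are not being crawled."
}
foreach ($url in $profileUrls) {
    # Find the Web application that answers for this host and compare its scheme
    $webApp = Get-SPWebApplication | Where-Object { ([Uri]$_.Url).Host -eq $url.Host }
    if (-not $webApp) {
        Write-Warning "$url : no Web application found for host $($url.Host)"
    } elseif (([Uri]$webApp.Url).Scheme -eq "https" -and $url.Scheme -ne "sps3s") {
        Write-Warning "$url : Web application uses SSL, start address should be sps3s://$($url.Host)"
    } else {
        "OK: $url crawls the profiles served by $($webApp.Url)"
    }
}
```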

Event ID 3 is logged in the application log

This issue occurs if the Microsoft SharePoint Server 2010 August 2010 Cumulative Update is installed after the User Profile Service application was created and the User Profile Synchronization service was started.

These errors should not affect the functionality of the profile synchronization feature, and can be ignored. If you want to eliminate these errors, you must delete and re-create the User Profile Service application. For more information about this issue, see https://support.microsoft.com/kb/2432041.

Acknowledgements

The SharePoint Server 2010 Content Publishing team thanks Spencer Harbar, Enterprise Architect, for contributing to this article. His blog can be found at http://www.harbar.net.

See Also

Concepts

User Profile Service troubleshooting
Configure profile synchronization (SharePoint Server 2010)
Plan for profile synchronization (SharePoint Server 2010)
Manage profile synchronization (SharePoint Server 2010)
Configure a profile synchronization connection in SharePoint Server 2010 (video)
Configure a synchronization connection to a SQL Server database in SharePoint Server 2010 (video)