Role Synchronization failed for a user account (Duet Enterprise 2.0)

 

Applies to: Duet Enterprise for Microsoft SharePoint and SAP Server 2.0

**Summary:**Learn how to resolve an issue where role synchronization fails for a particular user account.

Summary

The Role Synchronization (RoleSync) solution included with Duet Enterprise for Microsoft SharePoint and SAP Server 2.0 enables SharePoint administrators to synchronize the SAP roles property that is stored in the SAP profile store with SharePoint user profiles. After role synchronization is performed, users can use SharePoint People Picker to grant permissions on any securable object in SharePoint, such as sites, lists, and files.

After new user accounts are added to Active Directory Domain Services (AD DS), the SAP system must synchronize with AD DS to discover the new user accounts. Then an SAP administrator can create an SAP user account for those AD DS users and associate an SAP role with them. If a user profile is created in SharePoint for the new users before the next Role Synchronization job is run on the SharePoint farm, the SAP role assigned to the new user accounts will be synchronized with the SharePoint User Profile Store.

However, if this synchronization job occurs before the user account has been added to SharePoint, either using SharePoint User Profile Synchronization or adding the user profile manually, then the Role Synchronization job is unable to locate the user profile. If this occurs, SharePoint will log an event for the administrator and proceed with synchronizing SAP roles for other user profiles. Future incremental synchronization jobs will also fail to synchronize the roles for the newly added users even after a user profile has been created in SharePoint for the new user.

Resolution

To resolve this issue, run a profile synchronization job.

Note

You must be a member of the Farm Administrators group to complete this procedure.

Before you start this procedure, ask the SAP administrator to ensure that the "Synchronize roles to consumers" job has finished running on the SAP system.

The SAP administrator must run the "Synchronize roles to consumers" job periodically to synchronize the user roles on the SAP system with the SAP profile store on the server that is running SAP NetWeaver. We recommend that you do not synchronize the SAP user profile store with the SharePoint user profile store until the SAP administrator has completed the synchronization job. Otherwise, the synchronization job between the SAP profile store and the SharePoint user profile store can take much longer to complete. Also, recently added users might not be synchronized. Note that the "Synchronize roles to consumers" job takes approximately 80 minutes to synchronize 100,000 users, while synchronizing the profile store in SAP NetWeaver to the SharePoint user profile store takes approximately 100 minutes to synchronize 100,000 users.

To run a full synchronization job

  1. In Central Administration, on the Quick Launch, click Monitoring.

  2. On the Monitoring page, in the Timer Jobs section, click Review job definitions.

  3. On the Job Definitions page, in the Title column, click the Duet Enterprise Profile Synchronization for <User profile service application name> link.

    Where <User Profile service application name> is the name of the User Profile service application that you are using for role synchronization.

    Tip

    If you have only one User Profile service application, by default this name is Duet Enterprise Profile Synchronization for User Profile Service Application.

  4. On the Edit Timer Job page, click Run Now.

For more information about SharePoint timer jobs, see View timer job status in SharePoint 2013.