Symptom
Under certain conditions, you may see this error message when you try to start the FIM Synchronization Service:
UserProfileApplication.SynchronizeMIIS: Failed to configure ILM, will attempt during next rerun. Exception: System.Security.SecurityException: There are currently no logon servers available to service the logon request.
   at System.Security.Principal.WindowsIdentity.KerbS4ULogon(String upn)
   at System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName, String type)
   at System.Security.Principal.WindowsIdentity..ctor(String sUserPrincipalName)
   at Microsoft.IdentityManagement.SetupUtils.IlmWSSetup.GetDomainAccountSIDHexString(String domainName, String accountName)
   at Microsoft.IdentityManagement.SetupUtils.IlmWSSetup.GrantSQLRightsToServiceAccount()
   at Microsoft.IdentityManagement.SetupUtils.IlmWSSetup.IlmBuildDatabase()
   at Microsoft.Office.Server.UserProfiles.Synchronization.ILMPostSetupConfiguration.ConfigureIlmWebService(Boolean existingDatabase)
   at Microsoft.Office.Server.Administration.UserProfileApplication.SetupSynchronizationService(ProfileSynchronizationServiceInstance profileSyncInstance)
The Zone of the assembly that failed was: MyComputer.
Cause
The cause is related to Kerberos and is a little difficult to explain (as always with Kerberos!). I will try to keep it as simple as possible:
The OWSTIMER process tries to get a service ticket for itself (a TGS whose Sname/SPN is the OWSTIMER account) that contains information about itself; this is called S4U2Self, and it is exactly what the WindowsIdentity(String upn) constructor in the stack trace does through KerbS4ULogon.
However, a security feature introduced in Windows Server 2003 prevents the KDC from issuing a TGS for an account that has no SPN defined, as explained in this TechNet article (https://technet.microsoft.com/fr-fr/library/cc772815(WS.10).aspx):
“Additionally, in Windows Server 2003, KDCs will not issue a service ticket for an account that does not have an SPN. If a service account were simply a user account with a human-generated password, then that account would be more vulnerable to an offline dictionary attack. For an account without an SPN, the KDC will return KDC_ERR_S_PRINCIPAL_UNKNOWN. However, the context of the error will be KRB_ERR_MUST_USE_USER2USER, which has the description of "Server principal valid for user-to-user only."”
Resolution
It is very easy to fix: all you need is to add a placeholder SPN, whatever it is, to the OWSTimer account, so that the KDC will issue a ticket for that account. For example:
setspn -a NONE/NONE OWSTimerAccount
Then you can successfully start your service!
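The following PowerShell script is an added example, not part of the original post, that ties the Cause and Resolution sections together: it looks up the service account's SPNs in Active Directory, reproduces the S4U2Self logon from the stack trace with the same WindowsIdentity(String upn) constructor, and only registers the placeholder SPN from the post when explicitly asked to. It assumes a domain-joined machine, that the current user can read the account object and run setspn.exe, and that the account's sAMAccountName is known (the names Get-AccountSpn, Test-S4U2SelfLogon and Invoke-OwsTimerSpnCheck are the example's own).

```powershell
# Added example: diagnose the "no logon servers available" S4U2Self failure
# for a service account and optionally apply the placeholder-SPN fix.
# Assumptions: domain-joined host, System.DirectoryServices available (always
# on Windows), setspn.exe on PATH. Function names are this example's own.

function Get-AccountSpn {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    # Plain LDAP search so the ActiveDirectory RSAT module is not required.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=user)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
    [void]$searcher.PropertiesToLoad.Add('userPrincipalName')
    $result = $searcher.FindOne()
    if (-not $result) { throw "Account '$SamAccountName' not found in the current domain." }
    [pscustomobject]@{
        SamAccountName        = $SamAccountName
        UserPrincipalName     = [string]$result.Properties['userprincipalname'][0]
        ServicePrincipalNames = @($result.Properties['serviceprincipalname'])
    }
}

function Test-S4U2SelfLogon {
    param([Parameter(Mandatory = $true)][string]$UserPrincipalName)
    try {
        # Same call as the failing frame in the post: WindowsIdentity(String upn)
        # performs a KerbS4ULogon, i.e. an S4U2Self request to the KDC.
        $identity = New-Object System.Security.Principal.WindowsIdentity($UserPrincipalName)
        [pscustomobject]@{ Succeeded = $true; Sid = $identity.User.Value; Error = $null }
    } catch {
        # PowerShell wraps constructor failures; report the underlying exception.
        $base = $_.Exception.GetBaseException()
        [pscustomobject]@{ Succeeded = $false; Sid = $null; Error = "$($base.GetType().Name): $($base.Message)" }
    }
}

function Invoke-OwsTimerSpnCheck {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,  # e.g. the OWSTIMER service account
        [switch]$Fix                                           # register the placeholder SPN when set
    )
    $account = Get-AccountSpn -SamAccountName $SamAccountName
    Write-Host ("SPNs registered for {0}: {1}" -f $SamAccountName, $account.ServicePrincipalNames.Count)
    $account.ServicePrincipalNames | ForEach-Object { Write-Host "  $_" }

    $logon = Test-S4U2SelfLogon -UserPrincipalName $account.UserPrincipalName
    if ($logon.Succeeded) {
        Write-Host "S4U2Self logon succeeded, SID $($logon.Sid). Nothing to fix."
        return
    }
    Write-Warning "S4U2Self logon failed: $($logon.Error)"

    if ($account.ServicePrincipalNames.Count -gt 0) {
        Write-Warning "The account already has SPNs, so this is not the missing-SPN case from the post."
        return
    }
    Write-Host "No SPN on the account: the KDC refuses the ticket (KDC_ERR_S_PRINCIPAL_UNKNOWN)."
    if ($Fix) {
        # Placeholder SPN from the post. Note the ASCII hyphen before 'a'.
        & setspn.exe -a NONE/NONE $SamAccountName
    } else {
        Write-Host "Re-run with -Fix to execute: setspn -a NONE/NONE $SamAccountName"
    }
}

# Usage (replace the placeholder with the real timer service account name):
# Invoke-OwsTimerSpnCheck -SamAccountName 'OWSTimerAccount'
# Invoke-OwsTimerSpnCheck -SamAccountName 'OWSTimerAccount' -Fix
```

Two practical notes: the same placeholder SPN must not be registered on more than one account in the forest, because duplicate SPNs break Kerberos for every account that carries them, so if several farms need this fix, give each account a distinct placeholder and prefer `setspn -S` (which checks for duplicates before adding) on Windows Server 2008 and later. And because the check above issues a real S4U2Self request, the script itself needs line of sight to a domain controller; the post's error text ("no logon servers available") is what the KDC's refusal surfaces as on the client side, not a network failure.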
Comments
Anonymous
June 23, 2011
Many thanks for sharing this, I had the same issue and your suggestion worked! I added some further information to my blog entry regarding this www.paulgrimley.com/.../user-profile-synchronization-service.html.
Anonymous
May 27, 2012
I am using the same command in PowerShell but it says Unknown parameter NONE/NONE. Please check your usage.
Anonymous
February 25, 2014
If you copy & paste the 'setspn –a NONE/NONE OWSTimerAccount ' you'll get the unknown parameter. Get rid of the hyphen '-' and type it in. That fixed it for me.