From a recent support incident, I stumbled over an interesting thing…
Consider the following:
Your User profile service application and the Profile import and Sync is working like a charm but for some reason, we get bulks of Event warnings in the application log… so we dived into it a bit deeper…
while investigation besides on certmgr.msc console, we noticed multiple certificates, created daily new and in Event application log, we got these errors and warnings each day:
Event ID: 234
ILM Certificate could not be created: Cert step 2 could not be created: C:Program FilesMicrosoft Office Servers14.0ToolsMakeCert.exe -pe -sr LocalMachine -ss My -a sha1 -n CN=”ForefrontIdentityManager” -sky exchange -pe -in “ForefrontIdentityManager” -ir localmachine -is root
Event ID: 234
ILM Certificate could not be created: netsh http error:netsh http add urlacl url=http://+:5725/ user=Domainspfarm sddl=D:(A;;GA;;;S-1-5-21-2972807998-902629894-2323022004-1104)
Event ID: 22
The Forefront Identity Manager Service cannot connect to the SQL Database Server. The SQL Server could not be contacted. The connection failure may be due to a network failure, firewall configuration error, or other connection issue. Additionally, the SQL Server connection information could be configured incorrectly.
Verify that the SQL Server is reachable from the Forefront Identity Manager Service computer. Ensure that SQL Server is running, that the network connection is active, and that the firewall is configured properly. Last, verify the connection information has been configured properly. This configuration is stored in the Windows Registry.
After some time of research and troubleshooting, it turned out that the cause was the spbackup job!
Each time we perform a SharePoint backup including the user profile service application, right after finishing the backup job, the events are logged and another ForeFront certificate is added into the certificate store.
As part of provisioning the ForeFront Identity Manager, a self signed certificate is created for the Computer Account added to the Trusted People certificate store used by the web service on port 5725.
So when we do a SPBackup, the called timerjob reprovisions the same steps as when creating the user profile service initially. Part of this process is creating the certificates by using netshell commands.
Step 1 creates the certificate and step 2 will issue the trust which fails because a signed certificate already exists. This is the reason for the event errors logged as described because there is no check to determine whether a certificate already exists.
You can delete the extra certificates in certmgr.msc
To do so, on the Server that hosts the user profile service application, go to “start” and type “mmc.exe” and start the program:
click on the “Add/Remove Snap-In” and then click on “Certificates” as shown below:
once you clicked the “Add” button in the middle, another window appears like this:
if you are on the SharePoint Server that is running the User profile service, choose “Local Computer”, else click “Another computer” and connect to it:
Now select the service accounts as shown below, to connect to “Service account” Forefront identity manager service and repeat the steps for the Forefront Identity manager synchronization service as well:
Repeat all above steps for “My User” and “Computer Account” as well to ensure that you got definitely all duplicated certificates!
Next, Expand each node and check for any Forefront certificates and delete the unnecessary Forefront certificates
You can identify the original or oldest one by opening the certificate, click on tab “Details” and check the “valid from”
There is no harm on the detected event ID’s 22 and 234 or the multiple creation of the certificates and they can be safely ignored.
Currently it is not planned to get a fix for it as the workaround would have less impact than a code change. But this “issue” although it might be a “non-issue” is reported and maybe will be fixed in any future release or service pack but with no promise. See also KB 2498715.
If there is any change or update to this, I’ll post it here with an update.
Stay tuned, cheers – Steve 😉
Disclaimer: NOTE! This posting is provided “AS IS” with no warranties, and confers no rights.