From a recent support incident, I stumbled over an interesting thing…
Consider the following:
Your User Profile Service Application and the profile import and sync are working like a charm, but for some reason we get bulk event warnings in the Application log… so we dived into it a bit deeper…
Symptoms
While investigating, we noticed in the certmgr.msc console multiple certificates, with a new one created every day, and in the Application event log we got these errors and warnings each day:
Event ID: 234
Description:
ILM Certificate could not be created: Cert step 2 could not be created: C:\Program Files\Microsoft Office Servers\14.0\Tools\MakeCert.exe -pe -sr LocalMachine -ss My -a sha1 -n CN="ForefrontIdentityManager" -sky exchange -pe -in "ForefrontIdentityManager" -ir localmachine -is root
Event ID: 234
Description:
ILM Certificate could not be created: netsh http error:netsh http add urlacl url=http://+:5725/ user=Domain\spfarm sddl=D:(A;;GA;;;S-1-5-21-2972807998-902629894-2323022004-1104)
Event ID: 22
Description:
The Forefront Identity Manager Service cannot connect to the SQL Database Server. The SQL Server could not be contacted. The connection failure may be due to a network failure, firewall configuration error, or other connection issue. Additionally, the SQL Server connection information could be configured incorrectly.
Verify that the SQL Server is reachable from the Forefront Identity Manager Service computer. Ensure that SQL Server is running, that the network connection is active, and that the firewall is configured properly. Last, verify the connection information has been configured properly. This configuration is stored in the Windows Registry.
Cause
After some time of research and troubleshooting, it turned out that the cause was the spbackup job!
Each time we perform a SharePoint backup that includes the User Profile Service Application, right after the backup job finishes, the events are logged and another ForeFront certificate is added to the certificate store.
Reason:
As part of provisioning the ForeFront Identity Manager, a self-signed certificate is created for the computer account and added to the Trusted People certificate store; it is used by the web service on port 5725.
So when we run an SPBackup, the timer job it calls re-runs the same provisioning steps as when the User Profile Service Application was first created. Part of this process is creating the certificates with the MakeCert and netsh commands shown in the events above.
Step 1 creates the certificate and step 2 issues the trust, which fails because a signed certificate already exists. This is why the events are logged as described: there is no check to determine whether a certificate already exists.
Workaround
You can delete the extra certificates in certmgr.msc.
To do so, on the server that hosts the User Profile Service Application, go to "Start", type "mmc.exe" and start the program:
Click "Add/Remove Snap-In" and then click "Certificates" as shown below:
Once you click the "Add" button in the middle, another window appears like this:
If you are on the SharePoint server that is running the User Profile Service, choose "Local Computer"; otherwise click "Another computer" and connect to it:
Now select the service accounts as shown below to connect to the "Service account" Forefront Identity Manager Service, and repeat the steps for the Forefront Identity Manager Synchronization Service as well:
Repeat all the above steps for "My User" and "Computer Account" as well, to be sure you catch all duplicated certificates!
Next, expand each node, check for any Forefront certificates and delete the unnecessary ones.
You can identify the original (oldest) one by opening the certificate, clicking the "Details" tab and checking the "Valid from" field.
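The same cleanup can be scripted so it runs after each spbackup, which is what one of the commenters below describes. This is an added example, not code from the original post or from Microsoft: it walks the LocalMachine My, Trusted People and Trusted Root stores, keeps the oldest ForeFront certificate per store (the "Valid from" rule above) and removes the rest. It assumes the subject is exactly CN=ForefrontIdentityManager as in the event 234 MakeCert command, and it does not touch the per-service-account stores, which still need the MMC steps.

```powershell
# Added example (not from the original post): remove duplicate ForeFront
# Identity Manager certificates from the LocalMachine stores, keeping the
# oldest one (NotBefore = "Valid from") in each store.
# Run in an elevated PowerShell on the server hosting the User Profile
# Service Application. Assumptions: subject CN=ForefrontIdentityManager;
# store names as in the post; service-account stores are not covered.
param(
    [switch]$DryRun   # list what would be removed without deleting anything
)

$subject    = "CN=ForefrontIdentityManager"
$storeNames = @("My", "TrustedPeople", "Root")

foreach ($name in $storeNames) {
    # X509Store works on PowerShell 2.0 (SharePoint 2010 era) as well as later versions
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($name, "LocalMachine")
    $store.Open("ReadWrite")

    # Oldest first, so index 0 is the original certificate to keep
    $certs = @($store.Certificates | Where-Object { $_.Subject -eq $subject } | Sort-Object NotBefore)
    if ($certs.Count -le 1) {
        Write-Host "$name : $($certs.Count) ForeFront certificate(s), nothing to do"
        $store.Close()
        continue
    }

    $keep = $certs[0]
    Write-Host "$name : keeping $($keep.Thumbprint) valid from $($keep.NotBefore)"
    foreach ($cert in $certs[1..($certs.Count - 1)]) {
        if ($DryRun) {
            Write-Host "$name : would remove $($cert.Thumbprint) valid from $($cert.NotBefore)"
        } else {
            $store.Remove($cert)
            Write-Host "$name : removed $($cert.Thumbprint) valid from $($cert.NotBefore)"
        }
    }
    $store.Close()
}
```

Run it once with -DryRun and compare the listed thumbprints against the MMC view before letting it delete anything.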
More Information
There is no harm in the detected event IDs 22 and 234 or in the multiple creation of the certificates, and they can be safely ignored.
Currently no fix is planned, as the workaround has less impact than a code change. But this "issue", although it might be a "non-issue", is reported and may be fixed in a future release or service pack, with no promise. See also KB 2498715.
If there is any change or update to this, I’ll post it here with an update.
Stay tuned, cheers – Steve 😉
Disclaimer: NOTE! This posting is provided “AS IS” with no warranties, and confers no rights.
Hi Steve,
User Profile Service Application is getting the error below:
the management agent moss userprofile completed run profile with delta import event id 6127
forefront identity manager an existing connection was forcibly closed by remote host event id 3
Purely desire to declare your post is really as shocking. This clarity with your submit is simply wonderful, as well as I could truthfully presume you're an expert within this theme.
Thanks :))
FYI this is not actually a harmless issue. It manifested itself in our environment by the user profile synchronization service refusing to start at all. We had to delete the duplicate certificates as described in your post before the UPS service would start again. Hardly a non-issue!
Hi Steve, in the workaround section I open Cert Manager but don't see any references to service account, computer account or my user account. I can see, however, many Forefront certs in the Trusted Root Certification Authorities and one reference to the cert in Trusted People.
Is the assumption that this "workaround" is to be performed every time a backup runs? If we choose to ignore this, then a year from now we go into the cert store won't there be hundreds of these depending on how many backups we've ran?
Hi "ac",
I just modified the "workaround" section and added some screenshots to better understand it 😉
Hth, cheers, Steve
Hi Chad,
I'm not aware that this was fixed yet, but with the June 2011 CU we released new FIM bits, which may contain this fix as well (did not verify).
Otherwise, for the spbackup job you can use scripts to delete the dupes after every backup (that's what my customer did).
However, I've never come across that issue again for a while, so I assume it is fixed somehow…
However, the FIM bits themselves are supported by another team and I do not get all the info from them like I get for SharePoint…
So if you check after a backup on a more recent patch level and still get the repeatedly created certs, you can open a new Service Request and try to get a fix for it.
Sorry, don't have better adds yet,
cheers, Steve