Trials and Tribulations of the SharePoint Server 2010 User Profile Service Application

For us, identity is such a big piece of work that we wanted to centralise the whole import and transform process with a publishing and consuming farm topology. We import users from Active Directory here and also supplement the profiles with additional data from third-party databases and LOB systems such as Oracle databases, JD Edwards and other custom identity solutions.

Sure there are other methods of achieving this, but we didn’t want to litter our other farms with the User Profile Service Application and then use the User Profile Replication Engine (http://technet.microsoft.com/en-us/library/cc663011.aspx) which comes with the SharePoint 2010 Administration Toolkit (http://technet.microsoft.com/en-us/library/cc508849.aspx). There’s extra storage to consider based on the service application per user profile and also the extra administrative overhead but you might still want to have a look into it. All I’m saying is, it wasn’t right for us.

I’ve been pulling my hair out for the last several days and thought I would share some of the knowledge to save people from the same bizarre issues that I’ve come across. So here we go.

Scenario:

You have two SharePoint Server 2010 farms, one Enterprise (Publishing) and one Collaborative (Consuming) farm. On the Enterprise farm you have your User Profile Service Application that you are publishing to any consuming farms. Your end users are accessing sites on the consuming farm for their collaborative sites as well as their My Sites.

Problems:

Some of the problems that I encountered along the way were as follows; each one of these pretty much has an associated fix.
• When the end user searches for any colleagues in the collaborative farm they only see data that has been presented in Active Directory without any supplemented details from the User Profile Application (UPA).
• When you add a user to your site you don’t receive supplemented details such as About Me.
• When you create a My Site on your collaborative farm you receive the following errors:
- Could not load user profile.
- There has been an error creating the personal site. Contact your site administrator for more information.
- You do not have permissions to have lists and pages within My Site.

Problem 1:

• When the end user searches for any colleagues in the collaborative farm they only see data that has been presented in Active Directory without any supplemented details from the User Profile Application (UPA).
• When you add a user to your site you don’t receive supplemented details such as About Me.

Solution:

When you publish the UPA you need to ensure that the Application Pool ID of each of the consuming farm’s Web Apps is present. What that means is, for each Web App that will need to access the UPA on the publishing farm, that App Pool ID needs to be present in the Publishing Permissions with Full Control. Now this is where I ran into issues: I also had to add these consuming App Pool IDs to UPA Administrators on the publishing farm.
Here is another gotcha. Not sure if it’s just our environment or what, but our consuming Pre Production and Production farms still did not fire off the Connection to: ……….. User Profile to SharePoint Full Synchronization or Connection to: ……….. User Profile to SharePoint Quick Synchronization timer jobs successfully. If you turn up ULS logging to Verbose, look for an event omvh, which should be the timer job kicking off the sync job, and look for any exceptions that might appear. We didn’t see any of these timer jobs running, so we had to manually kick them into life and it worked.
Just for the interested, if you don’t have your Application Pool IDs in both the UPA Administrators and Permissions you’ll be able to observe the following behaviour. Prior to me adding the IDs I was seeing an Access Denied in the Microsoft Service Trace Viewer (http://msdn.microsoft.com/en-us/library/ms732023.aspx) trace of the Profile Web Service.

Basic Information

Activity Name Process action ‘http://Microsoft.Office.Server.UserProfiles/GetProfileProperties’.
Time 2010-09-23 01:09:36.3123
Level Error
Source System.ServiceModel
Process w3wp
Thread 32
Computer XXXXXXXX
Trace Identifier/Code http://msdn.microsoft.com/en-GB/library/System.ServiceModel.Diagnostics.ThrowingException.aspx
Exception
System.ServiceModel.FaultException, System.ServiceModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

Message

Access is denied.

To get your trace, simply open up the web.config (make sure you back it up first) in C:\Program Files\Microsoft Office Servers\14.0\WebServices\Profile and go to <system.diagnostics>. You’ll notice that it’s commented out with the <!-- and --> tags. Replace it with:
  <system.diagnostics>
    <sources>
      <source name="System.ServiceModel"
              switchValue="Information, ActivityTracing"
              propagateActivity="true">
        <listeners>
          <!-- The c:\log folder must already exist and be writable by the service's application pool account. -->
          <add name="traceListener"
               type="System.Diagnostics.XmlWriterTraceListener"
               initializeData="c:\log\Traces.svclog" />
        </listeners>
      </source>
    </sources>
  </system.diagnostics>

And remember to uncomment by removing your comment tags. Now you should be able to try rerunning the Profile Sync jobs or simply wait for them to fire off, every 5 minutes for the Quick Sync or every hour for the Full Sync. There seems to be an oddity though: if you look at your Connection to: ……….. User Profile to SharePoint Full Synchronization, it’s set to hourly with Starting every hour between 0 minutes and no later than 0 minutes! That should read 0 and 59 minutes, so if your Full Sync doesn’t run you know why.

You should be able to see all your content databases being updated in the ULS logs by the Profile Sync now, so if you do a refresh all additional profile properties will be updated.

Problem 2:

When creating a My Site on the consuming farm you get the following error:
• Could not load user profile.

Solution:

This one still baffles me as to why I received this. Even though I had a Full Import sorted and I could see the profile properties being updated on all my consuming farm’s Web Apps, I could still not create a My Site. I simply deleted the UPA connection on the consuming farm to the publishing farm and removed the UPA WITHOUT deleting the associated databases, so we could save some time without needing a full 5 hour import again! I created a new UPA, entered the same database names, specified the server that will run the profile service, added my URL for the dummy mysite in the Enterprise (publishing) farm and away we went. I started the User Profile Synchronization Service on the UP server and waited till it had started correctly, which takes about 5 minutes. I republished and repermissioned the UPA with the above settings and simply connected it to the consuming farm.

To save time I fired off the Connection to: ……….. User Profile to SharePoint Full Synchronization manually and ensured that it synchronised the profile properties to the consuming farm. Remember to change the time for this timer job as it seems to set it to 0 and 0.
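The schedule check and manual start described for the sync timer jobs under Problem 1 and again here can be scripted. This is an added example, not code from the original post; it assumes the SharePoint 2010 Management Shell on the consuming farm, matches jobs by the display-name suffix quoted above, and uses a hypothetical `$apply` switch so that it only reports by default.

```powershell
# Added example (not from the original post). Run as a farm administrator
# in the SharePoint 2010 Management Shell on the consuming farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$apply = $false   # hypothetical switch: set to $true to fix schedules and start jobs

# The display-name prefix is the connection name, so match on the suffix only.
$syncJobs = @(Get-SPTimerJob | Where-Object {
    $_.DisplayName -like "*User Profile to SharePoint Full Synchronization" -or
    $_.DisplayName -like "*User Profile to SharePoint Quick Synchronization"
})
if ($syncJobs.Count -eq 0) {
    Write-Warning "No User Profile to SharePoint synchronization jobs found."
    return
}

foreach ($job in $syncJobs) {
    $schedule = $job.Schedule

    # The oddity from the post: an hourly window that starts and ends at minute 0.
    $zeroWindow = ($schedule -is [Microsoft.SharePoint.SPHourlySchedule]) -and
                  ($schedule.BeginMinute -eq 0) -and
                  ($schedule.EndMinute -eq 0)

    # Report the current state of each job before touching anything.
    New-Object PSObject -Property @{
        Job              = $job.DisplayName
        Schedule         = "$schedule"
        LastRun          = $job.LastRunTime
        Disabled         = $job.IsDisabled
        ZeroMinuteWindow = $zeroWindow
    } | Select-Object Job, Schedule, LastRun, Disabled, ZeroMinuteWindow

    if ($apply) {
        if ($zeroWindow) {
            # Widen the window to the 0-59 minutes the post says it should be.
            Set-SPTimerJob -Identity $job -Schedule "hourly between 0 and 59"
        }
        # Kick the job into life manually, as done in the post.
        Start-SPTimerJob -Identity $job
    }
}
```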

This leads me on to the next problem, as they all seem to be related.

Problem 3:

When creating a My Site on the consuming farm you get the following error:
• You do not have permissions to have lists and pages within My Site.

Solution:

This takes me back to my days of Microsoft when we supported MOSS 2007 in the UK Premier team. Ahh the fantastic memories and some right mares too… ;-)
What it simply means is that your AAMs (alternate access mappings) are incorrect. What you need to do is add the publishing farm’s My Site AAM to the consuming farm’s AAMs. So if your Default zone on your publishing My Site Web App has http://mysite.publishing.domain.com then you need to add this URL to, say, the Intranet Zone of your consuming farm’s My Site Web App. So your consuming Web App AAMs would be Default http://mysite.consuming.domain.com and Intranet http://mysite.publishing.domain.com.
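The mapping described above can be checked and added from the SharePoint 2010 Management Shell on the consuming farm. This is an added example, not code from the original post; the two URLs are the sample ones used in the paragraph above and the Intranet zone is the post's own suggestion.

```powershell
# Added example (not from the original post). Run on the consuming farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$consumingWebApp  = "http://mysite.consuming.domain.com"    # consuming My Site, Default zone
$publishingMySite = "http://mysite.publishing.domain.com"   # publishing farm's My Site URL
$zone             = "Intranet"                              # zone suggested in the post

# Show every mapping the consuming My Site Web App currently has.
$all = @(Get-SPAlternateURL -WebApplication $consumingWebApp)
$all

# Is the publishing URL already mapped, and is the target zone still free?
$alreadyMapped = @($all | Where-Object { $_.IncomingUrl -eq $publishingMySite })
$zoneInUse     = @(Get-SPAlternateURL -WebApplication $consumingWebApp -Zone $zone)

if ($alreadyMapped.Count -gt 0) {
    Write-Host "$publishingMySite is already mapped on $consumingWebApp."
}
elseif ($zoneInUse.Count -gt 0) {
    # A zone holds one public URL; do not overwrite a mapping someone else set up.
    Write-Warning "The $zone zone already has a URL. Pick another free zone."
}
else {
    New-SPAlternateURL -WebApplication $consumingWebApp -Url $publishingMySite -Zone $zone
}
```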

And… this takes me on to the next problem.

Problem 4:

When creating a My Site on the consuming farm you get the following error:
• There has been an error creating the personal site. Contact your site administrator for more information.

This issue was around in MOSS; by the looks of things it’s still not fixed. If you turn up the ULS and check for the correlation ID of this error you’ll come across this error:
Unknown SPRequest error occurred. More information: 0x80070005

It simply means Access Denied. The workaround (I say workaround as it’s not an ideal solution) is to add the consuming farm’s My Site App Pool ID into the consuming Farm Administrators group. Perform an iisreset and you’re good to go. Now I don’t exactly know why you need to elevate the privileges for this particular action but it’s still the same problem as it was in MOSS 2007.
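Since this workaround leaves an application pool account in Farm Administrators, it is worth being able to list which pool accounts hold that membership. This is an added example, not code from the original post; it assumes the English group name "Farm Administrators", classic-mode login names (DOMAIN\account) and direct membership only, so accounts that are members through an AD group are not detected.

```powershell
# Added example (not from the original post). Run on the consuming farm
# in the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# The Farm Administrators group lives in Central Administration's root web.
$caWebApp = Get-SPWebApplication -IncludeCentralAdministration |
    Where-Object { $_.IsAdministrationWebApplication }
$caSite = $caWebApp.Sites[0]
$farmAdmins = $caSite.RootWeb.SiteGroups["Farm Administrators"]  # English name assumed

# Direct members only; nested AD group membership is not expanded.
$adminLogins = @($farmAdmins.Users | ForEach-Object { $_.LoginName.ToLower() })

# Compare every content Web App's pool identity against that list.
Get-SPWebApplication | ForEach-Object {
    $account = "$($_.ApplicationPool.Username)"
    New-Object PSObject -Property @{
        WebApplication       = $_.Url
        AppPoolAccount       = $account
        InFarmAdministrators = ($adminLogins -contains $account.ToLower())
    }
} | Select-Object WebApplication, AppPoolAccount, InFarmAdministrators |
    Format-Table -AutoSize

$caSite.Dispose()
```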

One last word of warning if you’re using SQL Aliasing with cliconfg. Make sure you add the publishing farm’s SQL alias to all your consuming farms, otherwise none of this will work and you’ll receive some most peculiar issues. You’ve been warned.

Hope this helps some of you guys and gals out there and gets that Project Manager off your back!

Kristof Kowalski // Kristof@kowalski.ms
  • Elway9798

    You are awesome…saved my butt!

  • Daniel Westerdale

    I have just started to access the farm I am on. Anyway, I do get the error: “You do not have permissions to have lists and pages within My Site”, but only when I click on the content tab on my sites. I don’t yet have permissions to check the AAM so I cannot verify if the fix you describe will work. Any thoughts?