User Profile Synchronization Service stuck on “Starting” and “Security Token Service is unavailable”

The User Profile Synchronization Service got stuck on “Starting”. Browsing the event log, I noticed event 8306, “An exception occurred when trying to issue security token…”. I then checked the Security Token Service status and found “Security Token Service is unavailable” in the Health Analyzer.

When trying to browse the SecurityTokenService application in IIS Manager, I got a 500.19 Internal Server Error, “The requested page cannot be accessed because the related configuration data for the page is invalid”, as the following screenshot depicts. The cause was a redundant module registration (to this day I can’t figure out how this happened). The fix is to comment out the add tag in the SecurityTokenService’s web.config, located at “C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken”:

<!-- <add name="WindowsAuthenticationModule" /> -->
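A 500.19 of this kind appears whenever a web.config adds a module that IIS has already registered at the server level (applicationHost.config) without first removing it. The following check, an added example and not code from the original post, walks the modules section of a web.config in document order, honouring clear and remove elements, and reports every add whose name is already inherited or already added earlier in the same file. The two file paths are assumptions; adjust them for your server.

```powershell
# Added example (not from the original post). Reports <add name="..."/> entries under
# <system.webServer><modules> that collide with a module already registered in the
# inherited IIS configuration, which is what produces the 500.19 error described above.

function Get-InheritedModuleNames {
    # Assumed default location of the IIS server-level configuration.
    param([string]$ApplicationHostPath = "$env:windir\System32\inetsrv\config\applicationHost.config")
    [xml]$appHost = Get-Content -Path $ApplicationHostPath
    $names = @{}
    # Module registrations live under <location path=""> and possibly other <location> blocks.
    foreach ($add in $appHost.SelectNodes("//system.webServer/modules/add")) {
        $names[$add.GetAttribute("name")] = $true
    }
    return $names
}

function Find-DuplicateModuleRegistrations {
    param(
        [string]$WebConfigPath,
        [hashtable]$Inherited
    )
    [xml]$cfg = Get-Content -Path $WebConfigPath
    $seen = $Inherited.Clone()          # start from what the site inherits from IIS
    $duplicates = @()
    $modules = $cfg.SelectSingleNode("/configuration/system.webServer/modules")
    if ($modules -eq $null) { return $duplicates }
    foreach ($child in $modules.ChildNodes) {
        # Comments (like the commented-out add tag above) have LocalName "#comment" and are skipped.
        switch ($child.LocalName) {
            "clear"  { $seen.Clear() }
            "remove" { $seen.Remove($child.GetAttribute("name")) }
            "add"    {
                $name = $child.GetAttribute("name")
                if ($seen.ContainsKey($name)) { $duplicates += $name } else { $seen[$name] = $true }
            }
        }
    }
    return $duplicates
}

# Assumed path of the Security Token Service web.config (the 14 hive path from the post).
$stsWebConfig = "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config"
$dupes = Find-DuplicateModuleRegistrations -WebConfigPath $stsWebConfig -Inherited (Get-InheritedModuleNames)
if ($dupes) {
    Write-Host "Duplicate module registrations: $($dupes -join ', ')" -ForegroundColor Yellow
} else {
    Write-Host "No duplicate module registrations found in $stsWebConfig" -ForegroundColor Green
}
```

Run it from an elevated PowerShell prompt on the server; reading applicationHost.config requires administrative rights. Any name it reports is a candidate for the same comment-out (or a preceding remove element) that fixed WindowsAuthenticationModule here.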

I then tried to start the User Profile Synchronization Service again, only to notice that it stopped after a couple of minutes. Browsing the event log, I noticed event 234, “ILM Certificate could not be created…”. I searched for a solution, and the best bet was Paul Culmsee’s blog post titled “More User Profile Sync Issues in SP2010: Certificate Provisioning Fun”. Error 234 appears if you have already tried to provision the User Profile Synchronization Service before: a self-signed certificate was created as part of FIM provisioning (UPSS), and provisioning it again entails recreating that certificate. Because a certificate is already there for FIM and the provisioning code doesn’t check whether one exists, the creation fails with this error.

Run MMC, add the Certificates snap-in, and examine the Trusted Root Certification Authorities store; you will notice that there are already many entries for ForefrontIdentityManager. Delete all the ForefrontIdentityManager certificates.
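The same cleanup can be scripted, which is handier when the store has accumulated many stale entries. The following is an added example, not code from the original post or from Paul Culmsee’s article: it lists the ForefrontIdentityManager certificates in the local machine’s Trusted Root Certification Authorities store, exports each one to a backup folder so the step is reversible, and then removes them. It uses the .NET X509Store API rather than Remove-Item on the Cert: drive so that it runs under the PowerShell 2.0 that ships with the SharePoint 2010 era; the backup folder path is an assumption.

```powershell
# Added example (not from the original post). Scripted equivalent of the MMC step above:
# back up and remove every ForefrontIdentityManager certificate from the machine's
# Trusted Root Certification Authorities store. Run from an elevated prompt.

function Get-FimCertificates {
    param([string]$StoreName = "Root")   # "Root" = Trusted Root Certification Authorities
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, "LocalMachine")
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    $certs = @($store.Certificates | Where-Object { $_.Subject -like "*ForefrontIdentityManager*" })
    $store.Close()
    return $certs
}

function Remove-FimCertificates {
    param(
        [string]$StoreName = "Root",
        [string]$BackupFolder = "C:\Temp\FIMCertBackup"   # assumption: any writable folder
    )
    if (-not (Test-Path $BackupFolder)) { New-Item -ItemType Directory -Path $BackupFolder | Out-Null }
    $certs = Get-FimCertificates -StoreName $StoreName
    if ($certs.Count -eq 0) {
        Write-Host "No ForefrontIdentityManager certificates found in LocalMachine\$StoreName." -ForegroundColor Green
        return
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, "LocalMachine")
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    foreach ($cert in $certs) {
        # Export the public certificate (DER) before removal; the Root store holds no private keys.
        $file = Join-Path $BackupFolder ("{0}.cer" -f $cert.Thumbprint)
        $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        [System.IO.File]::WriteAllBytes($file, $der)
        Write-Host ("Removing {0} (thumbprint {1}, expires {2}); backup at {3}" -f `
            $cert.Subject, $cert.Thumbprint, $cert.NotAfter, $file)
        $store.Remove($cert)
    }
    $store.Close()
}

# Review first, then remove.
Get-FimCertificates | Format-Table Subject, Thumbprint, NotAfter -AutoSize
Remove-FimCertificates
```

Review the listing from Get-FimCertificates before calling Remove-FimCertificates; the subject filter is intentionally narrow so that nothing other than the FIM self-signed certificates is touched, and the exported .cer files let you re-import an entry with certutil or the MMC snap-in if you ever need to.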

Now, re-provision the User Profile Synchronization Service instance on the application server by running the following PowerShell script (copied from Spence’s fantastic post on the UPA):

## Uncomment the following Add-PSSnapin line if the snap-in is not already loaded
## Add-PSSnapin Microsoft.SharePoint.PowerShell
Write-Host "Get the user profile service application" -ForegroundColor Green
# Locate the Sync database and the User Profile Service Application by type
$syncDBType = "Microsoft.Office.Server.Administration.SynchronizationDatabase"
$upaSAType = "User Profile Service Application"
$syncDB = Get-SPDatabase | Where-Object {$_.Type -eq $syncDBType}
$upa = Get-SPServiceApplication | Where-Object {$_.TypeName -eq $upaSAType}
Write-Host "Unprovision" -ForegroundColor Green
# Take the Sync database offline and clear the sync machine and database bindings
$syncDB.Unprovision()
$syncDB.Status = "Offline"
$upa.ResetSynchronizationMachine()
$upa.ResetSynchronizationDatabase()
Write-Host "Provision" -ForegroundColor Green
$syncDB.Provision()
Write-Host "Restart SP Timer service" -ForegroundColor Green
Restart-Service SPTimerV4
Write-Host "UPSS re-provisioned successfully" -ForegroundColor Green

Finally, start the User Profile Synchronization Service.
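Because the failure described in this post only shows up a couple of minutes after the start request, it is worth watching the service instance rather than assuming the start succeeded. The following is an added example, not code from the original post: after you start the service (from Central Administration, as above), it polls the User Profile Synchronization Service instance on the current server until it reports Online or falls back to Disabled (“Stopped”), then checks the Application log for any event 234 or 8306 logged since the poll began. The timeout and polling interval are assumptions.

```powershell
# Added example (not from the original post). Waits for the UPSS instance on this server
# to finish starting and reports whether the two events discussed in the post recurred.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Wait-UpssStart {
    param(
        [int]$TimeoutMinutes = 15,   # assumption: FIM provisioning normally completes well within this
        [int]$PollSeconds = 30
    )
    $began = Get-Date
    $upss = Get-SPServiceInstance | Where-Object {
        $_.TypeName -eq "User Profile Synchronization Service" -and $_.Server.Address -eq $env:COMPUTERNAME
    }
    if ($upss -eq $null) { throw "No User Profile Synchronization Service instance found on $env:COMPUTERNAME" }

    $deadline = $began.AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds $PollSeconds
        # Re-read the instance each time; the cached object does not refresh its Status.
        $status = (Get-SPServiceInstance -Identity $upss.Id).Status
        Write-Host ("{0:HH:mm:ss} UPSS status: {1}" -f (Get-Date), $status)
    } while ($status -ne "Online" -and $status -ne "Disabled" -and (Get-Date) -lt $deadline)

    # Event 234 (ILM certificate) or 8306 (security token) since we started watching means
    # the service is going to stop again and the earlier steps need to be revisited.
    $errors = @(Get-EventLog -LogName Application -After $began |
        Where-Object { $_.EventID -eq 234 -or $_.EventID -eq 8306 })

    return @{ Status = $status; Errors = $errors }
}

$result = Wait-UpssStart
if ($result.Status -eq "Online" -and $result.Errors.Count -eq 0) {
    Write-Host "UPSS is Online with no 234/8306 events logged." -ForegroundColor Green
} else {
    Write-Host ("UPSS ended in status {0} with {1} related event(s)." -f $result.Status, $result.Errors.Count) -ForegroundColor Yellow
    $result.Errors | Format-Table TimeGenerated, EventID, Source -AutoSize
}
```

Run it from the SharePoint 2010 Management Shell (or any elevated PowerShell with the snap-in loaded) on the server hosting the synchronization service. A Disabled result with an event 234 in the list points back to the certificate cleanup; an 8306 points back to the Security Token Service application.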