SP farm account password change breaking several services

Shri-6058 326 Reputation points
2020-12-31T19:04:15.11+00:00

We have a stable SP 2013 production farm, but after changing the farm admin service account I have been facing strange issues. I followed all the guidelines mentioned here: https://social.technet.microsoft.com/wiki/contents/articles/36418.sharepoint-2013-how-to-change-all-service-account-passwords.aspx

Executed the command line for setting the password, refreshed managed accounts, etc. Overall, the site collection is loading just fine.

  1. External Content type lists throw error: "Message from External System : 'Cannot logon with credentials obtained from Secure Store Provider.'."
  2. User Profile Service is always in starting state. I tried refresh, Stop-SPServiceInstance -Identity GUID. I later tried with GetTimeJob GUID and Timer.Delete(). It never turns to 'started'. I rebooted the farm several times but no use. We have many custom properties, so we can't take the risk of recreating it.
  3. Are there any other settings I have to change to ensure that existing SP services do not break?

Please advise.


Accepted answer
  1. Shri-6058 326 Reputation points
    2021-01-13T01:55:55.933+00:00

    Thank you. I haven't manually updated the FIM credentials.

    The issue was finally resolved by taking the database out of the availability group (my error description was not the same but similar), since we set up Always On availability. Restart the timer service and then stop all User Profile services on both servers (stopping the service was not a problem anyway, as it only used to get stuck at starting). Enable the User Profile service one server at a time. Once you confirm both the User Profile and synchronization services are up and running, only then start the 2nd web server.

    https://learn.microsoft.com/en-us/sharepoint/troubleshoot/administration/cannot-start-the-user-profile-synchronization-service

    Hope this helps somebody who is looking for UPS issues in a SP farm.

    Thanks
    Shri


5 additional answers

  1. Shri-6058 326 Reputation points
    2021-01-03T02:36:18.463+00:00

    Thank you. I followed all the steps. Also, I thought the following script takes care of updating managed accounts:
    $username="DOMAIN\spFarm"
    $newpassword=ConvertTo-SecureString -String "password" -AsPlainText -Force
    Set-SPManagedAccount -Identity $username -ExistingPassword $newpassword -UseExistingPassword:$true

    To ensure that it's updated, I applied another round. I still see the issue with the external content type list. It says the credentials are not correct.

    Also, the user profile service is stuck in starting. Even if I execute Unprovision, it doesn't do anything. I tried force stopping but I get the following error:

    Stopping the User Profile Instance
    Stop-SPServiceInstance : An object of the type Microsoft.SharePoint.Administration.SPServiceInstanceJobDefinition
    named "job-service-instance-xxxxx-4073-468a-a416-3d6f8c7xxxxx" already exists under the parent
    Microsoft.SharePoint.Administration.SPTimerService named "SPTimerV4". Rename your object or delete the existing
    object.
    At C:\StartSync.ps1:32 char:1
    + Stop-SPServiceInstance -Identity $service1.ID -Confirm:$false
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : InvalidData: (Microsoft.Share...ServiceInstance:SPCmdletStopServiceInstance) [Stop-SPServiceInstance], SPDuplicateObjectException
        + FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletStopServiceInstance

    Any suggestions to scan or fix?
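
A variant of the script in the post above that prompts for the password instead of storing it in the file, and checks it against the domain before handing it to SharePoint. This is an added example, not part of the original post; `DOMAIN\spFarm` is the post's placeholder, and the domain validation and the final read-back are additions that assume the account is a domain account reachable from the server.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$username = 'DOMAIN\spFarm'            # placeholder from the post
$domain, $sam = $username.Split('\')

# Prompt so the password never sits in the script file or in console history.
$secure = Read-Host -Prompt "Current AD password for $username" -AsSecureString

# Check the password against the domain first. A wrong password counts as a
# failed logon for the account, so run this once rather than in a retry loop.
$ctx = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext `
    -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain), $domain
try {
    $plain = (New-Object System.Net.NetworkCredential('', $secure)).Password
    $valid = $ctx.ValidateCredentials($sam, $plain)
}
finally {
    $plain = $null                     # drop the plaintext copy as soon as possible
    $ctx.Dispose()
}
if (-not $valid) {
    throw "The domain rejected the password for $username; nothing was changed."
}

# Same call as in the post: tell SharePoint the password already set in AD.
Set-SPManagedAccount -Identity $username -ExistingPassword $secure -UseExistingPassword:$true

# Read back what the farm now records for the managed account.
Get-SPManagedAccount -Identity $username |
    Select-Object Username, PasswordLastChanged, PasswordExpiration, AutomaticChange
```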


  2. Shri-6058 326 Reputation points
    2021-01-05T00:32:52.853+00:00

    I still think it should start the service after Unprovision, as I verified that both User Profile Services and User Profile Synchronization Services show disabled. This shows somewhere the new password is not set correctly.

    C:\Users\sp_Admin> $TypeName = "User Profile Synchronization Service"
    C:\Users\sp_Admin> $ServerName = "SPPortalProd1"
    C:\Users\sp_Admin> $Serviceinstance = Get-SPServiceInstance | where-object {$_.TypeName -eq $TypeName -and $_.Server.Address -eq $ServerName}
    C:\Users\sp_Admin> $Serviceinstance

    TypeName                         Status   Id
    User Profile Synchronization ... Disabled xxxxxdba-f1fc-487e-9e65-7e6fb41xxxxx

    TypeName                         Status   Id
    User Profile Service             Disabled xxxxx444-4073-468a-a416-3d6f8c7xxxxx

    I am able to stop User Profile Services and User Profile Synchronization Services using the above code. However, when I manually start, User Profile Service is "started" on one server and the 2nd web server shows "Starting" and never turns to started.
    User profile synchronization service is "stopped" on both servers. If I start it, it gets stuck as "Starting" and never turns to "started" after adding the new password.
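
A read-only check for the two symptoms described in the posts above: instances stuck in "Starting", and the leftover `job-service-instance-…` timer job named in the `SPDuplicateObjectException`. This is an added example, not part of the original thread; `DOMAIN\spFarm` is a placeholder, and the listing of Windows services that log on as the farm account is an addition that reports only the server it runs on.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farmAccount = 'DOMAIN\spFarm'         # placeholder, as in the thread
$types = 'User Profile Service', 'User Profile Synchronization Service'

# 1. Per-server state. "Starting" in Central Administration is
#    Status = Provisioning; "Stopping" is Unprovisioning.
$instances = Get-SPServiceInstance | Where-Object { $types -contains $_.TypeName }
$instances | Sort-Object TypeName |
    Format-Table TypeName, @{n='Server'; e={$_.Server.Address}}, Status, Id -AutoSize

# 2. Provisioning jobs still registered under the timer service. The error in
#    the thread shows the name is "job-service-instance-<service instance Id>".
$jobs = Get-SPTimerJob | Where-Object { $_.Name -like 'job-service-instance-*' }
$report = foreach ($job in $jobs) {
    $id    = $job.Name -replace '^job-service-instance-', ''
    $owner = $instances | Where-Object { $_.Id.ToString() -eq $id }
    [pscustomobject]@{
        Job      = $job.Name
        TypeName = if ($owner) { $owner.TypeName } else { '(other service)' }
        Server   = if ($owner) { $owner.Server.Address } else { $null }
        Status   = if ($owner) { $owner.Status } else { $null }
        LastRun  = $job.LastRunTime
    }
}
$report | Format-Table -AutoSize

# 3. Windows services on this server that log on as the farm account, and
#    whether they are running. Repeat on each SharePoint server.
Get-WmiObject Win32_Service |
    Where-Object { $_.StartName -eq $farmAccount } |
    Format-Table Name, State, StartMode, StartName -AutoSize
```

Nothing here changes farm state; it only lists what exists.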


  3. ChelseaWu-MSFT 6,311 Reputation points
    2021-01-01T06:08:49.75+00:00

    Here is a procedure to go through in case you missed anything:

    1. Go to Central Administration > Security > Configure Managed Accounts, click Edit beside the farm admin service account. Click "Change password now" and then change the password.
    2. Manually change the User Profile Service password.
      a. Make sure the farm account is a local administrator on the server hosting the user profile service.
      b. After changing the password, navigate to Central Administration > System Settings > Manage services on server and stop the User Profile Service.
      c. Start the service again. You should be prompted for the new credentials this time. Make sure the User Profile Service starts again properly.
    3. Navigate to Central Administration > Application Management > Manage service applications > Secure Store service and make sure you have updated the credentials for all applications using the farm account if any.
      Make sure to use the correct password since no error or warning message will return while changing credentials in the Secure Store service application.
    4. Reboot all the servers in the SharePoint farm, except for SQL server.

    Reference: Step by Step: Changing the SharePoint 2013 Farm Account Password.

    *Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link. *



    1 person found this answer helpful.

  4. Mohamed El-Qassas 1,381 Reputation points MVP
    2021-01-07T02:35:58.387+00:00

    I would suggest running the below command using SharePoint PowerShell on all SharePoint servers across the farm (starting with the APP server that hosts the CA)

    stsadm -o updatefarmcredentials -userlogin domain\account -password password 
    

    Also, check SharePoint 2019: Service Accounts Recommendations

    Regarding the User Profile Stuck on starting issue, please check

    1 person found this answer helpful.