SharePoint 2010: Unable to start the User profile synchronization service

Its been commonly observed that working with User profile service application is one of the pain areas of SharePoint 2010. Most of the time, it fails with starting the User profile synchronization service from Central administration site. I was recently working with an issue where the user profile synch service fails to start and it gives the very common error message in the SharePoint ULS logs (as below)

User Profile Application Proxy failed to retrieve partitions from User Profile Application: Microsoft.Office.Server.UserProfiles.UserProfileApplicationNotAvailableException: No User Profile Application available to service the request. Contact your farm administrator.
at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.get_ApplicationProperties()
at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.get_PartitionIDs()
at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.IsAvailable(SPServiceContext serviceContext

By raising the logging level to verbose, we could observe the following error as well.

Exception occured while connecting to WCF endpoint: System.ServiceModel.CommunicationException: The server did not provide a meaningful reply; this might be caused by a contract mismatch, a premature session shutdown or an internal server error. Server stack trace:
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) Exception rethrown
at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustContract.Issue(Message message)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)
at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)
at Microsoft.SharePoint.SPSecurityContext.<>c__DisplayClass7.<GetProcessSecurityTokenForServiceContext>b__6()
at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)
at Microsoft.SharePoint.SPSecurityContext.GetProcessSecurityTokenForServiceContext()
at Microsoft.SharePoint.SPChannelFactoryOperations.CreateChannelAsProcess[TChannel](ChannelFactory`1 factory, EndpointAddress address, Uri via)
at Microsoft.SharePoint.SPChannelFactoryOperations.CreateChannelAsProcess[TChannel](ChannelFactory`1 factory, EndpointAddress address)
at Microsoft.Office.Server.UserProfiles.MossClie

Cause

The authentication for security token service in IIS had "Forms" and "ASP.NET impersonation" enabled. This was preventing the user’s identity to be passed to the security token service and the token service was unable to generate tokens properly.

Resolution

Open up the IIS Manager on the SharePoint server

  • Expand “Sites”
  • Expand “SharePoint Web Services” and select “SecurityTokenServiceApplication”
  • Double click on “Authentication”(under IIS)
  • Disable “Forms Authentication” and ASP.NET impersonation 
  • Confirm that only Windows and Anonymous Authentication are enabled
  • IISRESET 

1

During the course of troubleshooting we initially suspected the database corruption may be an issue . Verified the DB permissions and created anew configuration DB . That did not resolve the issue . Later we found that even though we can create other service application s(like mms and search service application) , we are unable to access them . Most of them were related to security and that made us suspect "security token service application"

To clarify the above , we tested the security token service application by running the rule

Central administration site -> Monitoring ->review rule definitions ->"The security token service is not available" (under availability)

rule

This shows the below errors in in the system event viewer :

Log Name: Application
Source: Microsoft-SharePoint Products-SharePoint Foundation
Event ID: 8306
Task Category: Claims Authentication
Level: Error
Description:
An exception occurred when trying to issue security token: The server did not provide a meaningful reply; this might be caused by a contract mismatch, a premature session shutdown or an internal server error..
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" />
<EventID>8306</EventID>
<Version>14</Version>
<Level>2</Level>
<Task>47</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2011-02-01T20:08:31.889137200Z" />
<EventRecordID>178223</EventRecordID>
<Correlation ActivityID="{E47AD4F2-E51A-49A2-BAB2-E22243297CEC}" />
<Execution ProcessID="1072" ThreadID="5060" />
<Channel>Application</Channel>
<Computer>FQDN of computer</Computer>
<Security UserID="S-1-5-21-1037773150-1901201615-623648099-663347" />
</System>
<EventData>
<Data Name="string0">The server did not provide a meaningful reply; this might be caused by a contract mismatch, a premature session shutdown or an internal server error.</Data>
</EventData>
</Event>

Log Name: Application
Source: Microsoft-SharePoint Products-SharePoint Foundation
Event ID: 2138
Task Category: Health
Level: Warning
Description:
The SharePoint Health Analyzer detected a condition requiring your attention. The Security Token Service is not available.
The Security Token Service is not issuing tokens. The service could be malfunctioning or in a bad state.
Administrator should try to restart the Security Token Service on the boxes where it is not issuing tokens. If problem persists, further troubleshooting may be available in the KB article. For more information about this rule, see "http://go.microsoft.com/fwlink/?LinkID=160531".
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" />
<EventID>2138</EventID>
<Version>14</Version>
<Level>3</Level>
<Task>8</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2011-02-01T20:51:16.683910600Z" />
<EventRecordID>180549</EventRecordID>
<Correlation ActivityID="{6212567F-596F-42CD-BEDC-2F77864FA2D9}" />
<Execution ProcessID="1832" ThreadID="4180" />
<Channel>Application</Channel>
<Computer>FQDN of computer</Computer>
<Security UserID="S-1-5-21-1037773150-1901201615-623648099-663347" />
</System>
<EventData>
<Data Name="string0">The Security Token Service is not available.
The Security Token Service is not issuing tokens. The service could be malfunctioning or in a bad state.
Administrator should try to restart the Security Token Service on the boxes where it is not issuing tokens.

OR

“An error occurred while receiving the HTTP response to http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details.”