SharePoint 2010: User Profile Synchronization Proxy in DMZ Zone with One Way Trust


My client wanted to configure the User Profile Synchronization Service Application for the Collaboration Farm in the DMZ zone. When I tried to create the User Profile Service Application I got a well-known (on Google) error:

Microsoft.SharePoint.Administration.SPIisWebServiceApplicationPool named “User Profile Service Appl” already exists under the parent Microsoft.SharePoint.Administration. Rename your object or delete the existing object…

One way out would be to use another Application Pool, but my new client is a “governance” shop: the Application Pool, Web Application, Managed Accounts and many other objects have to be the same, or at least follow the governance decided by the web architects.

So I couldn’t use the easy way and had to find another way to proceed: how do you delete the old application pools? They don’t show up in IIS Manager. That leaves only one way to delete them, and that’s PowerShell!

  • Open PowerShell with Administrator rights and run ‘Get-SPServiceApplicationPool’
  • Put the pool in a variable: $var = Get-SPServiceApplicationPool -Identity [Name of the application pool]
  • Run Remove-SPServiceApplicationPool $var
  • Enter ‘Y’ to confirm deletion of the application pool
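The same three steps as one script, added here as an example (it is not from the original article). Before removing the pool it checks that no service application still references it, which is the case worth verifying when the pool is an orphan left over from a failed provisioning. The pool name is the one from the error message above; adjust it for your farm.

```powershell
# Added example: remove an orphaned service application pool only when
# no service application still references it. Run in the SharePoint 2010
# Management Shell (or load the snap-in first, as below).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Pool name taken from the error message in the article; change as needed.
$poolName = "User Profile Service Appl"

# List every pool with its process (managed) account for review first.
Get-SPServiceApplicationPool | Select-Object Name, ProcessAccountName

# Find service applications that still run in this pool. Service applications
# that are not IIS-hosted have no ApplicationPool, hence the null check.
$stillUsed = Get-SPServiceApplication | Where-Object {
    $_.ApplicationPool -ne $null -and $_.ApplicationPool.Name -eq $poolName
}

if ($stillUsed) {
    $names = ($stillUsed | ForEach-Object { $_.DisplayName }) -join ", "
    Write-Warning "Pool '$poolName' is still used by: $names"
    Write-Warning "Delete or re-point those service applications before removing the pool."
} else {
    $pool = Get-SPServiceApplicationPool -Identity $poolName -ErrorAction Stop
    # Same as the Remove step above; -Confirm:$false skips the interactive 'Y' prompt.
    Remove-SPServiceApplicationPool -Identity $pool -Confirm:$false
    Write-Host "Removed orphaned application pool '$poolName'."
}
```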


You can find more information about Remove-SPServiceApplicationPool in the official TechNet documentation: http://technet.microsoft.com/en-us/library/ff607921.aspx

If you have the same issue with deleting a Web Application you can try this solution:

  • Navigate to Central Administration
  • Go to Monitoring –> Check Job Status
  • Delete the “Unprovisioning web application” job from the list
  • Go back and delete the Web Application.

Reference: http://wblo.gs/aeK

User Profile installation

Now I could create my User Profile Service Application. I hoped not to receive any “Starting” errors on my farm. I didn’t get any, but you can, and in that case your service may remain STOPPED.

Most of the time the User Profile service will crash: you will see the User Profile Synchronization Service hang.
This is the most common issue; to resolve it:
Be sure that Service Pack 1 and the cumulative updates are installed.

Make sure that once you’ve installed a hotfix for SharePoint 2010 you run the command “psconfig -cmd upgrade -inplace b2b -wait” and then check the product and patch installation status (Central Administration > Upgrade and Migration > Check product and patch installation status).
From the User Profile Service service account perspective, you must configure the following for this service account:

  • Member of the Farm Administrators group
  • Member of the local Administrators group on the server running SharePoint 2010 as application server (Server Manager > Configuration > Local Users and Groups > Groups. Right-click the Administrators group and select Add to Group. In the Administrators Properties window, click Add and select your User Profile service account)
  • The “Allow log on locally” policy on the server running SharePoint 2010 as application server (Start > Administrative Tools > Local Security Policy > Local Policies > User Rights Assignment. Right-click Allow log on locally and select Properties, then follow the few easy steps to complete the configuration). Run gpupdate /force to apply the changes.

You will then need the following commands to stop the User Profile Synchronization Service instance that stays in “Starting” forever.

  • Get-SPServiceInstance
  • Stop-SPServiceInstance -Identity “<GUID of the service instance>”
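An added example (not from the original article) that finds the stuck instance by its type name instead of copying the GUID by hand: an instance shown as “Starting” in Central Administration reports Status Provisioning in PowerShell, and only instances in that state are stopped.

```powershell
# Added example: stop the User Profile Synchronization Service instance that
# never finished starting. Run in the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$syncInstances = Get-SPServiceInstance | Where-Object {
    $_.TypeName -eq "User Profile Synchronization Service"
}

foreach ($instance in $syncInstances) {
    Write-Host ("{0} on {1}: {2}" -f $instance.TypeName, $instance.Server.Address, $instance.Status)

    # "Starting" in Central Administration is Status 'Provisioning' here;
    # a healthy instance is 'Online' and is left alone.
    if ($instance.Status -eq "Provisioning") {
        # Equivalent to Stop-SPServiceInstance -Identity "<GUID>" from the article.
        Stop-SPServiceInstance -Identity $instance.Id -Confirm:$false
    }
}

# Re-read the instances afterwards; the stopped one should report 'Disabled'
# before you delete and re-provision the service application.
Get-SPServiceInstance |
    Where-Object { $_.TypeName -eq "User Profile Synchronization Service" } |
    Select-Object Id, @{Name = "Server"; Expression = { $_.Server.Address }}, Status
```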

Delete the existing User Profile service application and then re-provision a new one.
After properly configuring the permissions for the User Profile Service service account and re-provisioning a new User Profile service application, start the new service application and check the FIM services. Make sure that the two FIM services are started automatically. Don’t force them to start; let the User Profile service start them itself.

So I wanted to start the User Profile Synchronization Service following Spence Harbar’s blog, where we can read that this is: a “SharePoint Service” in Services on Server. This is a wrapper responsible for the provisioning of the Forefront Identity Manager (FIM) bits. You select a UPS SA to associate with, and need to specify the credentials under which the FIM Services will run. This should run on the machine in the farm you wish to use to host the User Profiles “Role”. When it’s running that machine is known as the Service Machine Instance.

You can also read the TechNet Article about configuring the User Profile Synchronization on SharePoint 2010: http://technet.microsoft.com/en-us/library/ee721049(v=office.14).aspx

Following his steps my User Profile Service Application was set up perfectly but I couldn’t import data from Corporate Local into Corporate Extranet (DMZ). The User Profile Synchronization Service Proxy wasn’t operational.


What is an Arrow in One way Trust

In describing trust relationships, arrows illustrate the direction of trust between domains as follows:

  • If B is the trusting domain and A is the trusted domain, B–>A indicates that domain B trusts domain A. (The same trust relationship can be illustrated as A<–B, that is, A is trusted by B.)
  • When domain B trusts domain A (B–>A), users with accounts in domain A can be authenticated for access to resources in domain B. However, users with accounts in domain B are not trusted to be authenticated for access to resources in domain A. http://technet.microsoft.com/en-us/library/cc977993.aspx

Why couldn’t I get any data? I searched TechNet and here is the answer:


In Microsoft SharePoint Server 2010, some service applications can be shared across server farms.

By publishing a service application, you can optimize resources, avoid redundancy, and provide enterprise-wide services without installing a dedicated enterprise services farm. You can publish the following service applications in a SharePoint Server 2010 farm:

  • Business Data Connectivity
  • Managed Metadata
  • User Profile
  • Search
  • Secure Store
  • Web Analytics

Clearly I have two domains (DMZ and LOCAL) with only a “one way trust”, not a full trust, multi trust, bidirectional trust or anything like that.

You can read the article on TechNet: http://technet.microsoft.com/en-us/library/ff621100(v=office.14).aspx

On SharePoint 2013 it’s the same: without a multi trust we can’t have a working User Profile Service Application (UPA) proxy: http://technet.microsoft.com/en-us/library/ff621100(v=office.15).aspx

If my company decides to implement a multi or full trust on the infrastructure, then we would be able to get data from our publishing farm.

The farm that contains the service application and publishes the service application so that other farms can consume the service application is known as the publishing farm. The farm that connects to a remote location to use a service application that the remote location is hosting is known as the consuming farm.

You can read about Proxy Configuration Issues with User Profile Synchronization in SharePoint 2010/2013: http://blogs.msdn.com/b/spses/archive/2012/12/17/proxy-configuration-issues-with-upa-in-sharepoint-2010-2013.aspx

So how did we resolve this issue?

There isn’t a proper solution yet, but a backup and restore of the User Profile databases is more than enough to get data into the User Profile. We are doing this once a week, but for the second-line support it’s a bit annoying and I can understand that. I will post the solution when I find it!

The temporary solution:

  1. Unmount the MySites Content Database
    • Unmount the MySites content database by going to Central Administration -> Application Management -> Manage Content Databases.
    • Restore the Database in SQL Server Management Studio from backup
    • Add back the content database in Central Administration
    • Stop the User Profile Service and User Profile Synchronization Service in Central Administration -> Manage Services on Server


2. Restore the Profile DB and Social DB from backup on the SQL Server

3. Start the User Profile Service and User Profile Synchronization Service in Central Admin.

Happy SharePointing!

Gokan
