Symptom:
The following error is presented when attempting to access service applications within SharePoint 2010: "The specified user or domain group was not found."
Cause:
SharePoint 2010 stores security information using the Subject Alternative Name as a literal string. As a result, renaming or removing associated accounts will cause the service to fail.
Resolution:
- Validate the issue exists using the SharePoint 2010 Management Shell (PowerShell) and execute the following:
Get-SPServiceApplication
- Manually gather your service application GUIDs; they are found in IIS under the site “SharePoint Web Services”.
- Identify the service account using the SharePoint 2010 Management Shell (PowerShell) and execute the following as an example:
Get-SPServiceApplicationSecurity fe11bf1464f84109bf83ce082e3097be
- Once you have identified the affected service application GUID, return to IIS, select the virtual directory that matches the affected GUID, select “Basic Settings” and make note of the “Physical Path”, like the example below. In this example the affected service application is User Profile Service Application.
C:\Program Files\Microsoft Office Servers\14.0\WebServices\Profile
- Connect to the SharePoint_Config database and execute the following query:
SELECT [Name], [Version], CAST([Properties] AS xml)
FROM [SharePoint_Config].[dbo].[Objects] WITH (NOLOCK)
WHERE [Name] LIKE '%Profile%'
- This will return a set of results. Locate the row with the correct service application name and double-click the XML result. Within the XML result, find the field whose name contains “Serialized”. In the example below three accounts are identified: “FABRIKAM\SharePointFarm; FABRIKAM\SharePointServices; FABRIKAM\John Smith”. If any of these accounts have been modified, the changes will need to be reverted or restored. Once restored, the affected service will become operational.
<sFld type="String" name="m_SerializedAcl"><acl><ace identityName="i:0#.w|fabrikam\sharepointfarm" displayName="0#.w|fabrikam\sharepointfarm" sid="" allowRights="18446744073709551615" denyRights="0" /><ace identityName="i:0#.w|fabrikam\sharepointservices" displayName="0#.w|fabrikam\sharepointservices" sid="" allowRights="18446744073709551615" denyRights="0" /><ace identityName="i:0#.w|fabrikam\John Smith" displayName="0#.w| fabrikam\John Smith" sid="" allowRights="18446744073709551615" denyRights="0" /></acl></sFld>
- Once the services are operational, use SharePoint 2010 Central Administration to manage the accounts assigned to this service under Central Administration > Application Management > Manage Service Application. Then highlight the service and select Manage from the ribbon to change the security for the service application.
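One way to script the check from the last two steps, as an added example that is not part of the original post: it parses an m_SerializedAcl value and reports which Windows accounts in it no longer resolve. The function name Get-SerializedAclAccount is hypothetical and the sample XML is abridged from the article's example; it assumes a domain-joined machine.

```powershell
# Added example, not from the original post. Constructed sample input:
# the article's m_SerializedAcl value, abridged to the attributes used here.
$serializedAcl = @'
<acl>
  <ace identityName="i:0#.w|fabrikam\sharepointfarm" sid="" allowRights="18446744073709551615" denyRights="0" />
  <ace identityName="i:0#.w|fabrikam\sharepointservices" sid="" allowRights="18446744073709551615" denyRights="0" />
  <ace identityName="i:0#.w|fabrikam\John Smith" sid="" allowRights="18446744073709551615" denyRights="0" />
</acl>
'@

# Hypothetical helper name; written for PowerShell 2.0 so it runs in the
# SharePoint 2010 Management Shell.
function Get-SerializedAclAccount {
    param([Parameter(Mandatory = $true)][string]$AclXml)

    $doc = [xml]$AclXml
    foreach ($ace in $doc.SelectNodes('//ace')) {
        $identity = $ace.GetAttribute('identityName')
        $account  = $null
        $status   = 'Skipped (not a Windows account claim)'

        # "i:0#.w|DOMAIN\name" is a Windows account claim; other encodings
        # are reported but not looked up.
        if ($identity.StartsWith('i:0#.w|')) {
            $account = $identity.Substring($identity.IndexOf('|') + 1)
            try {
                # Translate() throws when the name cannot be mapped to a SID,
                # which is the case for a renamed or deleted account.
                $nt = New-Object System.Security.Principal.NTAccount($account)
                $null = $nt.Translate([System.Security.Principal.SecurityIdentifier])
                $status = 'Resolves'
            } catch {
                # Any lookup failure is reported with its message.
                $status = 'Unresolved: ' + $_.Exception.Message
            }
        }

        New-Object PSObject -Property @{
            IdentityName = $identity
            Account      = $account
            Status       = $status
        } | Select-Object IdentityName, Account, Status
    }
}

Get-SerializedAclAccount -AclXml $serializedAcl | Format-Table -AutoSize
```

Replace the sample with the contents of the `<acl>` element returned by the SQL query; rows marked Unresolved are the accounts to restore.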
Instead of changing the XML (Step 6), I got the user information listed in XML who doesn’t exist in server users and added that to server users and added server administrators group.
Hi,
Thank you for this great post…
But I am facing one problem: we are using a Three-Tier farm (1 DB, 1 APP.SERVER, 2 WFS) for SharePoint 2010 Deployment with User Profile Service Configured and Synchronized, and all are working fine (i.e. I can search and update user profiles from central admin).
When we try to access User profile properties from a Custom WebPart it throws an exception that “No User Profile Application available to service the request. Contact your farm administrator.”
Exception Log details:
Area : SharePoint Portal Server
Category : User Profiles
Level : High
EventID : cm6y
Message : User Profile Application Proxy failed to retrieve partitions from User Profile Application: Microsoft.Office.Server.UserProfiles.UserProfileApplicationNotAvailableException: No User Profile Application available to service the request. Contact your farm administrator.
   at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.get_ApplicationProperties()
   at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.get_PartitionIDs()
   at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.IsAvailable(SPServiceContext serviceContext)
Code Base:
// Resolve the service context for the current site and open the profile manager.
SPServiceContext _serviceContext = SPServiceContext.GetContext(new SPSite(SPContext.Current.Site.Url));
UserProfileManager oUserProfileManager = new UserProfileManager(_serviceContext);
string oUserName = this.Context.User.Identity.Name;
// Declared outside the if block so it is in scope for the checks below.
UserProfile oUserProfile = null;
if (oUserProfileManager.UserExists(oUserName))
{
    oUserProfile = oUserProfileManager.GetUserProfile(oUserName);
}
if (oUserProfile != null)
{
    if (strOption == "Get")
    {
        // Fall back to an empty string when the property has no value.
        object oValue = oUserProfile["CustomerID"].Value;
        lblCustomerID.Text = oValue != null ? oValue.ToString() : "";
    }
    if (strOption == "Update")
    {
        oUserProfile["CustomerID"].Value = Convert.ToInt32(TxtCustomerID.Text);
        oUserProfile.Commit();
    }
}
This issue has been resolved when we shut down one Web front end (WFE) server. But we still don’t know the exact solution.
This has been extremely helpful, but I am not able to restore one of the accounts in the Sharepoint_Config database, as it has been deleted (where re-creating the account would generate a new sid.) Is it possible to modify the DB and remove the entry so that the User Profile Service can be restarted?
The security relationship is not bound to the SID; in fact they neglect to use the SID. In this case only the identityName needs to match, so just create an account that matches the identity name. I wouldn’t recommend manually removing the entry as it is used elsewhere. The best case would be to restore the account; even if you deleted the account it may still exist, check http://support.microsoft.com/kb/840001
great job!! this helps me saving a lot of time.
thanks nathan
Thank you very, very much. This has saved me a great deal of time :-).
Cheers,
Quint
I am getting the error while executing the step 1 or 2 or 3. “The specified user or domain group was not found. “.
Any help ?
Thanks
I suspect that your service catalog is corrupted. Restore from backup or rebuild.
I’ve modified the result of the sql query, but I cannot “save” it, or commit it to the database? How do I do this? INSERT? Do I have to insert the entire XML block ?
Just to update on this, I fixed it using this article, thank you so much for the information and walkthrough.
In my case I had deleted an AD account which was used as an app pool in Managed Service Accounts screen in Central Admin.
When I looked at the properties of the SQL table for that User Profile Service Application_ProfileDB_cd372c0025b44a868ae4… I highlighted each AD user under “Users or Roles”, and the only one that errored out, and wouldn’t let me see what its properties were, was the one that I had deleted.
Hello,
I have a problem with the account name. Account displays correctly = Michal Juskowiak but when I “go inside” to see properties I see: ‘i:0#.w|mydomain\juskomichal’. Could you tell me why this “i:0#.w” could be removed? On another environment I don’t have such a problem. Thank you for help
Thanks man.
It worked like a charm. I had deleted a user that I didn’t even remember that I used.
Mine is the BDC that has failed. I follow all the steps but I get this in the m_SerialisedAcl fld….
<acl><ace identityName="c:0%.c|system|b9e5a545-0cf2-4fbe-b23d-82dcea334581" displayName="0%.c|system|b9e5a545-0cf2-4fbe-b23d-82dcea334581" sid="" allowRights="18446744073709551615" denyRights="0" /></acl>
No user names listed, just that! Any thoughts?
I had the same issue with the BDC. I finally found the culprit in the AR_MetadataObjectSecurity Table. Cleaned it up and it worked great.
Thank you for this fix, you saved me hours of frustration.
Hi,
This was a great post really saved a lot of our time. Thanks for explaining it so cleanly and elaborately.
You are a charm
Thank you a lot. We had a problem because the domain has been changed, so the old alias was not being used anymore. We were able to migrate the whole environment's users, except for this error; thanks to your post we fixed it. Note that I just changed the domain users in the Properties field for that object, and it worked.
Hi Mohdbh
May I know how you did it, as u said “I just changed the domain users in the Properties field for that object, and it worked”.. is that by running a SQL query against the config db?.. if yes, can u pls provide that query…. pls pls
My issue was resolved by going to the permissions of the User Profile App and removing a user's account that wasn't in AD anymore. Also had to do this in Administrators on the UPA as well.
Hello,
I have the same problem with my SPS 2010 farm. I don’t understand some points …
Pts 1 output :
DisplayName TypeName Id
----------- -------- --
Access Service Ap… Access Services W… 0f63ec56-22cd-47d2-aaeb-a5b6d65ec6d7
Secure Store Serv… Secure Store Serv… da132fec-2c0e-42e1-8861-47294bfac2b2
State Service State Service 17b4ab2b-ffab-4681-b664-7c1bbfc5455d
PowerPoint Servic… PowerPoint Servic… 397b6135-f3de-43de-b0c9-667e8dbded0b
Word Viewing Serv… Word Viewing Serv… b22b1add-fa2e-4fed-8868-8ca246339ac2
Visio Graphics Se… Visio Graphics Se… 55228142-0365-4a7d-a0e9-17fb56ff9d65
Managed Metadata … Managed Metadata … 5e8a5a35-ee52-4b4b-bbac-8448c88ff17e
Web Analytics Ser… Web Analytics Ser… f97d5d0b-4cfc-40cf-80d0-15344e954a01
Excel Services Ap… Excel Services Ap… efe9e944-cb55-4bab-97e9-02e3b1adf335
Security Token Se… Security Token Se… b11cff74-87db-4a52-bd36-f246342cef15
Application Disco… Application Disco… 1825d075-c8c6-46df-9540-9ee2dd9d2962
WSS_UsageApplication Usage and Health … 2f2b397b-8e83-43b1-8c65-a0caaab0917e
Search Administra… Search Administra… 7fdee4ea-cd8c-4d83-855f-e6d367d3d8f7
Search Administra… Search Administra… aae6938f-f687-4c4c-8426-cccf9f580351
User Profile Service User Profile Serv… a10ddadc-8d56-4399-a7a8-9541b5d13b6b
SharePoint Server… SharePoint Server… 75014179-02b9-48ec-bd98-fd33767ea6dc
FAST Search Content Search Service Ap… 7a5504e7-8926-4a68-82ec-02a838c89ac3
FAST Search Query… Search Service Ap… fd3aa6da-2240-40b9-aaab-47f18e90bf42
Pts 2 output:
8c0e7ed76746451aa4e11e952464417b (I think here is my mistake, how can I find the right GUID?)
Pts 3 Output
Get-SPServiceApplicationSecurity 8c0e7ed76746451aa4e11e952464417b
PS C:\Users\hefrspfarm> Get-SPServiceApplicationSecurity 8c0e7ed76746451aa4e11e952464417b
Get-SPServiceApplicationSecurity : A valid object could not be read from the provided pipebind parameter.
At line:1 char:33
+ Get-SPServiceApplicationSecurity <<<< 8c0e7ed76746451aa4e11e952464417b
+ CategoryInfo : ObjectNotFound: (Microsoft.Share…icationPipeBind:SPServiceApplicationPipeBind) [Get-SPServiceApplicationSecurity], PSArgumentException
+ FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletGetServiceApplicationSecurity
Any help is welcome
Thank you
On step 6 you state “if any of these accounts have been modified the changes will need to be reverted or restored”. What do you mean by this? Sorry if this sounds lame but my head's been fixing sharepoint for 12 hours and I barely know my name?
Great stuff Nathan. Figuring this out would have taken a lot of time!!
Hi,
Thank you for the great information.
I have the same issue. There is one account I found has been deleted from AD. It is being referred to in many objects. Please suggest if re-creating the account in AD will resolve the problem.
Kunal