Event IDs 8311, 6803, 6110, and 6801 after new SSL certs installed and December CU

Read Technet Forum HERE

Read Stackexchange post HERE


About a week ago I installed new SSL certificates. A few days after that I configured the export of the thumbnailPhoto attribute for the User Profile Sync. I’ve never actually been able to successfully export the photos into AD. I see the following error in both the Event Viewer and the ULS logs:

8311

An operation failed because the following certificate has validation errors:

Subject Name: CN=[REDACTED], OU=Domain Control Validated – QuickSSL(R) Premium, OU=See http://www.geotrust.com/resources/cps (c)11, OU=2945119243, O=[REDACTED], C=US, SERIALNUMBER=[REDACTED]

Issuer Name: CN=GeoTrust DV SSL CA, OU=Domain Validated SSL, O=GeoTrust Inc., C=US

Thumbprint:[REDACTED]

Errors:

SSL policy errors have been encountered. Error code ‘0x2’..

Not much help there. Contacted MS support and was told to install the latest CU (December 2011). Tested the CU earlier this week and decided to install during my change window yesterday. Completed with no trouble and checkout went fine. I then tried to kick off a Full Sync and now I’m seeing the 3 following Events in the logs:

6803

The management agent “MOSS-[GUID]” failed on run profile “MOSS_FULLIMPORT_[GUID]” because the server encountered errors.

6110

The management agent “MOSS-[GUID]” step execution completed on run profile “MOSS_FULLIMPORT_[GUID]” but the watermark was not saved.

Additional Information

Discovery Errors : “0”

Synchronization Errors : “0”

Metaverse Retry Errors : “0”

Export Errors : “0”

Warnings : “0”

User Action

View the management agent run history for details.

6801

The extensible extension returned an unsupported error.

The stack trace is:

“System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)

at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)

at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)

at System.Threading.ExecutionContext.runTryCode(Object userData)

at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)

at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)

at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)

at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)

at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)

at System.Net.ConnectStream.WriteHeaders(Boolean async)

--- End of inner exception stack trace ---

at System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest& request)

at System.Net.WebClient.DownloadData(Uri address)

at Microsoft.Office.Server.UserProfiles.ManagementAgent.ProfileImportExportExtension.DownloadPictures(ProfileChangeData[] profiles)

at Microsoft.Office.Server.UserProfiles.ManagementAgent.ProfileImportExportExtension.Microsoft.MetadirectoryServices.IMAExtensibleFileImport.GenerateImportFile(String fileName, String connectTo, String user, String password, ConfigParameterCollection configParameters, Boolean fFullImport, TypeDescriptionCollection types, String& customData)

Forefront Identity Manager 4.0.2450.34”

Any insight? I’ll still continue to work with the MS Case Engineer but wondered if anyone has seen something similar. I’ll post the outcome when/if we ever get there. 😉


Updated – Issue Solved!

So the issue was the SSL certificate after all. I have 2 web apps on 1 server. I only serve up one of those web apps though and stop the other site in IIS. Because both apps (i.e. sites) are bound to port 443 they can’t have different certs. Only 1 cert to 1 port. (Note: we’ll be adding another virtual NIC which will alleviate this issue but I’ll cover that some other day). So the My Site web app – which is stopped – has the wrong cert applied but I don’t care since it’s stopped in IIS. Looks like SharePoint does care. Each time I attempted to run a Full Sync it would choke on the cert because it didn’t match the web app’s URL. Applied a wildcard cert and magically everything worked. I’ll have to manually switch the certs over in order to complete the Full Sync until the virtual NIC is added.
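
A way to confirm this kind of mismatch before running a Full Sync, as an added example that is not part of the original post or of SharePoint: the PowerShell function below performs a TLS handshake against each web application host name and reports which certificate is served and which policy errors .NET raises. It assumes the 0x2 in event 8311 is a `System.Net.Security.SslPolicyErrors` value, where 2 is `RemoteCertificateNameMismatch` (consistent with the fix described above); the function name and the `example.com` host names are hypothetical.

```powershell
# Added diagnostic example. Host names at the bottom are constructed placeholders.
function Test-TlsNameMatch {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )

    # Filled in by the validation callback during the handshake.
    $script:seen = @{ Errors = 0; Subject = $null; Thumbprint = $null }

    # Record what .NET's validation found, then accept so the handshake
    # finishes. Inspection only: nothing is sent over the stream afterwards.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($source, $cert, $chain, $policyErrors)
        $script:seen.Errors = [int]$policyErrors
        if ($cert) {
            $c2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cert
            $script:seen.Subject    = $c2.Subject
            $script:seen.Thumbprint = $c2.Thumbprint
        }
        return $true
    }

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        # $HostName is the name the served certificate is validated against.
        $ssl.AuthenticateAsClient($HostName)
        $ssl.Close()
    }
    finally {
        $client.Close()
    }

    $mismatch = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch  # 2
    New-Object PSObject -Property @{
        HostName     = $HostName
        ErrorCode    = '0x{0:X}' -f $script:seen.Errors
        NameMismatch = (($script:seen.Errors -band $mismatch) -ne 0)
        Subject      = $script:seen.Subject
        Thumbprint   = $script:seen.Thumbprint
    }
}

# Check every web application URL that shares the port 443 binding.
'portal.example.com', 'mysite.example.com' |
    ForEach-Object { Test-TlsNameMatch -HostName $_ } |
    Format-List HostName, ErrorCode, NameMismatch, Subject, Thumbprint
```

Run it from the server that hosts the synchronization service, so name resolution and the trusted root store match what the sync job sees. A row with `NameMismatch` true identifies the host name that the certificate on the shared binding does not cover.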
