Profile Import fails when running Central Administration over ssl


I’m documenting this issue I discovered last week because I haven’t seen it mentioned elsewhere.

The issue occurs only when using the new SharePoint Active Directory Import in SharePoint 2013 when your Central Administration site is running over SSL. When you first setup your profile sync, you have three choices under “Configure Synchronization Settings”:

  1. Use SharePoint Profile Synchronization (This one leverages the built-in FIM)
  2. Use SharePoint Active Directory Import (This is the direct AD Import)
  3. Enable External Identity Provider


I haven’t tested with #1 and #3 so this issue may not apply to those. I originally configured Central Administration to run over port 443 (the default SSL port) and my IIS bindings only have the “https” type installed. By selecting my certificate in IIS, it gives me the proper host header:

I did test using alternate ports without success. When using http, any port will work, whether you use the default port 80 or some other port like 8888. I’d like to mention if everything is setup correctly and working, Spence Harbar (@harbars) has a great blog post which explains how to set this up: Refer to that post to see how good ULS logs look. What if you have a similar configuration to the one I have?

You’ll see something like this first:

CreateProfileImportExportId: Could not InitializeProfileImportExportProcess for end point 'direct://', retries left '0': Exception 0

And then:

ActiveDirectory Import failed for ConnectionForectName '', ConnectionSynchronizationOU 'DC=mynetwork,DC=com', ConnectionUserName 'mynetwork\spupssync'. Error message: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> Microsoft.Office.Server.UserProfiles.UserProfileApplicationNotAvailableException: No User Profile Application 

The Workaround

As far as I know, there is no true fix, its a bug. I hope this will be addressed by an update. To get this working you must use a non-SSL Central Administration. However, as a workaround, you can put a load balancer in front of  Central Administration so that client to server communications are encrypted but they’re unencrypted from the load balancer to Central Administration.

0 comments… add one

Leave a Reply