SharePoint: A Troubleshooting Guide for UserProfileApplicationNotAvailableException
Why a whole troubleshooter?
In SharePoint, the User Profile Service can be one of the more finicky web services.
Problems with the User Profile Service Application (UPA) may manifest themselves in several ways like:
- Trying to access the User Profile Service Application within Central Administration fails with “An unexpected error has occurred”
- Missing “Target Audiences” box on web parts and site navigation.
- Audiences not working (showing an audience-targeted web part to everyone).
- “Following” fails with error “Sorry, we couldn’t follow the site”
- Trying to edit profiles in the User Profile Service Application throws error: “An unexpected error has occurred”
- The User Profile Synchronization Service gets stuck in a “starting” state.
- SharePoint 2013-style workflows (Utilizing Workflow Manager) fail with “401 Unauthorized”.
- Users get “Sorry Something went wrong” error when accessing user profiles from “People Search” results.
- Personal Sites (mysites) are not created.
- The “Newsfeed”, OneDrive, and “Sites” links are missing from the top bar.
Sometimes logging is not as helpful as you’d like.
In the SharePoint ULS logs, you may only find an error like this:
Application Proxy failed to retrieve partitions from User Profile Application: Microsoft.Office.Server.UserProfiles.UserProfileApplicationNotAvailableException: UserProfileApplicationNotAvailableException_Logging :: UserProfileApplicationProxy.ApplicationProperties ProfilePropertyCache does not have 67a46070-e870-48f8-b904-917dca9dfd9a
Our logging is not great here. This tells us that connecting to the User Profile Service Application (UPA) failed, but gives no hints as to why it failed.
Unfortunately, sometimes the ULS logs don’t provide any more clues, even at verbose. So what can you do?
First, document the environment.
You need to know your environment so you know where to test and where to go looking for errors.
Where is the User Profile service running?
You can check Central Administration | Manage servers in Farm, or run the following PowerShell to see where the UPA web service is running:
get-spserviceinstance | ? {$_.typename -eq "User Profile Service"} | select typename, server, status
Then do some isolation testing:
Can you browse to the UPA web service endpoints?
You can try that manually, or by running the following PowerShell script on one of the servers. You need to run the script as an account that has Full Control permission to the UPA.
# This script will get each User Profile service app and their web service endpoints
# and then open Internet Explorer to test browsing to each end point
# You may see certificate errors on the HTTPS endpoints. That's usually normal.
Add-PSSnapin *sharepoint*
$UPAs = Get-SPServiceApplication | ? {$_.typename -match "User Profile"}
foreach ($UPA in $UPAs)
{$uris = $UPA.Endpoints.listenuris.absoluteuri
Write-host "`n UPA Web Service end points for: " $UPA.name
foreach($uri in $uris)
{$realURI = $uri.Replace("ProfileService.svc", "ProfilePropertyService.svc")
$realURI
$ie = New-Object -comObject InternetExplorer.Application
$ie.visible = $true
$ie.navigate($realURI)}}
The result should look something like this:
Checking that the web service endpoints are available is a good first step, but does not prove that the web service can actually be invoked.
You can use the following PowerShell to test that. It will call into the UPA and output the user profile information for the user specified.
You’d want to run this as an account that has full control permission on the UPA service app.
$url = "http://URL" # URL of a web app associated with the UPA
$user = "domain\username" # User whose profile we're looking up
Add-PSSnapin *sharepoint*
$site = Get-SPSite $url
$serviceContext = Get-SPServiceContext($site)
$profileManager = new-object Microsoft.Office.Server.UserProfiles.UserProfileManager($serviceContext)
$profileManager.GetUserProfile($user)
And use your tools to see if you can dig up more clues:
-
- Turn logging to Verbose: Set-SPLogLevel -TraceSeverity verbose
- Set it back to default level: Clear-SPLogLevel
-
Event Viewer logs
- Both the System and Application event log could hold clues.
- Don’t forget to look for “Failure Audit” events in the Security event log for potential permission issues.
-
- Mostly you’ll be looking for Access Denied events coming from w3wp.exe or owstimer.exe.
If nothing interesting turns up, we must resort to checking a list of known issues.
This is the lowest form of troubleshooting, and something I typically try to avoid, but sometimes it’s all you can do.
Checklist of known issues:
- The User Profile Service needs to be started on at least one machine in the farm.
- The above testing should have confirmed that.
- Web application associations need to be correct.
- Go to Central Administration | Manage Web Applications | <the target web app> | Service Connections. Is the expected UPA selected?
- Make sure that the default proxy group has a connection to the UPA even if your web applications are all using custom proxy groups.
- Go to Central Administration | Application Management | Configure Service Application Associations. Make sure the Default proxy group contains your UPA.
- The Anonymous account in IIS manager needs to be “IUSR”.
- Check this at the server level and at the “SharePoint Web Services” level. In the example screenshot below, my UPA web service is the GUID starting with “93b990…”
- The Farm Account needs Full control permission on the UPA
- Central Administration | Manage Service Applications | Select the line for your UPA without clicking on the link, and then choose “Permissions” in the ribbon:
- Any account that you use to run PowerShell against the UPA needs to have permission here as well.
- The Security Token Service (STS) needs to be functional on every server in the farm.
- See my other post here for information on testing it: https://joshroark.com/sharepoint-troubleshooting-the-security-token-service-sts/
- Also, if the STS is busted, you should see a lot of errors in the ULS logs announcing that.
- Make sure the UPA proxy shows as “started” in Central Administration | Manage Service Applications:
- I’d typically want to have a good reason for doing so, but some have found that deleting and re-creating the UPA proxy can help to resolve these problems. If the proxy is deleted, you can recreate it with this PowerShell:
$proxyName = "Some-Proxy-Name" # This is whatever you want to call the proxy
Add-PSSnapin *sharepoint*
$upa = Get-SPServiceApplication | ? {$_.typename -eq "User Profile Service Application"}
New-SPProfileServiceApplicationProxy -Name $proxyName -Uri $upa.uri.absoluteURI
- Check permissions on C:\ProgramData\Microsoft\Crypto\RSA\Machinekeys
- You would use Process Monitor to see if you’re getting “Access Denied” to any keys in that folder when trying to invoke the UPA web services.
- Check the Client.config for the UPA web services.
- This is used to formulate the request when a process calls the UPA web services.
- It’s located (for SharePoint 2016) at: C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\WebClients\Profile\
- Use a file comparator tool (like the “Compare” plugin for Notepad++ or “Beyond Compare”) to compare to a known-good.
- Check the Web.config for the UPA web services.
- This is used when providing the response to web service calls.
- It’s located (for SharePoint 2016) at: C:\Program Files\Microsoft Office Servers\16.0\WebServices\Profile\
- Again, the best bet is to simply compare to a known-good.
- There can also be problems with resolving the administrators of the UPA that lead to UPA web service failures. See this: https://joshroark.com/sharepoint-user-profile-web-service-failures-and-the-dreaded-8313-error/
And… to help out the search engines, here are some of the errors you may see in the ULS logs when the UPA is misbehaving:
w3wp.exe (0x0950) 0x09EC SharePoint Portal Server User Profiles cm6y High User Profile Application Proxy failed to retrieve partitions from User Profile Application: Microsoft.Office.Server.UserProfiles.UserProfileApplicationNotAvailableException: UserProfileApplicationNotAvailableException_Logging :: UserProfileApplicationProxy.ApplicationProperties ProfilePropertyCache does not have 67a46070-e870-48f8-b904-917dca9dfd9a at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.get_ApplicationProperties() at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.get_PartitionIDs() at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.IsAvailable(SPServiceContext serviceContext)
w3wp.exe (0x0950) 0x09EC SharePoint Portal Server User Profiles d22b High Failure retrieving application ID for User Profile Application Proxy ‘UPA’: Microsoft.Office.Server.UserProfiles.UserProfileApplicationNotAvailableException: UserProfileApplicationNotAvailableException_Logging :: UserProfileApplicationProxy.ApplicationProperties ProfilePropertyCache does not have 67a46070-e870-48f8-b904-917dca9dfd9a at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.get_ApplicationProperties() at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.get_AppID()
w3wp.exe (0x144C) 0x2150 SharePoint Foundation CSOM ahjq1 High Exception occured in scope Microsoft.Office.Server.UserProfiles.ProfileLoader.GetProfileLoader. Exception=Microsoft.Office.Server.UserProfiles.UserProfileApplicationNotAvailableException: UserProfileApplicationNotAvailableException_Logging :: UserProfileApplicationProxy.GetRawPartitionID has null proxy at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.GetRawPartitionID(SPServiceContext serviceContext) at Microsoft.Office.Server.UserProfiles.ProfileLoader..ctor(SPServiceContext serviceContext, Boolean IgnoreUserPrivacy) at Microsoft.Office.Server.UserProfiles.ProfileLoader.GetProfileLoader(SPServiceContext serviceContext, Boolean IgnoreUserPrivacy) at Microsoft.Office.Server.UserProfiles.ProfileLoaderServerStub.InvokeStaticMethod(String methodName, XmlNodeList xmlargs, ProxyContext proxyContext, Boolean& isVoid) at Microsoft.SharePoint.Client.ServerStub.InvokeStaticMethodWithMonitoredScope(String methodName, XmlNodeList args, ProxyContext proxyContext, Boolean& isVoid) 8ab6d19e-c832-0012-0b83-18effefb320d
w3wp.exe (0x2B60) 0x145C SharePoint Portal Server User Profiles czx7 High UserProfile.RetrieveUser() Exception: Microsoft.Office.Server.UserProfiles.UserProfileApplicationNotAvailableException: An error occurred when verifying security for the message. at Microsoft.Office.Server.UserProfiles.ProfileDBCacheServiceClient.GetUserData(UserSearchCriteria searchCriteria) at Microsoft.Office.Server.UserProfiles.UserProfileCache.GetUserData(UserProfileManager objManager, Nullable`1 recordId, Guid gAcct, String strAcct, Byte[] bSid, String strEmail, Boolean doNotResolveToMasterAccount) 769a43e7-a036-416e-802a-2f5bc48b5580
w3wp.exe (0x0950) 0x09EC SharePoint Foundation Runtime tkau Unexpected Microsoft.Office.Server.UserProfiles.UserProfileApplicationNotAvailableException: This User Profile Application’s connection is currently not available. The Application Pool or User Profile Service may not have been started. Please contact your administrator. at Microsoft.SharePoint.Portal.UserProfiles.AdminUI.ProfileAdminPage.get_CurrentApplicationProxy() at Microsoft.SharePoint.Portal.UserProfiles.AdminUI.ManageUserProfileServiceApplicationBase.OnPreRender(EventArgs e) at System.Web.UI.Control.PreRenderRecursiveInternal() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)