User Profile Synchronization Service – Access is denied

Sometimes, when you first create your User Profile Service Application and configure your first Synchronization Connection (or any new Synchronization Connection), you might notice that the service is not synchronizing from Active Directory, and you will see an Access is Denied error in the event log.

Reviewing the ULS logs shows the following errors:

UserProfileApplication.SynchronizeMIIS: Error updating users with FIM permissions: Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException: Unable to process Create message
 at Microsoft.ResourceManagement.WebServices.Client.ResourceTemplate.CreateResource()
 at Microsoft.Office.Server.Administration.UserProfileApplication.UpdateFIMUser(SchemaManager schemaManager, String userName, String accountName, String domain, Byte[] userSid)
 at Microsoft.Office.Server.Administration.UserProfileApplication.SynchronizeMIISAdminsList(Hashtable htPermittedUsers)
 at Microsoft.Office.Server.Administration.UserProfileApplication.SetupProfileSynchronizationEnginePermissions().

UserProfileApplication.SynchronizeMIIS: Failed to configure ILM, will attempt during next rerun. Exception: Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException: Unable to process Create message
 at Microsoft.ResourceManagement.WebServices.Client.ResourceTemplate.CreateResource()
 at Microsoft.Office.Server.Administration.UserProfileApplication.UpdateFIMUser(SchemaManager schemaManager, String userName, String accountName, String domain, Byte[] userSid)
 at Microsoft.Office.Server.Administration.UserProfileApplication.SynchronizeMIISAdminsList(Hashtable htPermittedUsers)
 at Microsoft.Office.Server.Administration.UserProfileApplication.SetupProfileSynchronizationEnginePermissions()
 at Microsoft.Office.Server.Administration.UserProfileApplication.SetupSynchronizationService(ProfileSynchronizationServiceInstance profileSyncInstance).

The best way to troubleshoot this issue is to look at why the FIM Synchronization Service itself is failing to sync. To do so, launch the FIM client, miisclient.exe, which is located under <%Install Dir%>\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell.

When you launch the client, as per picture 1:

  1. Click on Management Agents
  2. Click on the Synchronization Connection you created in the UPSA
  3. Under Actions, click on Configure Run Profiles

Picture 1

In the Run Profiles dialog, you should see all the synchronization profiles, and you might notice two steps per profile, as per picture 2.

Picture 2

For example, in the DS_EXPORT profile, you might find Step 0 with a GUID as a Partition value, then a Step 1 with the correct forest info as the Partition value.

If this is the case, then you need to delete the Step that has the GUID as a Partition value and keep the step with the correct forest info.

In some cases, if you run the synchronization job and monitor its status under the FIM client's Operations tab, you will see at which specific run profile the job fails with an access is denied error. With that, you can go directly to that run profile instead of going through all of them. However, it is a good idea to go through all the profiles to make sure you don't have extra steps that are breaking your synchronization job.
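To find the failing run profile without clicking through every entry in the Operations tab, here is an added PowerShell example (not from the original post) that reads the same run history through the Synchronization Service's WMI provider; the namespace, class, property and XML element names are assumed to match the FIM/ILM provider's documented layout.

```powershell
# Added example, not part of the original post: list the latest run of every
# management agent / run profile pair, flag the ones that did not succeed, and
# print the per-step result recorded for each failed run.
# Assumptions: runs on the SharePoint server hosting the Sync Service, under an
# account in the FIMSyncAdmins group; MIIS_RunHistory and its RunDetails()
# method are the ILM/FIM WMI provider's, and the run-details XML is laid out as
# run-details / step-details (step-number attribute) / step-result.
$ns = 'root\MicrosoftIdentityIntegrationServer'

# One MIIS_RunHistory instance per run; RunStartTime is a sortable string
$runs = Get-WmiObject -Namespace $ns -Class MIIS_RunHistory |
    Sort-Object RunStartTime -Descending

# Keep only the most recent run for each (management agent, run profile) pair
$latest = $runs | Group-Object MaName, RunProfile | ForEach-Object { $_.Group[0] }

foreach ($r in $latest) {
    $flag = if ($r.RunStatus -eq 'success') { '  ' } else { '!!' }
    '{0} {1,-30} {2,-22} {3,-28} {4}' -f $flag, $r.MaName, $r.RunProfile, $r.RunStatus, $r.RunStartTime
}

# For each failed run, show which step stopped and with what result, so you can
# open exactly that run profile in miisclient.exe and inspect its steps
foreach ($r in ($latest | Where-Object { $_.RunStatus -ne 'success' })) {
    [xml]$details = $r.RunDetails().ReturnValue
    foreach ($step in @($details.'run-details'.'step-details')) {
        '    {0} / {1}: step {2} -> {3}' -f $r.MaName, $r.RunProfile, $step.'step-number', $step.'step-result'
    }
}
```

A run profile whose latest run is flagged and whose failing step is not the one carrying the forest partition is the place to start the clean-up described in this post.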

Also, in some scenarios, you might find only one step, with a GUID as the Partition value. In this case, you will need to delete that step and create a new one by clicking on New Step. Make sure you select the right value for the run profile: follow the wizard and select the right forest from the dropdown menu.

After completing your manual clean-up, try running the Synchronization job from Central Admin. No IISRESET is needed. This should fix the access is denied issue, and the job will complete successfully.

Monday, October 20, 2014, by Mike Maadarani