I have spent a fair amount of time recently working with Lync 2010, testing out new features and trying to figure out how everything works! One of the exciting developments in Lync is how well integrated it is with the rest of the Microsoft product stack. For me, however, this has caused some serious challenges, as my knowledge of SharePoint is minimal and certainly limited to end-user knowledge.
This post outlines the process needed to get Lync showing photos uploaded to a users “My Site” in SharePoint 2010.
I am making the assumption that you already have SharePoint installed and that it has functioning “My Sites”. This was done for me by a colleague who is a SharePoint consultant!
What follows is a discussion of the steps taken to get integration with AD to work and some of the troubleshooting tools I found along the way.
I started off by following this blog post:
Step 1 from the above is easy to follow.
Step 2 makes the assumption that the User Profile Synchronization service is already in place. For me this was the case; however, there was an issue with accounts which I will come on to!
Having followed Step 2 my final configuration screen looks like the below:
The reason I show that is because it shows the Source Data Connection. Given that I didn’t set this up, I thought I would investigate further, and it’s a good job I did because it became important to know what user account was being used for synchronization.
Back on the Central Administration, Manage Profile Service page seen below, I clicked on the Configure Synchronization Connections link.
You can see the Active Directory connection shown on the Picture Export screenshot above. Drilling into the connection shows that it runs using the 123-shpt service account.
With this knowledge, let’s return to the original blog post we were following here:
We are now on to Step 3.
I kicked off a full synchronization but it didn’t look like much was happening and photos certainly weren’t appearing in AD. At this point I looked at the event logs on the SharePoint server.
What I found was a bunch of errors like this: FIMSynchronizationService – EventID 6050 – Error
The following two blog posts both helped troubleshoot this.
They also led me to discover the FIM Synchronization Service Manager (SSM) which is located here:
C:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\UIShell\miisclient.exe.
This application is your window on FIM and shows exactly what is happening during the synchronization.
I discovered that my problems were permission related.
What was needed was to ensure that the account mentioned above in the SharePoint Directory Connection section (123-shpt) has the relevant rights in AD. This is confusing because a number of posts say that it is the account which runs the FIM service which needs rights, but this doesn’t appear to be the case.
So I gave the 123-shpt account replicating directory changes permissions as detailed below:
Confirm that the service account used to run the Forefront Identity Manager Synchronization Service (FIMSynchronizationService) has the AD security right of “Replicating Directory Changes” at the domain level:
1. Open the Active Directory Users and Computers snap-in.
2. On the View menu, click Advanced Features.
3. Right-click the domain object, such as “company.com”, and then click Properties.
4. On the Security tab, if the desired user account is not listed, click Add; if the desired user account is listed, proceed to step 7.
5. In the Select Users, Computers, or Groups dialog box, select the desired user account, and then click Add.
6. Click OK to return to the Properties dialog box.
7. Click the desired user account.
8. Click to select the Replicating Directory Changes check box from the list.
9. Click Apply, and then click OK.
10. Close the snap-in.
Having done this, I kicked off another Full Synchronization in SharePoint and, whilst viewing it through the FIM SSM mentioned above, saw that connections were taking place.
However, there were still errors! Again they were permissions based, and this time it was specific to the end users who I was trying to provision a photo for.
After a fair bit of digging, it turns out that the 123-shpt account also needs rights on all user objects in the domain.
I provided this by setting permissions for the 123-shpt account on the root of the domain. I used the advanced settings to ensure that the permissions only applied to Descendant User Objects. At a high level the permissions needed are Read, Write and Create all child objects however when broken out they look more complex as seen below.
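To verify the two sets of rights described above (the domain-level Replicating Directory Changes right and the permissions scoped to descendant User objects) without clicking through the GUI, here is an added PowerShell check. It is not from the original post or from Microsoft; it assumes the ActiveDirectory RSAT module is available, and the account name is a placeholder.

```powershell
# Added verification script (not from the original post). Reports which ACEs on the
# domain root are granted to the sync connection account, flags whether the
# "Replicating Directory Changes" extended right is present, and lists any ACEs that
# are scoped to descendant User objects. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$AccountName = 'CONTOSO\123-shpt'   # placeholder: replace with your connection account

# Well-known schema GUIDs (fixed across all AD forests)
$ReplicatingDirectoryChanges = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes
$UserClassGuid               = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class "user"

$domainDn = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDn"

# Only the ACEs that name our account
$aces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $AccountName }

# 1. Extended right "Replicating Directory Changes" on the domain object itself
$hasReplRight = $aces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    $_.ObjectType -eq $ReplicatingDirectoryChanges
}

# 2. ACEs inherited only by descendant User objects (InheritedObjectType = user class)
$userScoped = $aces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.InheritedObjectType -eq $UserClassGuid -and
    $_.InheritanceType -ne 'None'
}

"Domain root: $domainDn"
"Account:     $AccountName"
"Replicating Directory Changes: " + $(if ($hasReplRight) { 'PRESENT' } else { 'MISSING' })
""
"ACEs scoped to descendant User objects:"
if ($userScoped) {
    $userScoped | Select-Object ActiveDirectoryRights, InheritanceType, ObjectType |
        Format-Table -AutoSize
} else {
    "  none found - sync will fail with per-user permission errors in the FIM SSM"
}
```

Run it as a user with read access to the domain ACL; an ObjectType of all zeros in the table means the ACE applies to the whole object rather than a single attribute or child class.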
Having made those changes, I kicked off a final Full Synchronization and found that photos were imported, as demonstrated by viewing the Attribute Editor of the user object.
Signing out and back in on Lync made the photo show up.
Hope that helps people.