
When User Profile Services, Business Connectivity Services, and Secure Store are not working together

I decided to write this post to answer a question for both a client and a few forum users who have been looking for an answer for some time.
To be more precise about what I want to talk about: there is a process that needs to take place when you want to supplement User Profiles in SharePoint with properties that don’t come from a Directory Service like Active Directory. When this requirement comes up you will need to rely upon Business Connectivity Services (BCS) and more than likely Secure Store as well. The reason I say more than likely is because you might be one of those strange people out there who doesn’t believe in Single Sign-on (SSO), but I digress.
I’m not going to use this post to describe how to setup Secure Store then BCS and finally a Synchronization connection, but as I mentioned earlier I do want to cover what can go wrong when you are trying to merge these services together.
The problem that I have most often seen go unanswered stems from this kind of error, found when using the Synchronization Manager to see what is going on during a sync:
[Screenshot: BCSSyncError.tiff]

You’ll notice that the third item down has PAS at the end of it. This is the name of the Synchronization Connection I setup with a name of "PAS." The way I configured it was to be based off of a BCS connection as seen below.

[Screenshot: BCSSyncEditConnection.tiff]

You can see from the screenshot above that I am connecting to an External Content Type (ECT) called "PAS User." I’m then mapping the ECT to existing profiles via a profile property called "saMAccountNameString." This is a custom profile property I created that has a type of "String" and is mapped to the sAMAccountName attribute coming from AD. Not following this approach is a key reason why some people get an error like the following:

[Screenshot: FIMSyncError.tiff]

Let me take a step back and cover what people who get this error are doing. Instead of creating a String-based property to match off of, they try to map to one of the existing fields like "Account Name" or "User Name." The reason neither of these works is that they are of type "User." This actually makes sense when you look back at the error message.

Most of the time the field exposed through the ECT that you are mapping against is a username. Because that is typically an nvarchar or varchar column on the BCS side, you need a property of an equivalent type (a String) on the profile side to match it against.
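As an added example (my own PowerShell, not code from the original post), this is how I would create the String-typed profile property described above on a SharePoint 2010/2013 farm, map it to the AD sAMAccountName attribute, and list the type of every core property so you can confirm you are matching on a String rather than a "User" field before building the BCS sync connection. The site URL and the AD synchronization connection name are placeholders; the AddNewMapping call is the one I have used on 2010 farms and is an assumption for other versions.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholder: any site collection served by the User Profile Service Application.
$site    = Get-SPSite "http://sharepoint.example.local"
$context = Get-SPServiceContext $site
$upcm    = New-Object Microsoft.Office.Server.UserProfiles.UserProfileConfigManager($context)
$ppm     = $upcm.ProfilePropertyManager
$cpm     = $ppm.GetCoreProperties()
$ptpm    = $ppm.GetProfileTypeProperties([Microsoft.Office.Server.UserProfiles.ProfileType]::User)
$psm     = [Microsoft.Office.Server.UserProfiles.ProfileSubtypeManager]::Get($context)
$subtype = $psm.GetProfileSubtype(
    [Microsoft.Office.Server.UserProfiles.ProfileSubtypeManager]::GetDefaultProfileName(
        [Microsoft.Office.Server.UserProfiles.ProfileType]::User))
$pspm    = $subtype.Properties

$propName = "saMAccountNameString"   # the custom property name used in the post

# 1. Create the core property as a single-value String (not Person/User).
if ($cpm.GetPropertyByName($propName) -eq $null) {
    $coreProp             = $cpm.Create($false)
    $coreProp.Name        = $propName
    $coreProp.DisplayName = "sAMAccountName (String)"
    $coreProp.Type        = [Microsoft.Office.Server.UserProfiles.PropertyDataType]::StringSingleValue
    $coreProp.Length      = 256
    $cpm.Add($coreProp)

    # 2. Expose it on the User profile type and on the default User subtype.
    $typeProp = $ptpm.Create($coreProp)
    $ptpm.Add($typeProp)
    $subProp  = $pspm.Create($typeProp)
    $pspm.Add($subProp)
}

# 3. Map the new property to AD's sAMAccountName on the existing AD sync connection.
#    Placeholder connection name; the display name shown in Central Administration.
$adConn = $upcm.ConnectionManager | Where-Object { $_.DisplayName -eq "AD-Connection" }
if ($adConn -ne $null) {
    $adConn.PropertyMapping.AddNewMapping(
        [Microsoft.Office.Server.UserProfiles.ProfileType]::User, $propName, "sAMAccountName")
}

# 4. Diagnostic: show each core property's type so the BCS connection is built
#    against a String property, never against Account Name / User Name.
$cpm | Sort-Object Name | Select-Object Name, Type, IsMultivalued | Format-Table -AutoSize
```

Run a full profile synchronization after this so the new property is populated from AD before you create the BCS synchronization connection that matches on it.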

I hope this will help you in getting UPS, BCS, and Secure Store up and running, because there is a lot of power there when correctly implemented.
