Fixing the Secure Store Exception – “InvalidMasterKeyException”

Just the other day I was configuring a new SharePoint 2013 farm, and while going through the trivial task (that is what I was used to) of generating a new key I was hit with an error I had never encountered:

"Exception of type 'Microsoft.Office.SecureStoreService.Server.KeyManagement.InvalidMasterKeyException' was thrown."


My first reflex (with my Developer hat on) – would this be caused by the Passphrase used having special characters within, not properly treated in the code? – Nope, it was not that.

2nd was – hmm, I’m already a Farm Administrator (! it was even a Domain Administrator – I know the purists will immediately claim that I should never use such a highly-privileged account for configuring service applications, but that was the one I had, so get over it) so I should have all the power I need – it turns out that this assumption is not entirely true (the reason comes later).

So I went on to delete and re-create the Secure Store service application, then retried generating a new key – no luck.

The next attempt, obviously, was to look into the Windows 2012 Dashboard to see if any event had been registered, and to my surprise one had:

I checked Event Viewer – Application Log on the app server that the Secure Store Service was running on and found error event 7557 for Secure Store Service. The description had this text:

Error: Event ID 7557 (Secure Store Service)
"The Secure Store Service application Secure Store Service is not accessible. The full exception text is: Cannot open database "SP13_SvcApp_SecureStore" requested by the login. The login failed. Login failed for user 'domain\user'."

That is when it struck me – let’s have a look in the SQL database, and my fears were confirmed instantly – I couldn’t access the actual database, despite being in the Farm Administrators group and even the Domain Admins (I know this shouldn’t be the case anyway – but hey, it is worth giving it a try).

Conclusion

To fix this issue you need to:

1. Either use the original account used during the configuration of the Farm, or

2. Make sure the account you are using has db_Owner on the Secure Store database that was configured when the Secure Store service application was created, in addition to being added to the Farm Administrators group via the SP Central Administration web.
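
One way to check and apply option 2 from the SQL side, as an added example that is not part of the original post. It assumes it is run by a SQL Server sysadmin in SSMS or sqlcmd, and it uses the database name and the 'domain\user' placeholder exactly as they appear in the event 7557 text above; substitute the account that will generate the key.

```sql
-- Added example: map the administering account into the Secure Store
-- database and make it a member of db_owner, only where that is missing.
USE [SP13_SvcApp_SecureStore];
GO

DECLARE @login sysname = N'domain\user';   -- placeholder from the event text
DECLARE @dbuser sysname, @stmt nvarchar(600);

-- 1. The account must exist as a server login before it can be mapped.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @login)
BEGIN
    RAISERROR(N'No server login named %s; create the login first.', 16, 1, @login);
    RETURN;
END;

-- 2. Find the database user mapped to that login. Match on SID, because
--    the database user name can differ from the login name.
SELECT @dbuser = dp.name
FROM sys.database_principals AS dp
JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE sp.name = @login;

IF @dbuser IS NULL
BEGIN
    SET @stmt = N'CREATE USER ' + QUOTENAME(@login)
              + N' FOR LOGIN ' + QUOTENAME(@login) + N';';
    EXEC (@stmt);
    SET @dbuser = @login;
END;

-- 3. Add the user to db_owner only if it is not already a member.
IF NOT EXISTS (
    SELECT 1
    FROM sys.database_role_members AS rm
    JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
    JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
    WHERE r.name = N'db_owner' AND m.name = @dbuser)
BEGIN
    EXEC sp_addrolemember N'db_owner', @dbuser;
END;

-- 4. Show the resulting role memberships for the account.
SELECT m.name AS database_user, r.name AS database_role
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = @dbuser;
```

Once the final query lists db_owner for the account, retry generating the key from Central Administration.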
