Secure Store Master Key error

Don’t you hate mysterious scary errors?  How about this one?

A critical incident has occurred where Secure Store service application errored out because the master encryption key was not found.

Another error:
The Microsoft Secure Store Service application Secure Store Services failed to retrieve the master secret key.  The error returned was: ‘Unable to obtain master key.’

While obscure, this was easily solved. It seems the Secure Store Service encrypts the database of credentials.  When a new server joins the farm, it doesn’t yet have the decryption key.  Hence the above error occurs when the Secure Store Service is started on the newly joined farm server.

To fix it, in Central Admin, go to the Manage Service Applications, select Secure Store Service and click on “Refresh Key”.  This propagates the key to all servers.  I did a Generate New Key for good measure, requiring a Passphrase (entered twice, of sufficient complexity).  I waited a minute for it to propagate, and started the service on the server, and checked ULS logs to confirm all was well in my happy farm.  With my small set of Secure Store Application IDs (ten or so) my Secure Store database size was around 11MB, comparatively tiny.  Then again, how much space could a dozen credentials take up?
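For anyone who would rather script this than click through Central Admin, here is the same sequence in PowerShell. This is an added example, not part of the original post and not Microsoft's own documentation: it assumes it is run from an elevated SharePoint Management Shell on the newly joined server, that the Secure Store proxy can be found by its type name, and that you know the passphrase the key was created with (it is prompted for at run time, so it never lives in the script). The "Generate New Key" step is left commented out because, once you regenerate, every server in the farm has to be refreshed with the same passphrase.

```powershell
# Added example (not from the original post): scripted equivalent of the
# Central Admin "Refresh Key" / "Generate New Key" steps for a server that has
# just joined the farm. Run in an elevated SharePoint Management Shell on the
# new server. The server name and the proxy type-name filter are assumptions.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$newServer = $env:COMPUTERNAME   # assumption: this script runs on the newly joined server

# Locate the Secure Store Service application proxy (type-name filter is an assumption).
$proxy = Get-SPServiceApplicationProxy |
    Where-Object { $_.TypeName -like 'Secure Store Service*' } |
    Select-Object -First 1
if (-not $proxy) { throw 'No Secure Store Service application proxy found in this farm.' }

# The passphrase must be the one used when the master key was created or regenerated.
# Read it interactively rather than hard-coding it into the script.
$passphrase = Read-Host -Prompt 'Secure Store passphrase'

# Optional: generate a brand-new master key (the post's "Generate New Key").
# After this, run the refresh below on EVERY server with the same passphrase.
# Update-SPSecureStoreMasterKey -ServiceApplicationProxy $proxy -Passphrase $passphrase

# "Refresh Key": pull the current master key down to this server so its
# Secure Store instance can decrypt the credential database.
Update-SPSecureStoreApplicationServerKey -ServiceApplicationProxy $proxy -Passphrase $passphrase

# Start the Secure Store service instance on this server if it is not online yet,
# then wait (up to about two minutes) for provisioning to finish.
$instance = Get-SPServiceInstance -Server $newServer |
    Where-Object { $_.TypeName -eq 'Secure Store Service' }
if ($instance.Status -ne 'Online') {
    Start-SPServiceInstance -Identity $instance | Out-Null
    $deadline = (Get-Date).AddMinutes(2)
    do {
        Start-Sleep -Seconds 10
        $instance = Get-SPServiceInstance -Identity $instance.Id
    } until ($instance.Status -eq 'Online' -or (Get-Date) -gt $deadline)
}
"Secure Store instance on $newServer is: $($instance.Status)"

# Check the local ULS trace for the last 15 minutes: a master-key message at
# Unexpected/High level means the refresh did not take (wrong passphrase, or the
# new master key has not propagated yet).
$badLevels = @('Unexpected', 'High', 'Critical')
$problems = Get-SPLogEvent -StartTime (Get-Date).AddMinutes(-15) |
    Where-Object {
        $_.Area -eq 'Secure Store Service' -and
        $_.Message -match 'master' -and
        $badLevels -contains $_.Level
    }
if ($problems) {
    $problems | Format-List Timestamp, Level, Message
} else {
    'No Secure Store master-key errors in ULS for the last 15 minutes.'
}
```

The ULS check at the end is the scripted version of the "checked ULS logs to confirm all was well" step: if the refresh used the wrong passphrase, the service instance will come up but the same "Unable to obtain master key" entries keep appearing, which is exactly what that filter catches.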