Secure Store could not retrieve master encryption key - Event 7535 (SharePoint Server 2010)


Applies to: SharePoint Server 2010

Alert Name:   Secure Store could not retrieve the master encryption key

Event ID:   7535

Summary:   The Secure Store Service application cannot retrieve the master encryption key. The service uses the master key to encrypt user identity and password data before storing it in the secure store database, and to decrypt the data when a client application requests it.

If the master encryption key cannot be retrieved, the credentials in the secure store database cannot be decrypted and will be unusable. Any client application that relies on the secure store database will be unable to authenticate users.

Symptoms:   This event appears in the Application event log:

  Event ID: 7535
  Description: The Secure Store service application %name% errored out because of a database exception.

Cause:   One or more of the following might be the cause:

  • The master encryption key was not generated after the Secure Store Service application was created.

  • The master encryption key was deleted.

  • The secure store database is corrupted.

Resolution:   Create the master encryption key

  • Create the master encryption key if it was not generated or it was deleted.

    To verify that the master encryption key was created:

    1. Verify that the user account that is performing this procedure is a member of the Farm Administrators group.

    2. On the Central Administration Home page, click Application Management.

    3. On the Application Management page, in the Service Applications section, click Manage service applications.

    4. On Service Applications page, click the Secure Store Service application.

    5. If you see an error page instead of the Secure Store Service page (for example, "Unable to obtain master key") and no key has ever been generated for this instance, no master encryption key exists. You can create the key by following the steps in "To create the master encryption key," later in this article.

      If a key was generated earlier and the error still appears (for example, on an application server that was added to the farm after the key was generated), the key is present but not available on this server. Try to refresh the key by following the steps in "To refresh the master encryption key," later in this article.

    To create the master encryption key:

    1. Verify that the user account that is performing this procedure is a Service Application Administrator for the instance of the Secure Store Service.

    2. Click the instance of the Secure Store Service application.

    3. On the ribbon, click Generate New Key.

    4. On the Generate New Key page, type a passphrase string in the Pass Phrase box, and type the same string in the Confirm Pass Phrase box.

      Important

      A passphrase string must consist of at least eight characters and must contain at least three of the following four elements:

      • Uppercase characters

      • Lowercase characters

      • Numerals

      • Any of the following special characters:

        “! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~

      Tip

      The passphrase that you enter will not be stored. Make sure that you write it down and store it in a safe location. You must use this passphrase any time you refresh the key, such as when you add a new application server to the server farm. Treat the passphrase as a secret: anyone who knows it and can read the secure store database can recover the credentials stored there, so keep it out of scripts, tickets and e-mail.

    5. Click OK.

    To refresh the master encryption key:

    1. Verify that the user account that is performing this procedure is a Service Application Administrator for the instance of the Secure Store Service.

    2. Click the instance of the Secure Store Service application.

    3. On the ribbon, click Refresh key.

    4. On the Refresh Key page, type the passphrase that was used when the key was generated in the Pass Phrase box.

      Important

      Refreshing does not create a new key; it makes the existing master key available again on the application server. The passphrase must therefore be the one that was entered when the key was generated (it is subject to the same complexity rules listed in "To create the master encryption key"). If that passphrase has been lost, the credentials encrypted under the key cannot be recovered: you must generate a new key and re-enter the credentials.

    5. Click OK.
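The same checks and both key operations can be scripted from the SharePoint 2010 Management Shell. The following script is an added example and is not part of this article or of SharePoint; it uses the Update-SPSecureStoreMasterKey (Generate New Key) and Update-SPSecureStoreApplicationServerKey (Refresh Key) cmdlets. The -Action switch, the Test-SecureStorePassphrase helper and the "*Secure Store*" TypeName filter used to find the proxy are the script's own assumptions, not SharePoint parameters.

```powershell
# Added example; not part of the TechNet article or of SharePoint itself.
# Run in the SharePoint 2010 Management Shell as a Farm Administrator who is also
# a Service Application Administrator for the Secure Store instance.
# Assumed names: the -Action switch, Test-SecureStorePassphrase and the "*Secure Store*"
# TypeName filter are this script's own choices, not SharePoint cmdlet parameters.
param(
    [ValidateSet("Generate", "Refresh")]
    [string]$Action = "Refresh"
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-SecureStorePassphrase {
    param([string]$Passphrase)
    # The article's rule: at least eight characters and three of the four classes
    # (uppercase, lowercase, numerals, listed special characters). -cmatch keeps the
    # letter checks case-sensitive; the default -match would not.
    if ($Passphrase.Length -lt 8) { return $false }
    $classes = 0
    if ($Passphrase -cmatch '[A-Z]') { $classes++ }
    if ($Passphrase -cmatch '[a-z]') { $classes++ }
    if ($Passphrase -match '[0-9]') { $classes++ }
    if ($Passphrase -match '[!"#$%&''()*+,\-./:;<=>?@\[\\\]^_`{|}~]') { $classes++ }
    return ($classes -ge 3)
}

# 1. Show the most recent 7535 events so the failure can be tied to a time and a server.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 7535 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue
foreach ($e in $events) { "{0}  {1}" -f $e.TimeCreated, $e.Message }

# 2. Locate the Secure Store Service application proxy; both key cmdlets take the
#    proxy, not the service application.
$proxy = Get-SPServiceApplicationProxy |
    Where-Object { $_.TypeName -like "*Secure Store*" } | Select-Object -First 1
if (-not $proxy) { throw "No Secure Store Service application proxy found in this farm." }

# 3. Prompt for the passphrase without echoing it. SharePoint never stores it, so it
#    has to come from the administrator's own safe record.
$secure = Read-Host -AsSecureString "Secure Store passphrase"
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$passphrase = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

if ($Action -eq "Generate") {
    # Equivalent of Generate New Key. Only do this when no key exists or the old key
    # and its passphrase are gone: credentials encrypted under a key that can no
    # longer be retrieved stay unreadable and have to be re-entered.
    if (-not (Test-SecureStorePassphrase $passphrase)) {
        throw "Passphrase does not meet the complexity rules; key not generated."
    }
    Update-SPSecureStoreMasterKey -ServiceApplicationProxy $proxy -Passphrase $passphrase
} else {
    # Equivalent of Refresh Key: makes the existing master key available on this
    # application server. The passphrase must be the one used to generate the key.
    Update-SPSecureStoreApplicationServerKey -ServiceApplicationProxy $proxy -Passphrase $passphrase
}
```

Run it with -Action Refresh on each application server that reports the event (a refresh is per server), and with -Action Generate only when you have confirmed that no key exists or that the passphrase is irrecoverable.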

To restore the Secure Store Service by using Central Administration

  • If the secure store database is corrupted, restore the database from a backup. After the restore operation is successfully completed, you must refresh the key by entering the passphrase that was used when the key was generated; until you do, the restored credentials cannot be decrypted.

    Note

    You cannot use a configuration-only backup to restore the Secure Store Service.

    To restore the secure store database:

    1. Verify that the user account that is performing this procedure is a member of the Farm Administrators group.

    2. On the Central Administration Home page, in the Backup and Restore section, click Restore from a backup.

    3. On the Restore from Backup — Step 1 of 3: Select Backup to Restore page, select the backup job that contains the most recent farm-level backup, and then click Next. You can view more details about each backup by clicking the plus sign (+) next to the backup.

      Note

      If the backup job that you want does not appear, in the Backup Directory Location text box, type the path of the folder that contains the correct backup, and then click Refresh.

    4. On the Restore from Backup — Step 2 of 3: Select Component to Restore page, expand Shared Services Applications, select the check box that is next to the Secure Store Service application backup group, and then click Next.

    5. On the Restore from Backup — Step 3 of 3: Select Restore Options page, in the Restore Component section, make sure that Farm\Shared Services\Shared Services Applications\<Secure Store Service name> appears in the Restore the following component list.

    6. In the Restore Options section, under Type of restore, click Same configuration.

    7. In the dialog box that asks you to confirm the operation, click OK.

    8. Click Start Restore.

      You can view the general status of all recovery jobs at the top of the Backup and Restore Job Status page in the Readiness section. You can view the status for the current recovery job in the lower part of the page in the Restore section. The status page is automatically updated every 30 seconds. You can manually update the status details by clicking Refresh. Backup and recovery are timer service jobs. Therefore, it may take several seconds for the recovery to start.

      If you receive any errors, you can review them in the Failure Message column of the Backup and Restore Job Status page. You can also find more details in the Sprestore.log file at the path that you specified in step 3.

    To refresh the key after the restore:

    1. On the Central Administration Home page, in the Application Management section, click Manage service applications.

    2. On the Service Applications page, click the instance of the Secure Store Service. You might receive an error that says "Unable to obtain master key." This is expected until the key has been refreshed.

    3. On the Secure Store Service page, on the ribbon, click Refresh Key.

    4. In the Refresh Key dialog box, type the passphrase in the Pass Phrase box, and then click OK.
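The restore and the key refresh that must follow it can also be run from the SharePoint 2010 Management Shell. The script below is an added example, not code from this article or from SharePoint; it uses Get-SPBackupHistory and Restore-SPFarm (whose Overwrite restore method corresponds to the "Same configuration" option) and then refreshes the key with Update-SPSecureStoreApplicationServerKey. $BackupDir, $AppName, the backup-history property names (SelfId, StartTime, IsFailure) and the "*Secure Store*" TypeName filter are the script's assumptions.

```powershell
# Added example; not part of the TechNet article or of SharePoint itself.
# Run in the SharePoint 2010 Management Shell as a Farm Administrator.
# Assumed: $BackupDir is the share that holds a full farm backup; $AppName is the
# Secure Store Service application name shown in Central Administration; the history
# property names (SelfId, StartTime, IsFailure) and the "*Secure Store*" filter are
# this script's assumptions.
param(
    [Parameter(Mandatory = $true)][string]$BackupDir,
    [Parameter(Mandatory = $true)][string]$AppName
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Pick the most recent backup in the directory that did not fail (article step 3).
$backup = Get-SPBackupHistory -Directory $BackupDir -ShowBackup |
    Where-Object { -not $_.IsFailure } |
    Sort-Object StartTime -Descending |
    Select-Object -First 1
if (-not $backup) { throw "No completed backup found under $BackupDir" }
"Using backup {0} started {1}" -f $backup.SelfId, $backup.StartTime

# 2. Restore only the Secure Store component, keeping the same configuration
#    (Restore-SPFarm calls the "Same configuration" option Overwrite). A
#    configuration-only backup cannot be used here because it does not contain the
#    database. Failures are written to sprestore.log in $BackupDir.
$start = Get-Date
$item = "Farm\Shared Services\Shared Services Applications\$AppName"
Restore-SPFarm -Directory $BackupDir -BackupId $backup.SelfId -RestoreMethod Overwrite `
    -Item $item -Confirm:$false

# 3. The restored database holds credentials encrypted under the master key, so the
#    key has to be refreshed with the passphrase from when it was generated before any
#    client application can read them.
$proxy = Get-SPServiceApplicationProxy |
    Where-Object { $_.TypeName -like "*Secure Store*" } | Select-Object -First 1
if (-not $proxy) { throw "No Secure Store Service application proxy found in this farm." }
$secure = Read-Host -AsSecureString "Secure Store passphrase"
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$passphrase = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
Update-SPSecureStoreApplicationServerKey -ServiceApplicationProxy $proxy -Passphrase $passphrase

# 4. Confirm that no new 7535 has been logged since the restore started.
$new = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 7535; StartTime = $start } `
    -ErrorAction SilentlyContinue
if ($new) {
    Write-Warning "Event 7535 logged again after the restore; check sprestore.log and the passphrase."
} else {
    "No Event 7535 logged since $start"
}
```

Because the restore is a timer job, the cmdlet can return before the job has fully started; if step 4 reports the event again, wait for the job to finish on the Backup and Restore Job Status page and then rerun only the refresh (step 3) on each application server.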