Monday, April 16, 2018

SharePoint 2016: Exception of Type Microsoft.Office.SecureStoreService.Server.KeyManagement.InvalidMasterKeyException was thrown


Connected to a recently deployment development SharePoint 2016 farm to view health report and discovered the following rule violation:
Title The Unattended Service Account Application ID is not specified or has an invalid value.
Severity 2 - Warning
Category Security
The Unattended Service Account is a single account that all documents can use to refresh data. It is required when connecting to data sources external to SharePoint, such as SQL. Without a valid Unattended Service Account Application ID, Visio Graphics Services will not be able to refresh Web Drawings that are connected to external data sources. The rule for the Unattended Service Account Application ID failed. The ID does not exist. Visio Graphics Services Application.

To resolve this issue, the Visio Graphics Services administrator must provision the Secure Store Service, create a target application, and assign the ID of this target application to this setting. For more information about this rule, see "".
On navigating to the Manage Secure Store page, was presented with error message, Unable to obtain master key:
The lead farm administrator had already created a new master key, so this message shouldn't have been appearing.  I am a farm administrator tasked with preparing the farm in support of upgrade and migration.  Began troubleshooting.


  1. Granted farm administrators account Full Control: navigated to the Administrators page of the Secure Store Application, granting my admin account full control of the service application.  This was a test.
    1. Result: same message still displayed.
  2. Attempted to generate new master key via GUI
    1. Result: new message displayed: 
  3. Granted farm administrators account Full Control over connection: navigated to the Permissions page to grant my admin account Full Control over the connection.
    1. Results: same message displayed (as in step 2).
  4. Attempted to generate new master key via PowerShell:
    1. Result: same message displayed, now in shell:
      Update-SPSecureStoreApplicationServerKey : Exception of type 'Microsoft.Office.SecureStoreService.Server.KeyManagement.InvalidMasterKeyException' was thrown. At line:1 char:1 + Update-SPSecureStoreApplicationServerKey -ServiceApplicationProxy $secureStore - ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidData: (Microsoft.Offic...cationServerKey:SPUpdateSPSecur...cationServer Key) [Update-SPSecureStoreApplicationServerKey], SecureStoreServiceException + FullyQualifiedErrorId : Microsoft.Office.SecureStoreService.PowerShellCmdlet.SPUpdateSPSecureStoreApplicationServerKey
  5. Removed and redeployed Secure Store Service Application: removed using PowerShell, then redeployed using PowerShell.
    1. Result: on navigating to the Manage Secure Store page, now presented with the message:
      There are no Secure Store Target Applications in this Secure Store Service Application.  You can create a new Target Application from the Manage Target Applications group in the EDIT Ribbon.
      This message indicated that a new master key could now be generated, and a new Secure Store target application could also be created.


  • If all fails, rebuild the Secure Store Service Application.


No comments: