SharePoint 2016 Secure Store Master Key Bug

In SharePoint 2016, it is currently not possible to generate a Master Key with the June 2017 through August 2017 Public Updates (PU). Attempting to generate a Master Key will lead to the below error.

ULS will show the following.

PowerShell will yield a similar set of errors.

There is currently no known workaround in SharePoint 2016. However, you can create a Secure Store Service Application in SharePoint 2013, set the Master Key, then upgrade the database to SharePoint 2016. In SharePoint 2016, refreshing the Master Key will function correctly.
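The workaround above as a PowerShell sketch. This is an added example, not from the original post; the application pool, service application and database names are placeholders, and it assumes the Secure Store database is backed up on the 2013 farm and restored to the 2016 farm's SQL Server between the two stages.

```powershell
# Added example. Run once on the SharePoint 2013 farm with -Stage Source2013,
# back up and restore the database, then run on the 2016 farm with -Stage Target2016.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Source2013', 'Target2016')]
    [string]$Stage,
    [string]$AppPoolName    = 'SharePoint Web Services Default',  # placeholder
    [string]$ServiceAppName = 'Secure Store Service',             # placeholder
    [string]$DatabaseName   = 'SecureStore_DB'                    # placeholder
)

if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
}

# Prompt for the passphrase so it never lands in script files or shell history.
# The Secure Store cmdlets take it as a plain string, so convert just before use.
$secure     = Read-Host -Prompt 'Secure Store passphrase' -AsSecureString
$passphrase = (New-Object System.Net.NetworkCredential('', $secure)).Password

$pool = Get-SPServiceApplicationPool -Identity $AppPoolName

# On 2013 this creates a new database; on 2016, pointing -DatabaseName at the
# restored 2013 database attaches and upgrades it.
$app = New-SPSecureStoreServiceApplication -Name $ServiceAppName `
    -ApplicationPool $pool -DatabaseName $DatabaseName -AuditingEnabled
$proxy = New-SPSecureStoreServiceApplicationProxy -Name "$ServiceAppName Proxy" `
    -ServiceApplication $app -DefaultProxyGroup

switch ($Stage) {
    'Source2013' {
        # Generate the Master Key where key generation still works.
        Update-SPSecureStoreMasterKey -ServiceApplicationProxy $proxy -Passphrase $passphrase
    }
    'Target2016' {
        # Refresh the key on 2016 using the same passphrase that was set on 2013.
        Update-SPSecureStoreApplicationServerKey -ServiceApplicationProxy $proxy -Passphrase $passphrase
    }
}

# Drop the plaintext copy of the passphrase from the session.
Remove-Variable passphrase
```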

5 Comments

  1. My only workaround for this was…

    – Add Farm Account to local Admin
    – log on with Farm Account
    – Open Central Administration Website
    – Create a Secure Master Key (for me this works)
    – log off and remove Farm Account from Admin Group

  2. Sorry, I forgot to tell you my version. My workaround worked with SharePoint 2016 and the July 2017 Update.

  3. Georgii Pozdniakov

    I ran into the same issue. Previously I reconfigured c2wts service to run under the managed account named sptoken. You need to grant some permissions to it:
    • Act as part of the operating system
    • Impersonate a client after authentication
    • Log on as a service

    There was an additional requirement to add this account to the local administrators group, but I decided not to do that. I tried different Secure Store Service modifications with no luck. Then I decided to add sptoken to Local admins, rebooted the server, and after that the key creation succeeded. This way, I assume that the issue is related to the security token service somehow.

  4. This error happened to me when I didn’t restore the 2013 database first. Once I restored it the error went away.
