SharePoint 2016 Secure Store Master Key Bug

In SharePoint 2016, it is currently not possible to generate a Master Key with the June 2017 through August 2017 PU. Attempting to generate a Master Key will lead to the below error.

SecureStoreMasterKeyGenerationError

Secure Store Service	Secure Store	eft7	High	ChangeMasterSecretKey called.
Secure Store Service	Secure Store	azmi9	Medium	SSServiceDatabaseProvider.GetSession invoked.
SharePoint Foundation	General	7fd9	Unexpected	ERROR: Failed to OpenThreadToken, LastError=1008
SharePoint Foundation	General	7fd9	Unexpected	ERROR: Failed to OpenThreadToken, LastError=1008
SharePoint Foundation	General	8kh7	High	Cannot complete this action.  Please try again.
SharePoint Foundation	General	ai1wu	Medium	System.Runtime.InteropServices.COMException: Cannot complete this action.  Please try again., StackTrace:    at Microsoft.SharePoint.Administration.SPAcl`1.CalculatePermissions()     at Microsoft.SharePoint.Administration.SPAcl`1.DoesUserHavePermissions(T permissions)     at Microsoft.SharePoint.Administration.SPServiceApplication.DemandAdministrationAccess(SPCentralAdministrationRights accessRights)     at Microsoft.Office.SecureStoreService.Server.SecureStoreServiceApplication.DemandAdminAccess()     at Microsoft.Office.SecureStoreService.Server.KeyManagement.KeyManager.DemandUserIsAdmin(KeyManagementOperation operation)     at Microsoft.Office.SecureStoreService.Server.KeyManagement.KeyManager.ChangeMasterSecretKey(String token, Byte[] passPhraseHash)     at Microsoft.Office.SecureStoreService.Server.SecureStoreServiceApplication.ChangeMasterSecretKey(String token, Byte[] passPhraseHash)     at SyncInvokeChangeMasterSecretKey(Object , Object[] , Object[] )     at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)     at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)     at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)     at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage11(MessageRpc& rpc)     at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)     at System.ServiceModel.Dispatcher.ChannelHandler.DispatchAndReleasePump(RequestContext request, Boolean cleanThread, OperationContext currentOperationContext)     at System.ServiceModel.Dispatcher.ChannelHandler.HandleRequest(RequestContext request, OperationContext currentOperationContext)     at System.ServiceModel.Dispatcher.ChannelHandler.AsyncMessagePump(IAsyncResult result)     at System.ServiceModel.Dispatcher.ChannelHandler.OnAsyncReceiveComplete(IAsyncResult result)     at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)     at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)     at System.ServiceModel.Dispatcher.MultipleReceiveBinder.HandleReceiveRequestComplete(IAsyncResult innerResult, Boolean completedSynchronously)     at System.ServiceModel.Dispatcher.MultipleReceiveBinder.OnInnerReceiveCompleted(IAsyncResult nestedResult)     at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)     at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)     at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.InnerTryReceiveCompletedCallback(IAsyncResult result)     at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)     at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)     at System.Runtime.InputQueue`1.AsyncQueueReader.Set(Item item)     at System.Runtime.InputQueue`1.EnqueueAndDispatch(Item item, Boolean canDispatchOnThisThread)     at System.Runtime.InputQueue`1.EnqueueAndDispatch(T item, Action dequeuedCallback, Boolean canDispatchOnThisThread)     at System.ServiceModel.Channels.SingletonChannelAcceptor`3.Enqueue(QueueItemType item, Action dequeuedCallback, Boolean canDispatchOnThisThread)     at System.ServiceModel.Channels.HttpPipeline.EnqueueMessageAsyncResult.CompleteParseAndEnqueue(IAsyncResult result)     at System.ServiceModel.Channels.HttpPipeline.EnqueueMessageAsyncResult.HandleParseIncomingMessage(IAsyncResult result)     at System.Runtime.AsyncResult.SyncContinue(IAsyncResult result)     at System.ServiceModel.Channels.HttpPipeline.EmptyHttpPipeline.BeginProcessInboundRequest(ReplyChannelAcceptor replyChannelAcceptor, Action dequeuedCallback, AsyncCallback callback, Object state)     at System.ServiceModel.Channels.HttpChannelListener`1.HttpContextReceivedAsyncResult`1.ProcessHttpContextAsync()     at System.ServiceModel.Channels.HttpChannelListener`1.BeginHttpContextReceived(HttpRequestContext context, Action acceptorCallback, AsyncCallback callback, Object state)     at System.ServiceModel.Activation.HostedHttpTransportManager.HttpContextReceived(HostedHttpRequestAsyncResult result)     at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.HandleRequest()     at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.BeginRequest()     at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.OnBeginRequest(Object state)     at System.Runtime.IOThreadScheduler.ScheduledOverlapped.IOCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* nativeOverlapped)     at System.Runtime.Fx.IOCompletionThunk.UnhandledExceptionFrame(UInt32 error, UInt32 bytesRead, NativeOverlapped* nativeOverlapped)     at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP)
Secure Store Service	Secure Store	eft9	Unexpected	ChangeMasterSecretKey failed with exception : Microsoft.SharePoint.SPException: Cannot complete this action.  Please try again. ---> System.Runtime.InteropServices.COMException: Cannot complete this action.  Please try again.     at Microsoft.SharePoint.Library.SPRequestInternalClass.CalculatePermissionsForCurrentThread(Object& pvarAcl, Boolean bOnlyAces, UInt64& pPermGrant, UInt64& pPermDeny, Boolean& pbIsSiteAdmin, Boolean& pbIsSiteAuditor)     at Microsoft.SharePoint.Library.SPRequest.CalculatePermissionsForCurrentThread(Object& pvarAcl, Boolean bOnlyAces, UInt64& pPermGrant, UInt64& pPermDeny, Boolean& pbIsSiteAdmin, Boolean& pbIsSiteAuditor)     --- End of inner exception stack trace ---     at Microsoft.SharePoint.SPGlobal.HandleComException(COMException comEx)     at Microsoft.SharePoint.Library.SPRequest.CalculatePermissionsForCurrentThread(Object& pvarAcl, Boolean bOnlyAces, UInt64& pPermGrant, UInt64& pPermDeny, Boolean& pbIsSiteAdmin, Boolean& pbIsSiteAuditor)     at Microsoft.SharePoint.Administration.SPAcl`1.CalculatePermissions()     at Microsoft.SharePoint.Administration.SPAcl`1.DoesUserHavePermissions(T permissions)     at Microsoft.SharePoint.Administration.SPServiceApplication.DemandAdministrationAccess(SPCentralAdministrationRights accessRights)     at Microsoft.Office.SecureStoreService.Server.SecureStoreServiceApplication.DemandAdminAccess()     at Microsoft.Office.SecureStoreService.Server.KeyManagement.KeyManager.DemandUserIsAdmin(KeyManagementOperation operation)     at Microsoft.Office.SecureStoreService.Server.KeyManagement.KeyManager.ChangeMasterSecretKey(String token, Byte[] passPhraseHash)
Secure Store Service	Secure Store	azmi9	Medium	SSServiceDatabaseProvider.GetSession invoked.
Secure Store Service	Secure Store	a491d	High	MasterSecretKeyExists threw exception: Microsoft.Office.SecureStoreService.Server.SecureStoreServiceException: Master secret key is not present in the database.     at Microsoft.Office.SecureStoreService.Server.SecureStoreServiceDatabase.GetEncryptedMasterKey(Byte[]& encryptedMasterKey, Byte[]& initializationVector, Byte[]& checksum, Int32& version)     at Microsoft.Office.SecureStoreService.Server.SecureStoreServiceDatabase.get_MasterSecretKeyExists().

PowerShell will yield a similar set of errors.

There is currently no known workaround in SharePoint 2016. However, you can create a Secure Store Service Application in SharePoint 2013, set the Master Key, then upgrade the database to SharePoint 2016. In SharePoint 2016, refreshing the Master Key will function correctly.

Trevor Seward is a Microsoft Office Apps and Services MVP who specializes in SharePoint Server administration, hybrid scenarios, and SharePoint Online. He has been working with SharePoint for 16 years from SharePoint 2003 on up, managing environments with terabytes of content for 150,000+ user organizations. Trevor is an author of Deploying SharePoint 2016 and Deploying SharePoint 2019. You can find him on Twitter and in /r/sharepoint.