SharePoint 2016 Secure Store Master Key Bug

In SharePoint 2016, it is currently not possible to generate a Master Key with the June 2017 through August 2017 PU. Attempting to generate a Master Key will lead to the below error.

ULS will show the following.

PowerShell will yield a similar set of errors.

There is currently no known workaround in SharePoint 2016. However, you can create a Secure Store Service Application in SharePoint 2013, set the Master Key, then upgrade the database to SharePoint 2016. In SharePoint 2016, refreshing the Master Key will function correctly.
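The upgrade path described above, sketched as an added example that is not part of the original post. The service application, application pool, database and server names are placeholders passed in by the caller, and the Secure Store Service instance is assumed to be started on the server where each function runs.

```powershell
# Added example. All names passed to these functions are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Read-Passphrase {
    # Prompt for the passphrase so it is not hardcoded in the script.
    $secure = Read-Host -Prompt 'Secure Store passphrase' -AsSecureString
    (New-Object System.Net.NetworkCredential('', $secure)).Password
}

function New-SecureStoreOn2013 {
    # Run on the SharePoint 2013 farm: create the service application
    # and generate the Master Key there, where generation still works.
    param([string]$Name, [string]$PoolName, [string]$DatabaseName)
    $pool  = Get-SPServiceApplicationPool -Identity $PoolName
    $app   = New-SPSecureStoreServiceApplication -Name $Name `
                 -ApplicationPool $pool -DatabaseName $DatabaseName -AuditingEnabled
    $proxy = New-SPSecureStoreServiceApplicationProxy -Name "$Name Proxy" `
                 -ServiceApplication $app
    Update-SPSecureStoreMasterKey -ServiceApplicationProxy $proxy `
        -Passphrase (Read-Passphrase)
}

# Between the two steps: back up the Secure Store database on the 2013
# SQL Server instance and restore it on the instance used by the 2016 farm.

function Mount-SecureStoreOn2016 {
    # Run on the SharePoint 2016 farm: creating the service application
    # against the restored database upgrades it in place.
    param([string]$Name, [string]$PoolName,
          [string]$DatabaseName, [string]$DatabaseServer)
    $pool  = Get-SPServiceApplicationPool -Identity $PoolName
    $app   = New-SPSecureStoreServiceApplication -Name $Name `
                 -ApplicationPool $pool -DatabaseName $DatabaseName `
                 -DatabaseServer $DatabaseServer -AuditingEnabled
    $proxy = New-SPSecureStoreServiceApplicationProxy -Name "$Name Proxy" `
                 -ServiceApplication $app -DefaultProxyGroup
    # Supply the passphrase chosen on the 2013 farm so the 2016 servers
    # can decrypt the existing Master Key instead of generating a new one.
    Update-SPSecureStoreApplicationServerKey -ServiceApplicationProxy $proxy `
        -Passphrase (Read-Passphrase)
}
```

Keep the passphrase in a password vault: it is required again whenever a server is added to the farm or the key is refreshed.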


  1. My only workaround for this was…

    – Add Farm Account to local Admin
    – Log on with Farm Account
    – Open Central Administration Website
    – Create a Secure Master Key (for me this works)
    – Log off and remove Farm Account from Admin Group

  2. Sorry, I forgot to tell you my version. My workaround worked with SharePoint 2016 and July 2017 Update.

  3. Georgii Pozdniakov

    I ran into the same issue. Previously I reconfigured the c2wts service to run under the managed account named sptoken. You need to grant some permissions to it:
    • Act as part of the operating system
    • Impersonate a client after authentication
    • Log on as a service

    There was an additional requirement to add this account to the local administrators group, but I decided not to do that. I tried different Secure Store Service modifications with no luck. Then I decided to add sptoken to Local admins, rebooted the server, and after that the key creation succeeded. This way, I assume that the issue is related to the security token service somehow.

  4. This error happened to me when I didn’t restore the 2013 database first. Once I restored it the error went away.
