Resolving a Problem Creating a New Encryption Key for Secure Store Service in SharePoint 2013
I ran across this problem today, which was caused by something that's easy to forget, so I thought I would share the issue and resolution. I was in central admin and trying to create a new Encryption Key for the Secure Store Service. When I tried to generate a new key it failed, and the ULS logs contained an error message like this:

User [0#.w|contoso\fred] tried [ChangeMasterSecretKey] operation, user does not have admin privileges to perform the operation.

I found this puzzling, so after a few tries I tried logging in as the farm administrator and creating the key. Voila - it worked! This however was not the end of the problems. I then logged back in as myself, went to the manage Secure Store Service page and got a message that said my access was denied to the Secure Store Service. I'm a farm admin, so what's the deal?
Well... as it turns out, for Secure Store Service you also have to go into Manage Service Applications, select the Secure Store Service, and then click the Administrators button in the ribbon. Even though I'm a farm admin, I still have to specifically add my account as an Administrator for the Secure Store Service. Reminded me of all the times and places we had to do this in SharePoint 2010, so this little event was a good reminder in SharePoint 2013 to check for these little gotchas again. With my account added I can now generate or refresh a key, as well as generally just use the SSS.
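The same fix can be scripted and audited from PowerShell. This is an added example, not part of the original post: it lists who is on the Secure Store Service Administrators list, adds one account, and lists the result. It assumes the SharePoint 2013 Management Shell, a session running as an account that can already manage the service application (the post used the farm administrator), and the sample account name from the ULS message above.

```powershell
# Added example: run from the SharePoint 2013 Management Shell as an account
# that can already manage the service application.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: sample account taken from the ULS message in the post.
$account = 'contoso\fred'

# Find the Secure Store Service application by type name instead of display
# name, because the display name differs from farm to farm.
$found = @(Get-SPServiceApplication |
    Where-Object { $_.TypeName -like 'Secure Store Service Application*' })
if ($found.Count -ne 1) {
    throw "Expected exactly one Secure Store Service application, found $($found.Count)."
}
$sss = $found[0]

# -Admin selects the Administrators list (the ribbon button in the post),
# not the Permissions list of the service application.
$acl = Get-SPServiceApplicationSecurity -Identity $sss -Admin
Write-Host 'Administrators before the change:'
$acl.AccessRules | Format-Table Name, AllowedRights -AutoSize | Out-Host

# Build a claims principal for the Windows account and grant it Full Control
# on the in-memory ACL, then write the ACL back to the service application.
$principal = New-SPClaimsPrincipal -Identity $account -IdentityType WindowsSamAccountName
Grant-SPObjectSecurity -Identity $acl -Principal $principal -Rights 'Full Control'
Set-SPServiceApplicationSecurity -Identity $sss -ObjectSecurity $acl -Admin

# Re-read from the farm so the output reflects what was actually stored.
Write-Host 'Administrators after the change:'
(Get-SPServiceApplicationSecurity -Identity $sss -Admin).AccessRules |
    Format-Table Name, AllowedRights -AutoSize | Out-Host
```

Running only the "before" listing is a quick way to review who can change the master key on a given farm.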
Comments
Anonymous
September 13, 2013
This shouldn't be needed though. Strange. Per the instructions on that page: Specify the users who have rights to manage this service application. These users will be given access to the Central Administration site and will be able to manage settings related to this service application. "Members of the Farm Administrators group always have rights to manage all service applications."
Anonymous
October 13, 2014
I had a similar situation where I was listed as a 'Farm Admin'; however, I did not have full functional access to the 'Secure Store Service'. It wasn't until I specifically gave myself rights to the service that I could then gain access to the 'generate key' functions.