
Why Would You Generate A Secure Store Master Key


APPLIES TO: 2013 2016 2019 SharePoint Online

You can restore the Secure Store service application by using the SharePoint Central Administration website or PowerShell. The restore tool that you use depends on the kind of environment that you have deployed, your schedule requirements, and service level agreements that you have made with your organization.

Before you begin

The Secure Store Service provides the capability of securely storing credential sets and associating credentials to specific identities or a group of identities.

The first time you open a newly created Secure Store service application you will see the message "Before creating a new Secure Store Target Application, you must first generate a new key for this Secure Store Service Application from the ribbon." You must generate an encryption key (the master key) once; after that, the rest of the Secure Store functionality becomes available.

Before you begin this operation, review the following information about the Secure Store service application:

  • Every time that you enter a new passphrase, SharePoint Server creates a new Master Key and re-encrypts the credentials sets with that key. The passphrase gives you access to the Master Key created by SharePoint Server that is used to encrypt the credential sets.

  • To restore the Secure Store Service you will need the passphrase that was recorded when the service was backed up; without it the master key cannot be recovered and the restored credential sets cannot be decrypted.

Using Central Administration to restore the Secure Store Service in SharePoint Server

Use the following procedure to restore the Secure Store Service by using Central Administration.

To restore the Secure Store Service by using Central Administration

  1. Verify that the user account performing this procedure is a member of the Farm Administrators group.

  2. Start Central Administration.

  3. In Central Administration, on the home page, in the Backup and Restore section, click Restore from a backup.

  4. On the Restore from Backup — Step 1 of 3: Select Backup to Restore page, select the backup job that contains the backup that you want, or a farm-level backup, from the list of backups, and then click Next. You can view more details about each backup by clicking the (+) next to the backup.

    Note

    If the correct backup job does not appear, in the Backup Directory Location text box, type the path of the correct backup folder, and then click Refresh. You cannot use a configuration-only backup to restore the Secure Store Service.

  5. On the Restore from Backup — Step 2 of 3: Select Component to Restore page, expand Shared Services Applications and select the check box that is next to the Secure Store Service application backup group, and then click Next.

  6. On the Restore from Backup — Step 3 of 3: Select Restore Options page, in the Restore Component section, make sure that Farm\Shared Services\Shared Services Applications\<Secure Store Service name> appears in the Restore the following component list.

    In the Restore Options section, under Type of restore, select the Same configuration option. A dialog box will appear that asks you to confirm the operation. Click OK.

    Click Start Restore.

  7. You can view the general status of all recovery jobs at the top of the Backup and Restore Job Status page in the Readiness section. You can view the status for the current recovery job in the lower part of the page in the Restore section. The status page updates every 30 seconds automatically. You can manually update the status details by clicking Refresh. Backup and recovery are Timer service jobs, so it may take several seconds for the recovery to start.

    If you receive any errors, you can review them in the Failure Message column of the Backup and Restore Job Status page. You can also find more details in the Sprestore.log file in the backup folder that you selected in step 4.

  8. After the restore operation has successfully completed, you must refresh the passphrase.

  9. In Central Administration, on the home page, in the Application Management section, click Manage service applications.

  10. On the Service Applications page, click the Secure Store Service name. You might receive an error that says 'Unable to obtain master key.'

  11. On the Secure Store Service page, on the ribbon, click Refresh Key.

  12. In the Refresh Key dialog box, type the passphrase in the Pass Phrase box, and then click OK.

Using PowerShell to restore the Secure Store Service in SharePoint Server

You can use PowerShell to restore the Secure Store Service.

To restore the Secure Store Service by using PowerShell

  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running the PowerShell cmdlets.

    An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint Server cmdlets.

    Note

    If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about PowerShell permissions, see Add-SPShellAdmin.

  2. Start the SharePoint Management Shell.

  3. At the PowerShell command prompt, run the Restore-SPFarm cmdlet with the -Directory, -Item and -RecoveryMethod Overwrite parameters, where:

    • <BackupFolder> is the path for the backup folder where the service application was backed up.

    • <SecureStoreServicename> is the name of the Secure Store Service application.

    If you have multiple backups, use the BackupId parameter to specify which backup to use. To view all of the backups for the farm, run the Get-SPBackupHistory cmdlet with the -ShowBackup switch against the backup folder.

    Note

    If you do not specify a value for the BackupId parameter, the most recent backup will be used. You cannot restore the Secure Store Service from a configuration-only backup.

  4. After the restore operation has successfully completed, you must refresh the passphrase. At the PowerShell command prompt, run the Update-SPSecureStoreApplicationServerKey cmdlet with the -Passphrase parameter, where <Passphrase> is the passphrase you currently use (the one recorded when the service was backed up).
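The PowerShell procedure above, end to end, as an added example; this is not code from the Microsoft article. The backup folder, service application name, proxy display name and site URL are assumed placeholders for a particular farm; the cmdlets and parameters are the documented SharePoint ones, and the history-object property names (SelfId, StartTime, IsConfigurationOnly) are those exposed by Get-SPBackupHistory.

```powershell
# Added example (not from the Microsoft article): restore the Secure Store
# service application from a farm backup, then refresh its key.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$backupFolder    = '\\backupsrv\SPBackups'        # assumed: folder the farm was backed up to
$secureStoreName = 'Secure Store Service'         # assumed: service application name
$proxyName       = 'Secure Store Service Proxy'   # assumed: proxy display name
$item = "Farm\Shared Services\Shared Services Applications\$secureStoreName"

# 1. Choose the backup. A configuration-only backup cannot restore the
#    Secure Store Service, so filter those out before taking the newest one.
$candidates = @(Get-SPBackupHistory -Directory $backupFolder -ShowBackup |
    Where-Object { -not $_.IsConfigurationOnly } |
    Sort-Object StartTime -Descending)
if ($candidates.Count -eq 0) { throw "No usable full backup found in $backupFolder" }
$backupId = $candidates[0].SelfId

# 2. Restore only the Secure Store component, overwriting the current one.
Restore-SPFarm -Directory $backupFolder -Item $item -BackupId $backupId `
    -RecoveryMethod Overwrite -Confirm:$false

# 3. Refresh the key on the restored application. Read-Host hands the typed
#    text over verbatim: a '$' in the passphrase is not expanded as a variable
#    and the value does not end up in the shell's command history.
$proxy = Get-SPServiceApplicationProxy | Where-Object { $_.DisplayName -eq $proxyName }
if (-not $proxy) { throw "Service application proxy '$proxyName' not found" }
$passphrase = Read-Host -Prompt 'Passphrase recorded when the Secure Store was backed up'
Update-SPSecureStoreApplicationServerKey -ServiceApplicationProxy $proxy -Passphrase $passphrase

# 4. Check: enumerating target applications only succeeds once the master key
#    can be read, the same condition behind "Unable to obtain master key" in
#    Central Administration.
$siteUrl = 'http://intranet.contoso.local'        # assumed: a site served by a web app that uses the proxy
Get-SPSecureStoreApplication -ServiceContext $siteUrl -All | Format-List
```

Run this from a SharePoint Management Shell started as an account that holds the memberships listed in step 1; the restore itself runs as a timer job, so step 4 may need a short wait before it reports the restored target applications.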

Should errors occur while updating the Secure Store passphrase, see Refresh the Secure Store encryption key.

For more information, see Restore-SPFarm and Update-SPSecureStoreApplicationServerKey.

Note

We recommend that you use Microsoft PowerShell when performing command-line administrative tasks. The Stsadm command-line tool has been deprecated, but is included to support compatibility with previous product versions.


The PowerPivot Configuration Tool included in SQL Server Code Name “Denali” CTP3 is undoubtedly a great new utility for SharePoint administrators. This tool doesn’t just enable you to configure or upgrade PowerPivot in a SharePoint farm. It takes PowerPivot configuration to a whole new level. Here are some key improvements in comparison to what’s available with SQL Server 2008 R2:

  • No special SharePoint or PowerPivot knowledge required to create a PowerPivot-enabled SharePoint farm.
  • Configuration tasks are separated from installation tasks—SharePoint configuration issues no longer interfere with the SQL Server Setup process.
  • All configuration settings are validated prior to applying changes.
  • The configuration process can be interrupted and resumed at any time.
  • Settings and results are automatically documented (except passwords and passphrases).


Let's have some fun exploring this tool. First, you need an installation of Denali CTP3 PowerPivot for SharePoint. Thanks to the separation of installation and configuration tasks, this is relatively quickly accomplished, especially if you are deploying a single-server test environment. Log on using a domain account with administrative permissions on the local computer, install SharePoint 2010 (choose the options Server Farm and Complete – Install All Components) without running the SharePoint 2010 Products Configuration Wizard afterwards, and then update this installation with Service Pack 1 for SharePoint 2010, again without running the SharePoint 2010 Products Configuration Wizard. Next, launch Denali CTP3 Setup. On the Setup Role screen, select the options SQL Server PowerPivot for SharePoint and Add SQL Server Database Relational Engine Services to this Installation, and then click Next in all remaining wizard screens to accept the default settings as suggested. You only need to provide a domain account and a password for the Analysis Services service. Note that you must use a domain account to support PowerPivot for SharePoint, but this domain account does not require administrative permissions on the local computer.


Moving on to the PowerPivot Configuration Tool, the first thing to note is that Denali CTP3 Setup only installs and configures the SQL Server program files and services on the local computer, but it doesn’t configure the SharePoint farm. This is where the new PowerPivot Configuration Tool comes into play. Start it by clicking on the PowerPivot Configuration Tool link, which you can find on the Start menu under All Programs, Microsoft SQL Server Denali CTP3, and Configuration Tools. You can also start it from within SQL Server Installation Center, if you look under Tools. On the PowerPivot Configuration Tool’s first screen, click Configure or Repair PowerPivot for SharePoint, as depicted in the following screenshot.

At a first glance, the PowerPivot Configuration Tool might be overwhelming. It just covers a lot of ground. Take a moment to get familiar with the user interface. The left pane shows you a long list of actions that the tool is designed to carry out, neatly organized in a tree view for informational purposes. The right pane has three tabs: Parameters, Script, and Output. Their purpose is self-explanatory. As you can see in the screenshot above, you only need to specify five parameters to configure a new SharePoint farm for PowerPivot: service account, password, database server name, passphrase, and TCP port for Central Administration. The configuration tool even makes an attempt to suggest meaningful default parameters, so you only need to specify password and passphrase.

There are some subtle features in the PowerPivot Configuration Tool that only a connoisseur can truly appreciate. My absolute favorite is parameter validation carried out without performing any actual configuration tasks in SharePoint. This is one of those work items that is usually taken for granted and yet it takes so much to do it right. If you have written software, you know how tedious it is to validate user input, and here you see a tool that doesn’t just validate input, but goes through an exhaustive series of checks to ensure the PowerPivot for SharePoint configuration can succeed, as shown in the following screenshot. If you happen to change a setting after validation, the tool automatically flags the affected steps in the left pane and requires you to validate the configuration parameters again. Kudos to Software Developer Engineer Fernando Godinez Delgado, who built the PowerPivot Configuration Tool!

Perhaps you are not as excited about parameter validation as I am, but if you are an experienced SharePoint administrator or troubleshooter, you might get excited about the Script tab. This tab shows you the commands that the tool is going to execute when you click on the Run button. You can say that the PowerPivot Configuration Tool is essentially a script executor and nothing stops you from executing the commands manually. Note that the commands on the Script tab include the user input from the Parameters tab. It’s easy to copy all or individual sections of the script to the clipboard and paste them into a PowerShell window. Here’s an example demonstrating how helpful this is in a troubleshooting situation:

  1. Run the PowerPivot Configuration Tool, specify the service account password as required, and then make sure you type AYX$dcv?00 into the Passphrase and Confirm Passphrase textboxes.

Hint: The dollar sign in the passphrase is super important because it causes the Secure Store configuration to fail, as shown in the following screenshot, even though the passphrase meets the complexity requirements. I’m exploiting a known CTP3 issue, which causes the error. The issue is most likely going to be fixed in the final release.

  2. Click Validate, which correctly succeeds, and then click Run.
  3. In the dialog box informing you that all configuration settings flagged as valid will be applied to the SharePoint farm, click Yes.
  4. Note that the configuration unexpectedly fails when trying to update the Secure Store Master Key. In the Task Configuration dialog box, informing you that one or more actions failed, click OK.


Prior to Denali CTP3 and the PowerPivot Configuration Tool, such configuration issues would have caused SQL Server Setup to fail and roll back the entire deployment. Now, you can just switch to SharePoint 2010 Central Administration, click on Manage Service Applications, click on Secure Store Service, click on Generate New Key, and then under Pass Phrase and Confirm Pass Phrase, type the passphrase, and then click OK. Having generated the master key in this way, you can switch back to the PowerPivot Configuration Tool, reevaluate the configuration, and continue with the remaining steps. Yes, the PowerPivot Configuration Tool enables you to succeed even if you encounter unexpected configuration issues along the way.

But why does this update of the master key fail in the PowerPivot Configuration Tool? The error message includes an important hint: The passphrase supplied does not meet the minimum complexity requirements. This isn’t true because AYX$dcv?00 certainly meets the requirements. So, what exactly is failing? Let’s switch to the Script tab, locate the command, and investigate the root cause. The command line in question is undoubtedly:

UpdateSecureStoreMasterKey "Secure Store Proxy" "********"

The ConfigurePowerPivot.ps1 library that ships with the PowerPivot Configuration Tool implements the UpdateSecureStoreMasterKey function. By default, this library is located in the %ProgramFiles%\Microsoft SQL Server\110\Tools\PowerPivotTools\ConfigurationTool\Resources folder. You can determine the exact path on the Script tab. Just check the very first line, such as
# Open PowerShell library from: C:\Program Files\Microsoft SQL Server\110\Tools\PowerPivotTools\ConfigurationTool\Resources\ConfigurePowerPivot.ps1. Open this .ps1 file in Notepad, search for UpdateSecureStoreMasterKey, and you should find the corresponding function, which is implemented as follows:

Function UpdateSecureStoreMasterKey
{
param($proxyName, $farmPassPhrase)
### Retrieve secure store service application proxy by display name
$proxy = Get-SPServiceApplicationProxy | where {$_.DisplayName -eq $proxyName}

if($proxy)
{
### Set the master key, then the application server key; each pause gives the
### farm time to propagate the new key before the next call
Update-SPSecureStoreMasterKey -ServiceApplicationProxy $proxy -Passphrase $farmPassPhrase
start-sleep -s 60
Update-SPSecureStoreApplicationServerKey -ServiceApplicationProxy $proxy -Passphrase $farmPassPhrase
start-sleep -s 60
}
else
{
throw "Secure Store Service Application proxy doesn't exist"
}
}


As you can see, this function relies on standard SharePoint 2010 cmdlets, and the parameters $proxyName and $farmPassPhrase receive the strings "Secure Store Proxy" and "AYX$dcv?00". Let's run these cmdlets manually to see what happens:

  1. Start the SharePoint 2010 Management Shell by right-clicking on the corresponding link in the Microsoft SharePoint 2010 Products program group in the Start menu, and clicking Run as Administrator.
  2. In the User Account Control dialog box, asking you if you want to continue, click Yes.
  3. Type $proxyName = "Secure Store Proxy" and press Enter to set the first parameter.
  4. Type $farmPassPhrase = "AYX$dcv?00" and press Enter to set the second parameter, quoted exactly as the script does.
  5. Type $proxy = Get-SPServiceApplicationProxy | where {$_.DisplayName -eq $proxyName} and press Enter to retrieve the Secure Store Service Application Proxy exactly as the PowerPivot Configuration Tool would do.
  6. Type $proxy and press Enter to verify that the SharePoint cmdlet has successfully retrieved the service application proxy. The output should include DisplayName, TypeName, and ID.
  7. Type Update-SPSecureStoreMasterKey -ServiceApplicationProxy $proxy -Passphrase $farmPassPhrase and press Enter to update the Secure Store Master Key. Note that the Update-SPSecureStoreMasterKey fails with the same error message that you already encountered in the PowerPivot Configuration Tool, as in the following screenshot.


So, it is the Update-SPSecureStoreMasterKey cmdlet that is failing. Does it incorrectly reject the specified passphrase? Well, not really. The Update-SPSecureStoreMasterKey cmdlet is fine. It's our script that forgets to escape the dollar sign in the passphrase. The passphrase is enclosed in double quotation marks, so PowerShell is interpreting the dollar sign as the start of a variable reference: because the question mark is a legal character in PowerShell variable names, $dcv?00 is read as one variable name, and an undefined variable expands to an empty string. You can verify this by typing $farmPassPhrase in the PowerShell window and pressing Enter. The output only includes AYX. Clearly, not a valid passphrase, so the complexity error is accurate for the three-character string the cmdlet actually received. To fix this, type $farmPassPhrase = 'AYX$dcv?00' and press Enter. The single quotation marks turn the passphrase into a literal string and eliminate the need to escape the dollar sign. Type $farmPassPhrase again and press Enter to verify that the entire passphrase is now returned. Repeat the command Update-SPSecureStoreMasterKey -ServiceApplicationProxy $proxy -Passphrase $farmPassPhrase and it will now succeed, as the following screenshot proves. And then, finish the configuration procedure by typing Update-SPSecureStoreApplicationServerKey -ServiceApplicationProxy $proxy -Passphrase $farmPassPhrase and pressing Enter again.
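The quoting behaviour described above, as an added example that is not part of the blog post or of ConfigurePowerPivot.ps1. It needs no SharePoint cmdlets: ExpandString applies the same interpolation rules as a double-quoted string, so a script can see what a passphrase would turn into before calling the farm, and the complexity check mirrors the documented Secure Store rule (at least eight characters, at least three of the four character classes) as an assumption about what the cmdlet enforces.

```powershell
# Added example (not from the blog post): what a double-quoted passphrase
# becomes before Update-SPSecureStoreMasterKey ever sees it, and two checks a
# wrapper script can run on the literal it was handed.

function Get-DoubleQuoteExpansion {
    param([Parameter(Mandatory)][string]$Literal)
    # Same rules as "..." : $name and $(expr) are expanded, backtick escapes processed.
    # (Under Set-StrictMode an undefined variable throws instead of expanding to '')
    return $ExecutionContext.InvokeCommand.ExpandString($Literal)
}

function Test-SurvivesDoubleQuotes {
    param([Parameter(Mandatory)][string]$Literal)
    # True only if the value would reach a cmdlet byte-for-byte intact.
    return ((Get-DoubleQuoteExpansion $Literal) -ceq $Literal)
}

function Test-PassphraseComplexity {
    param([Parameter(Mandatory)][string]$Passphrase)
    # Assumed mirror of the Secure Store rule: >= 8 chars and >= 3 of 4 classes.
    if ($Passphrase.Length -lt 8) { return $false }
    $classes = 0
    if ($Passphrase -cmatch '[A-Z]')      { $classes++ }
    if ($Passphrase -cmatch '[a-z]')      { $classes++ }
    if ($Passphrase -cmatch '[0-9]')      { $classes++ }
    if ($Passphrase -cmatch '[^A-Za-z0-9]') { $classes++ }
    return ($classes -ge 3)
}

$passphrase = 'AYX$dcv?00'   # single quotes: stored literally

# "$dcv?00" is one variable name ('?' is legal in names); it is undefined, so
# the expansion drops everything after AYX.
Get-DoubleQuoteExpansion $passphrase              # AYX
Test-SurvivesDoubleQuotes $passphrase             # False
Test-SurvivesDoubleQuotes 'AYX#dcv?00'            # True

# The farm's "does not meet the minimum complexity requirements" message was
# therefore right about the value it received, and wrong only in our eyes:
Test-PassphraseComplexity (Get-DoubleQuoteExpansion $passphrase)   # False
Test-PassphraseComplexity $passphrase                              # True

# If double quotes cannot be avoided, escape the dollar sign with a backtick;
# a single-quoted here-string is another literal form for long values.
$escaped = "AYX`$dcv?00"
$escaped -ceq $passphrase     # True
$hereString = @'
AYX$dcv?00
'@
$hereString -ceq $passphrase  # True
```

A wrapper that fails fast on Test-PassphraseComplexity before calling Update-SPSecureStoreMasterKey gives a clear local error instead of the misleading one from the farm; better still, take the passphrase from Read-Host or a script parameter, where no interpolation happens at all.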


At this point, the master key issue has been resolved and you can switch back to the PowerPivot Configuration Tool to continue, as mentioned earlier. If you already closed the tool, you can start it again. Choose Configure or Repair PowerPivot for SharePoint, type any required information, such as the Default Account Password, and then click Validate. Note that the PowerPivot Configuration Tool detects the SharePoint configuration and continues with the correct step after the master key update (see the following screenshot).


Additionally, you can examine the individual steps that the PowerPivot Configuration Tool performed in great detail if you switch to the Output tab. Note that the tool automatically scrolls to the output section that corresponds to the selected action in the left pane. If you select Create Unattended Account for DataRefresh in the left pane, for instance, the tool scrolls down to display the relevant sections for CreateUnattendedAccountForDataRefresh and so forth. Note also that you can analyze the output outside of the PowerPivot Configuration Tool. Every time you run the tool, it writes the output into an xml file, which stores the values you entered and the results from the run. Output files are located in the %ProgramFiles%\Microsoft SQL Server\110\Tools\PowerPivotTools\ConfigurationTool\Log folder.


This concludes this excursion into the PowerPivot Configuration Tool. I hope you find it useful in your work as a SharePoint administrator. In one of the next posts, I’m going to show you how to use this tool to configure a multi-server SharePoint farm. Stay tuned!