Creating the Master key... Secure Store Service did not perform the operation.

Topics: General Questions, Support
Apr 18, 2014 at 11:19 AM
Edited Apr 18, 2014 at 1:42 PM

I've recently started using de AutoSPinstaller and let me begin by saying im absolutely amazed by the work that is done on this gem. A very complete tool for setting up a proffessional and automatically well documentated farm. Thanks for saving me from a lot of work! =D I use it in combination with the AutoSPinstallerGUI and on my first run I only run in a few mere problems which i could fix myself for the biggest part.

I've run the script on my test server a couple of times after fixing small issues. But I can't seem to get passed the following error. Which standing between me and a totally succesful finished script:
 - Provisioning Secure Store Service Application...
 - Secure Store Service Application already provisioned.
 - Creating the Master Key...
Update-SPSecureStoreMasterKey : Secure Store Service did not performed the oper
At E:\Maart2014\AutoSPInstaller\SP\AutoSPInstaller\AutoSPInstallerFunctions.ps1
:3687 char:13
+             Update-SPSecureStoreMasterKey -ServiceApplicationProxy $secureSto
re. ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (Microsoft.Offic...eStoreMasterKey:
   SPUpdateSPSecureStoreMasterKey) [Update-SPSecureStoreMasterKey], FaultExce
    + FullyQualifiedErrorId : Microsoft.Office.SecureStoreService.PowerShellCm

 - Creating the Application Key...
 - Done creating/configuring Secure Store Service Application.
I'm working with two servers; 1 WFE and 1 SQL. This setup is for test purpose and fine-tuning of the script only. Afterworths i want to translate the script for a multi-tier farm of 5 servers (2 WFE, 2 APP, 1 SQL)

Is there anybody that also ran into this and any thoughts on how to fix this?

Any help is highly appreciated!

Cheers, Arnold
Apr 18, 2014 at 3:39 PM
Are you testing this with one SharePoint server or multiple? If it is multiple and you have apps on different servers, it will create the SS Service on the box with the application using it.

If that is the case, there is a bug in the commandlet, not AutoSpInstaller, that you will have to stop the other instances of SS so it can set the key on this box.
Apr 20, 2014 at 1:32 PM
No im running everything on one SharePoint server. So the SS service is running on the same machine. My first thought was that the service was not running or fully started after the first run of the script, so I gave the server a reboot after the first time the script finished. After that I started the script again and this is the only error I have when I run the script for the second time (and thirth and fourth =D )

So not sure whats happening here.
Apr 20, 2014 at 6:31 PM
Try starting the Claims to Windows token service. I believe the secure store is dependent on it.

Apr 21, 2014 at 2:33 AM
Hey Ivan, this is interesting... do you have a reference? If it's the case (and we know authoritatively) I'd like to build this dependency into AutoSPInstaller.

Apr 21, 2014 at 4:21 AM
I don't recall where I read this but it appears to work.

I just reproduced it two times on my fresh SP2013 SP1 (from MSDN ISO) install.

Claims to Windows Token Disabled
1: Fail
2: Reboot, fail.
3: Reboot, fail.

Claims to Windows Token Enabled
1: Fail
2: Reboot, works

Let me know if you need any more detail.

Apr 22, 2014 at 12:42 PM
I back Ivan's story up, I setup Claims to Windows token service and it ran completely succesfull now.. My script had it set on false.

Thanks a million for the help! Now all I need to figure out is if I want the Claims to Windows token service to run on my machines..
Apr 22, 2014 at 2:53 PM
Thanks guys, I'll verify as well and if necessary add the dependency (i.e. force C2WTS to start if Secure Store is being provisioned) similar to how I already have dependencies included for Excel Services, Visio Services, PerformancePoint - they all require C2WTS.

Apr 22, 2014 at 4:44 PM
I just successfully provisioned the Secure Store service on a brand new single-server farm without provisioning the Claims to Windows Token Service. Therefore, we can't truly say there is a direct dependency on C2WTS for Secure Store...

Back to the drawing board :)

Apr 22, 2014 at 5:06 PM
Unless this is a specific issue with a specific version, I also have the same findings as Brian. I have not seen any article that points C2WTS as a prerequisite for secure store.
Apr 22, 2014 at 7:39 PM
Brian, which version of Windows did you do your test on?
I'm running 2012 R2.
Here is my XML

Apr 22, 2014 at 8:01 PM
Yup, 2012 R2 with the Spring 2014 update, with SharePoint 2013 SP1-integrated ISO. I can't see how this would be dependent on operating system though.

Apr 22, 2014 at 8:03 PM
I noticed in your XML you already have ClaimsToWindowsTokenService Start="localhost" - you'd need to set this to "false" in order to verify that Secure Store can be provisioned without C2WTS.

Apr 23, 2014 at 4:48 AM
I'm aware of that :p
Sep 6, 2014 at 9:32 PM
In my case IIS POOL was OFF