SharePoint 2016: An error occurred during the Generate Key process.
Problem
Observed the following health rule violation in the Health Report for a newly deployed SharePoint Server 2016 farm:
The Unattended Service Account Application ID is not specified or has an invalid value.
Navigated to Central Administration > Application Management > Manage service applications, selected the Secure Store Service Application, and then clicked on the Manage ribbon button. Observed the following message:
Before creating a new Secure Store Target Application, you must first generate a new key for this Secure Store Service Application from the ribbon.
Clicked on the Generate New Key ribbon button, entered a passphrase, clicked OK, and then observed the following error message:
An error occurred during the "Generate Key" process. Please try again or contact your administrator.
Began troubleshooting.
Troubleshooting
01) Grant my account full control to the Secure Store service application
Navigated to Central Administration > Application Management > Manage service applications, selected the Secure Store Service Application, and then clicked on the ribbon Administrators button. Added my farm administrators account and granted it full control.
02) Generate new secure store key
Repeated attempt to generate new key: same error message as previous.
03) Grant my account full control connection permissions for Secure Store
Navigated to Central Administration > Application Management > Manage service applications, selected the Secure Store Service Application, and then clicked on the ribbon Permissions button. Added my farm administrators account and granted it full control, and clicked OK.
04) Generate new secure store key
Repeated attempt to generate new key: same error message as previous.
05) Research issue
Found this reference:
06) Check status of Claims to Windows Token Service
Navigated to: Central Administration > System Settings > Servers > Manage services on Server, and then reviewed status of Claims to Windows Token Service on each farm server:
| Server | Status | Compliant |
|--------|---------|------------|
| CA | Stopped | {no entry} |
| APP | Stopped | Yes |
| WFE | Stopped | Yes |

Note: The APP server was configured in the Search role, the WFE server was configured in the Front-end with Distributed Cache role, and the CA server was configured in the Custom role.
07) Start Claims to Windows Token Service
Navigated to: Central Administration > System Settings > Servers > Manage services on Server, and then clicked Start for the Claims to Windows Token Service. Service started.
08) Generate new secure store key
Repeated attempt to generate new key: same error message as previous.
09) Perform IISRESET
On the CA server, in elevated SharePoint Management Shell, executed IISRESET
10) Generate new secure store key
Repeated attempt to generate new key: Successful.
Solution
- Ensure that the Claims to Windows Token Service (C2TS) is enabled on at least one farm server. Note that it is not automatically started for the Custom, Search and Front-end with Distributed Cache roles when deploying role-based servers. After starting C2TS, follow up by performing IISRESET on the server that the service was started on.
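The same check and fix (steps 06, 07 and 09) can be scripted from an elevated SharePoint Management Shell. This is an added example, not part of the original troubleshooting log; the server name in `$targetServer` is a placeholder assumption, and the five-minute wait is an arbitrary choice.

```powershell
# Added example: report Claims to Windows Token Service status per server,
# start it on ONE chosen server if needed, then run IISRESET there.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$typeName     = 'Claims to Windows Token Service'
$targetServer = 'CA'   # assumption: placeholder; use the server that should host the service

# Step 06: status of the service instance on every farm server.
$instances = @(Get-SPServiceInstance | Where-Object { $_.TypeName -eq $typeName })
if ($instances.Count -eq 0) { throw "No '$typeName' instances found in this farm." }
$instances |
    Select-Object @{ n = 'Server'; e = { $_.Server.Address } }, Status |
    Format-Table -AutoSize

# Pick the instance on the target server only; the service is needed on at
# least one server, so it is not started farm-wide.
$instance = $instances | Where-Object { $_.Server.Address -eq $targetServer }
if (-not $instance) { throw "No '$typeName' instance found for server '$targetServer'." }

# Step 07: start the instance if it is not already Online, then wait for it.
if ($instance.Status -ne 'Online') {
    Start-SPServiceInstance -Identity $instance | Out-Null
    $deadline = (Get-Date).AddMinutes(5)
    do {
        Start-Sleep -Seconds 5
        $instance = Get-SPServiceInstance -Identity $instance.Id
    } while ($instance.Status -ne 'Online' -and (Get-Date) -lt $deadline)

    if ($instance.Status -ne 'Online') {
        throw "'$typeName' on $targetServer is still '$($instance.Status)' after 5 minutes."
    }
}
Write-Host "'$typeName' is Online on $targetServer."

# Step 09: IISRESET on the server where the service was started.
# Starting the service alone was not enough in the log above (step 08 still failed).
if ($env:COMPUTERNAME -eq $targetServer) {
    iisreset
} else {
    Write-Warning "Run IISRESET on $targetServer, then retry Generate New Key."
}
```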
References
- The unattended Service Account Application ID is not specified or has an invalid value (SharePoint Server)
- SharePoint 2016: Exception of Type Microsoft.Office.SecureStoreService.Server.KeyManagement.InvalidMasterKeyException was thrown
- An error occurred during the "Generate Key" process. Please try again or contact your administrator
Notes
- tbd