SharePoint 2010 : Troubleshoot Secure Store is not accessible

This morning one of our fellow team members reported that some of our applications had stopped working. He thought that his recent modification had caused the issue. He did some initial investigation and troubleshooting with no success, and finally he shared some debugging messages:

System.Security.Cryptography.CryptographicException.ThrowCryptogaphicException(Int32 hr) +41
   System.Security.Cryptography.Utils._GenerateKey(SafeProvHandle hProv, Int32 algid, CspProviderFlags flags, Int32 keySize, SafeKeyHandle& hKey) +0
   System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) +699
   System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() +85
   System.Security.Cryptography.RSACryptoServiceProvider.ExportParameters(Boolean includePrivateParameters) +98
   System.IdentityModel.Tokens.RsaKeyIdentifierClause..ctor(RSA rsa) +147
   Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo) +400
   Microsoft.SharePoint.<>c__DisplayClass4.<SecurityTokenForServiceContext>b__0() +39
   Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode) +26839062
   Microsoft.SharePoint.SPSecurityContext.SecurityTokenForServiceContext(Uri contextUri) +306
   Microsoft.SharePoint.SPChannelFactoryOperations.InternalCreateChannelActingAsLoggedOnUser(ChannelFactory`1 factory, EndpointAddress address, Uri via) +326
   Microsoft.SharePoint.SPChannelFactoryOperations.CreateChannelActingAsLoggedOnUser(ChannelFactory`1 factory, EndpointAddress address) +105
   Microsoft.Office.SecureStoreService.Server.SecureStoreServiceApplicationProxy.GetChannel(Uri address) +369

There are two key points in the debug message:

  1. The Secure Store Service call somehow failed
  2. The service cannot access the RSA cryptographic service provider (the exception is raised in RSACryptoServiceProvider.GetKeyPair while exporting the key pair)

Further searching in the event logs revealed that Secure Store threw an Access denied exception: The Secure Store Service application …. is not accessible. The full exception text is: Access is denied.

Based on that information, I checked the permissions in the following areas:

  1. %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA, OK
  2. Secure Store Service Application proxy access settings, OK
  3. Secure Store Service Application proxy web services, OK

I had almost hit a roadblock until I finally checked the local profile of the service account that runs the Secure Store Service application pool. I went to %root%\Users, where I saw many TEMP folders. Looking into these TEMP folders, it was obvious that the service account for our Secure Store Service application pool was using a temporary profile. I believe that this temporary profile prevents the service account from being properly authorized to access some resources.

Fixes

  1. Stop all services running under the service account
  2. Clean up the temporary user profile
  3. Restart the server
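As an added check (not part of the original post), the following PowerShell function lists accounts on the server that have been given a temporary profile, so the condition described above can be confirmed before cleaning up. It assumes the standard ProfileList registry layout and should be run elevated on the SharePoint server; the commented SharePoint cmdlet at the end is only needed to look up the application pool identity.

```powershell
# Added example, not code from the original post.
# Detects temporary user profiles, the condition the post identifies as the cause
# of the Secure Store "Access is denied" error. Assumes the standard ProfileList
# registry layout; run from an elevated PowerShell session.

function Get-TemporaryProfile {
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

    Get-ChildItem -Path $profileList | ForEach-Object {
        $key  = $_
        $sid  = $key.PSChildName
        $path = (Get-ItemProperty -Path $key.PSPath -Name ProfileImagePath `
                    -ErrorAction SilentlyContinue).ProfileImagePath

        # Two symptoms of a temporary profile:
        #   1. a ProfileList key with a ".bak" suffix (Windows renamed the original entry)
        #   2. a ProfileImagePath pointing at a TEMP folder under the users root
        $isBak  = $sid -like '*.bak'
        $isTemp = $path -and ((Split-Path -Path $path -Leaf) -like 'TEMP*')

        if ($isBak -or $isTemp) {
            # Resolve the SID to an account name so it can be compared with the
            # service account that runs the Secure Store application pool.
            $account = '<unresolved>'
            try {
                $cleanSid = $sid -replace '\.bak$', ''
                $account  = (New-Object System.Security.Principal.SecurityIdentifier($cleanSid)).
                                Translate([System.Security.Principal.NTAccount]).Value
            } catch { }

            [PSCustomObject]@{
                Account          = $account
                Sid              = $sid
                ProfileImagePath = $path
                BackupKey        = $isBak
                TempFolder       = $isTemp
            }
        }
    }
}

# Usage: list affected accounts, then compare against the application pool identity.
Get-TemporaryProfile | Format-Table -AutoSize

# In the SharePoint 2010 Management Shell, the pool identities can be listed with:
# Get-SPServiceApplicationPool | Select-Object Name, ProcessAccountName
```

If the Secure Store application pool account appears in the output, the temporary profile (and its .bak ProfileList entry) is what needs cleaning up in step 2 before the restart.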
