SharePoint 2010 : Troubleshoot Secure Store is not accessible

This morning one of our team members reported that some of our applications had stopped working. He suspected that a recent modification of his had caused the issue. His initial investigation and troubleshooting got nowhere, and he finally shared the following stack trace:

    System.Security.Cryptography.CryptographicException.ThrowCryptogaphicException(Int32 hr) +41
    System.Security.Cryptography.Utils._GenerateKey(SafeProvHandle hProv, Int32 algid, CspProviderFlags flags, Int32 keySize, SafeKeyHandle& hKey) +0
    System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) +699
    System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() +85
    System.Security.Cryptography.RSACryptoServiceProvider.ExportParameters(Boolean includePrivateParameters) +98
    System.IdentityModel.Tokens.RsaKeyIdentifierClause..ctor(RSA rsa) +147
    Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo) +400
    Microsoft.SharePoint.<>c__DisplayClass4.b__0() +39
    Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode) +26839062
    Microsoft.SharePoint.SPSecurityContext.SecurityTokenForServiceContext(Uri contextUri) +306
    Microsoft.SharePoint.SPChannelFactoryOperations.InternalCreateChannelActingAsLoggedOnUser(ChannelFactory`1 factory, EndpointAddress address, Uri via) +326
    Microsoft.SharePoint.SPChannelFactoryOperations.CreateChannelActingAsLoggedOnUser(ChannelFactory`1 factory, EndpointAddress address) +105
    Microsoft.Office.SecureStoreService.Server.SecureStoreServiceApplicationProxy.GetChannel(Uri address) +369

Two key points stand out in the stack trace:

  1. The Secure Store Service proxy failed while opening its channel (SecureStoreServiceApplicationProxy.GetChannel)
  2. The service could not read its key pair from the RSA cryptographic service provider (RSACryptoServiceProvider.GetKeyPair threw a CryptographicException)

Further digging in the event logs revealed that the Secure Store Service had thrown an access-denied exception: "The Secure Store Service application …. is not accessible. The full exception text is: Access is denied." Based on that information, I checked the permissions in the following areas:

  1. %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA (the machine key store): OK
  2. Secure Store Service Application proxy access settings: OK
  3. Secure Store Service Application proxy web services: OK

I had almost hit a roadblock when I finally checked the local profile of the Secure Store Service application pool account. I went to %root%\Users, where I saw many TEMP folders. Looking into these TEMP folders, it was obvious that the service account for our Secure Store Service was running with a temporary profile. I believe this temporary profile prevented the service account from being properly authorized to access some resources (the RSA key container lives under a profile-dependent path, so an account logged on with a temporary profile cannot reach its keys).

Fixes

  1. Stop all services using the service account
  2. Clean-up temporary user profile
  3. Restart the server
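The checks above can be scripted so that the temporary-profile condition is caught before the next outage. The following PowerShell is an added example and not part of the original post; the account name is a placeholder for the Secure Store application pool identity, and the paths and registry keys are the ones Windows uses for user profiles and the machine key store.

```powershell
# Added diagnostic, not from the original post. $ServiceAccount is a
# placeholder: set it to the Secure Store application pool identity.
param([string]$ServiceAccount = 'DOMAIN\svc_securestore')

$account = New-Object System.Security.Principal.NTAccount($ServiceAccount)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# 1. Temporary-profile check. When Windows cannot load the real profile it
#    logs the account on with C:\Users\TEMP* and renames the ProfileList key
#    for that SID to "<SID>.bak"; either sign means a temporary profile.
$usersDir    = Join-Path $env:SystemDrive 'Users'
$tempFolders = @(Get-ChildItem -Path $usersDir | Where-Object { $_.PSIsContainer -and $_.Name -like 'TEMP*' })
$bakKey      = Join-Path $profileList "$sid.bak"
$profileKey  = Join-Path $profileList $sid
$imagePath   = $null
if (Test-Path $profileKey) { $imagePath = (Get-ItemProperty -Path $profileKey).ProfileImagePath }

Write-Host "Account $ServiceAccount ($sid)"
Write-Host "  TEMP folders under $usersDir : $($tempFolders.Count)"
Write-Host "  .bak ProfileList key present : $(Test-Path $bakKey)"
Write-Host "  Current ProfileImagePath     : $imagePath"
if ((Test-Path $bakKey) -or ($imagePath -like '*\TEMP*')) {
    Write-Warning "$ServiceAccount is running with a temporary profile: stop its services, remove the TEMP profile and the .bak key, then restart."
}

# 2. ACL on the machine key store the stack trace points at. The post's path
#    is %ALLUSERSPROFILE%\Application Data\...; on Server 2008 "Application
#    Data" is a junction to %ProgramData%, so prefer the real folder.
$rsaPath = Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Crypto\RSA'
if ($env:ProgramData) { $rsaPath = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA' }
$user = $ServiceAccount.Split('\')[-1]
Get-Acl -Path $rsaPath | Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference.Value -like "*$user*" -or $_.IdentityReference.Value -eq 'Everyone' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# 3. What runs as the account (the processes/services to stop before clean-up).
Get-WmiObject Win32_Process -Filter "Name='w3wp.exe'" | ForEach-Object {
    $o = $_.GetOwner()
    if ("$($o.Domain)\$($o.User)" -ieq $ServiceAccount) { "w3wp PID $($_.ProcessId) runs as $ServiceAccount" }
}
Get-WmiObject Win32_Service | Where-Object { $_.StartName -ieq $ServiceAccount } |
    Select-Object Name, State, StartName
```

Run it elevated on each SharePoint server; PSIsContainer is used instead of Get-ChildItem -Directory so it also works on the PowerShell 2.0 that ships with the Server 2008 R2 generation SharePoint 2010 runs on.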
Riwut Libinuko
Sr. Cloud Solution Architect
