Another treasure from my blog backlog: Cannot perform encryption or decryption because the secret is not available from the master secret server. When analyzing a client environment, I noticed several warnings associated with Enterprise SSO that appear every time I try to perform operations like configuring or creating a port, importing a binding, and so on in the BizTalk Server Administration Console. The full error message was something like this:
SSO AUDIT
Function: GetConfigInfo ({C3BE4052-A328-4B33-A543-E29BB6BE25F7})
Tracking ID: f77a7e4f-e17d-47e7-9380-88ad8aaec935
Client Computer: computer-name (BTSNTSvc64.exe:53588)
Client User: domain\username
Application Name: {C3BE4052-A328-4B33-A543-E29BB6BE25F7}
Error Code: 0xC0002A1F, Cannot perform encryption or decryption because the secret is not available from the master secret server. See the event log for related errors.
Cause
Normally these types of problems happen for two reasons:
- The service account that the SSO server is running under does not have sufficient permissions to check group membership in Active Directory: https://docs.microsoft.com/en-us/biztalk/core/single-sign-on-event-11016
- Or the master secret has somehow become corrupt, in which case we need to restore it or reapply the master secret key.
Solution
The common way to solve this problem is:
- Open a command prompt window;
- In the command prompt, go to “C:\Program Files\Common Files\Enterprise Single Sign-On”;
- Enter “ssoConfig -restoresecret SSOxxxx.bak”, where xxxx is a BizTalk-generated code;
- And finally, enter the password that was set on BizTalk installation.
This will solve your problem. Of course, you must have:
- the SSOxxxx.bak master secret backup file;
- and the file password;
Without these, there is nothing you can do, and the only solution is to configure BizTalk Server again from scratch and lose all your existing configurations.
A second approach to solve this problem is:
- Open the SSO Administration tool;
- Select the option “System” under Enterprise Single Sign-On;
- Right-click on “System” and select the “Restore Secret…” option;
- Select the master secret backup file (normally present in “C:\Program Files\Common Files\Enterprise Single Sign-On”) and type the password.
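
The two causes and the command-line restore described above can be checked in one pass before the secret is touched. The script below is an added example, not code from the original post or from Microsoft. It assumes the service name and event provider name are both ENTSSO and that the backup sits in the default folder; the parameter names are made up for the illustration.

```powershell
# Added example: triage for error 0xC0002A1F before restoring the master secret.
# Assumptions: service name 'ENTSSO', event provider 'ENTSSO', default install folder.
param(
    [string]$SsoDir = "$env:CommonProgramFiles\Enterprise Single Sign-On",
    [string]$BackupFile,          # optional: explicit SSOxxxx.bak to restore
    [int]$LookbackHours = 24,
    [switch]$Restore              # without this switch the script only reports
)

# 1. Is the Enterprise SSO service running at all?
$svc = Get-Service -Name 'ENTSSO' -ErrorAction Stop
Write-Host "ENTSSO service status: $($svc.Status)"

# 2. Recent SSO errors (level 2) and warnings (level 3) from the Application log.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'ENTSSO'; Level = 2, 3
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue)
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'EventId'; e = { $_.Name } } | Format-Table -AutoSize

# Event 11016 is the Active Directory group-membership cause from the linked doc.
# Restoring the secret does not fix that one; the service account permissions do.
if ($events | Where-Object Id -eq 11016) {
    Write-Warning 'Event 11016 found: check the SSO service account AD permissions first.'
}

# 3. Which master secret backups are available, newest first?
$backups = @(Get-ChildItem -Path $SsoDir -Filter 'SSO*.bak' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending)
if (-not $backups -and -not $BackupFile) {
    Write-Warning "No SSO*.bak file found in $SsoDir; a restore is not possible from here."
    return
}
$backups | Format-Table Name, LastWriteTime, Length -AutoSize

# 4. Restore only when explicitly requested. ssoconfig asks for the backup
#    password interactively, so it is never passed as an argument here.
if ($Restore) {
    if (-not $BackupFile) { $BackupFile = $backups[0].FullName }
    if (-not (Test-Path -LiteralPath $BackupFile)) { throw "Backup not found: $BackupFile" }
    & (Join-Path $SsoDir 'ssoconfig.exe') -restoresecret $BackupFile
    if ($LASTEXITCODE -ne 0) { Write-Error "ssoconfig exited with code $LASTEXITCODE" }
}
```

Run it from an elevated prompt under an account that is an SSO administrator. Keep the .bak file and its password stored separately, since together they recover every credential SSO protects.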

Got this error today in a dev-env
Did a restart of the server and the error went away. Can be worth trying before restoring bak-files
Did you try to restart the EntSSO service first?
Each time a security update is done on the 2 BizTalk server nodes, we are facing this issue and it’s necessary to restart the SSO server or the EntSSO service. Is there a recommended order to manage security updates on a highly available configuration? Thanks BR
Restarting service was enough for me.
Hi Sandro,
I haven’t set the secret password. Is it necessary to set it up? I am working on a BizTalk application migration project from BizTalk 2013 to BizTalk 2016. While deploying the solution from VS through the Microsoft Deployment Framework for BizTalk, I am getting this error.
” System.Runtime.InteropServices.COMException (0xC0002A1F): Cannot perform encryption or decryption because the secret is not available from the master secret server. See the event log (on computer ‘*****’) for related errors. ”
Please tell me what to do.
I have seen the same problem. But this is not a permission issue on the Service Account noticed
Cause:
We noticed a difference between the SSO DB Global info table and adm_group from the Management DB: they have different names, and the names are not in sync.
Resolution:
We used the below commands to update the global info table with a correct name.
Created an XML file in \Program Files\Common Files\Enterprise Single Sign-On with the below data
NewMSSServer
and ran command
ssomanage -updatedb XMLFile
Where XMLfile is newly created .xml file
As per your confirmation we have reduced the severity of the case to B. As there were able to enable the Receive location and deploy the application