Cannot perform encryption or decryption because the secret is not available from the master secret server

Another treasure from my blog backlog: Cannot perform encryption or decryption because the secret is not available from the master secret server. When analyzing a client environment, I noticed the existence of several warnings associated with Enterprise SSO that appear every time I try to perform operations like configuring or creating a port, import a binding and so on in the BizTalk Server Administration Console. The full error message was something like this:

SSO AUDIT

Function: GetConfigInfo ({C3BE4052-A328-4B33-A543-E29BB6BE25F7})
Tracking ID: f77a7e4f-e17d-47e7-9380-88ad8aaec935
Client Computer: computer-name (BTSNTSvc64.exe:53588)
Client User: domain\username
Application Name: {C3BE4052-A328-4B33-A543-E29BB6BE25F7}

Error Code: 0xC0002A1F, Cannot perform encryption or decryption because the secret is not available from the master secret server. See the event log for related errors.


Cause

Normally these types of problems happen for two reasons:

Solution

The common way to solve this problem is:

  • Open a command prompt window;
  • In the command prompt, go to “C:\Program Files\Common Files\Enterprise Single Sign-On”;
  • Enter “ssoConfig -restoresecret SSOxxxx.bak”, where xxxx is a BizTalk-generated code;
  • And finally, enter the password that was set during the BizTalk installation.

This will solve your problem. Of course, you must have:

  • the SSOxxxx.bak master secret backup file;
  • and the file password;

without these, you cannot do anything, and the only solution left is to configure BizTalk Server again from scratch and lose all your existing configuration.
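As an added example (not from the original post), a PowerShell wrapper around the command-line approach above; it assumes the default SSO install folder, the ENTSSO service name and ENTSSO event-log source, and that ssoconfig prompts for the backup-file password itself:

```powershell
# Added example, not from the original post. Assumed: default install path,
# service/event source name ENTSSO, ssoconfig prompting for the password.
param(
    [Parameter(Mandatory)] [string]$BackupFile   # e.g. SSOxxxx.bak
)

$ssoDir    = Join-Path $env:CommonProgramFiles 'Enterprise Single Sign-On'
$ssoConfig = Join-Path $ssoDir 'ssoconfig.exe'
if (-not (Test-Path $ssoConfig)) { throw "ssoconfig.exe not found in $ssoDir" }

# The backup file is normally kept next to the SSO binaries; accept either a
# full path or a bare file name.
$bakPath = if (Test-Path $BackupFile) { $BackupFile } else { Join-Path $ssoDir $BackupFile }
if (-not (Test-Path $bakPath)) {
    throw "Master secret backup '$BackupFile' not found. Without the .bak file and its password the secret cannot be restored."
}

# 1. A stopped Enterprise Single Sign-On service gives the same 0xC0002A1F
#    symptom, so check it before touching the secret.
$svc = Get-Service -Name ENTSSO -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    Write-Warning "ENTSSO service is $($svc.Status); starting it first."
    Start-Service -Name ENTSSO
    $svc.WaitForStatus('Running', '00:00:30')
}

# 2. Put the most recent ENTSSO errors from the Application log on record,
#    as the error message itself asks ("See the event log for related errors").
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'ENTSSO'; Level = 2 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize

# 3. Show which SQL Server / SSO database this node is pointing at.
& (Join-Path $ssoDir 'ssomanage.exe') -showdb

# 4. Restore the master secret; ssoconfig asks for the password set at installation.
& $ssoConfig -restoresecret $bakPath
if ($LASTEXITCODE -ne 0) { throw "ssoconfig -restoresecret failed with exit code $LASTEXITCODE" }
```

Run it from an elevated prompt on the master secret server; the password is typed at the ssoconfig prompt and never passed on the command line.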

A second approach to solve this problem is:

  • Open the SSO Administration tool;
  • Select the option “System” under Enterprise Single Sign-on
  • Right-click “System” and select the “Restore Secret…” option;
  • Select the master secret backup file (normally present in “C:\Program Files\Common Files\Enterprise Single Sign-On”) and type the password.
Author: Sandro Pereira

Sandro Pereira lives in Portugal and works as a consultant at DevScope. In the past years, he has been working on implementing Integration scenarios both on-premises and cloud for various clients, each with different scenarios from a technical point of view, size, and criticality, using Microsoft Azure, Microsoft BizTalk Server and different technologies like AS2, EDI, RosettaNet, SAP, TIBCO etc. He is a regular blogger, international speaker, and technical reviewer of several BizTalk books all focused on Integration. He is also the author of the book “BizTalk Mapping Patterns & Best Practices”. He has been awarded MVP since 2011 for his contributions to the integration community.

6 thoughts on “Cannot perform encryption or decryption because the secret is not available from the master secret server”

  1. Got this error today in a dev-env
    Did a restart of the server and the error went away. Can be worth trying before restoring bak-files

      1. Each time a security update is done on the 2 BizTalk server nodes, we are facing this issue and it’s necessary to restart the SSO server or the EntSSO service. Is there a recommended order to manage security updates on a highly available configuration? Thanks, BR

  2. Hi Sandro,

    I haven’t set the secret password. Is it necessary to set up? I am working on a BizTalk application migration project from BizTalk 2013 to BizTalk 2016. While deploying the solution from VS through the Microsoft Deployment Framework for BizTalk I am getting this error.

    ” System.Runtime.InteropServices.COMException (0xC0002A1F): Cannot perform encryption or decryption because the secret is not available from the master secret server. See the event log (on computer ‘*****’) for related errors. ”

    Please tell me what to do.

  3. I have seen the same problem. But this is not a permission issue on the Service Account, as noticed.

    Cause:

    We have noticed that there is a difference between the SSO DB Global Info table and adm_group from the Management DB: they have different names, and both names are not in sync.

    Resolution:

    We used the below commands to update the Global Info table with the correct name.

    Created an XML file in \Program Files\Common Files\Enterprise Single Sign-On with the below data

    NewMSSServer

    and ran command
    ssomanage -updatedb XMLFile

    Where XMLFile is the newly created .xml file.

    As per your confirmation we have reduced the severity of the case to B, as we were able to enable the Receive Location and deploy the application.
