Another treasure from my blog backlog: “Cannot perform encryption or decryption because the secret is not available from the master secret server.” While analyzing a client environment, I noticed several warnings associated with Enterprise SSO that appeared every time I tried to perform operations such as configuring or creating a port, importing a binding, and so on in the BizTalk Server Administration Console. The full error message was something like this:
SSO AUDIT
Function: GetConfigInfo ({C3BE4052-A328-4B33-A543-E29BB6BE25F7})
Tracking ID: f77a7e4f-e17d-47e7-9380-88ad8aaec935
Client Computer: computer-name (BTSNTSvc64.exe:53588)
Client User: domain\username
Application Name: {C3BE4052-A328-4B33-A543-E29BB6BE25F7}
Error Code: 0xC0002A1F, Cannot perform encryption or decryption because the secret is not available from the master secret server. See the event log for related errors.
Cause
Normally these types of problems happen for two reasons:
- The service account that the SSO server is running under does not have sufficient permissions to check group membership in Active Directory: https://docs.microsoft.com/en-us/biztalk/core/single-sign-on-event-11016
- Or, for some reason, the master secret has become corrupt, and in this case we need to restore it or reapply the master secret key.
Solution
The common way to solve this problem is:
- Open a command prompt window;
- In a command prompt, go to “C:\Program Files\Common Files\Enterprise Single Sign-On”
- Enter “ssoConfig -restoresecret SSOxxxx.bak”, where xxxx is a BizTalk generated code
- And finally, enter the password that was set during the BizTalk installation
This will solve your problem. Of course, you must have:
- the SSOxxxx.bak master secret backup file;
- and the file password;
Without these, you cannot do anything, and the only solution is to configure BizTalk Server again from scratch and lose all your existing configurations.
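The command-line restore above, scripted with the prerequisite checks in front of it. This is an added PowerShell example, not part of the original post; it assumes the default install path given in the post, the Windows service name ENTSSO, the event source name ENTSSO in the Application log, and an elevated 64-bit session on the master secret server.

```powershell
# Added example: pre-flight checks, then restore of the SSO master secret.
# Assumption: 64-bit session, so CommonProgramFiles is C:\Program Files\Common Files.
$ssoDir    = Join-Path $env:CommonProgramFiles 'Enterprise Single Sign-On'
$ssoConfig = Join-Path $ssoDir 'ssoconfig.exe'
if (-not (Test-Path $ssoConfig)) { throw "ssoconfig.exe not found in $ssoDir" }

# 1. Report the state of the Enterprise SSO service (assumed service name: ENTSSO).
$svc = Get-Service -Name 'ENTSSO' -ErrorAction Stop
Write-Host "ENTSSO service status: $($svc.Status)"

# 2. Show the most recent SSO errors and warnings, since the message says
#    "See the event log for related errors" (assumed event source: ENTSSO).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'ENTSSO'; Level = 2, 3 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, LevelDisplayName -AutoSize

# 3. Locate the master secret backup files, newest first. Without one, no restore is possible.
$backups = @(Get-ChildItem -Path $ssoDir -Filter 'SSO*.bak' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending)
if ($backups.Count -eq 0) { throw "No SSO*.bak master secret backup found in $ssoDir" }
$backups | Format-Table Name, LastWriteTime, Length -AutoSize
$backup = $backups[0]

# 4. Show who can read the chosen backup. The file holds the master secret,
#    protected only by the backup password, so broad read access is worth tightening.
(Get-Acl -Path $backup.FullName).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# 5. Restore. ssoconfig asks for the backup file password interactively,
#    so the password never appears in the script or in command history.
$answer = Read-Host "Restore master secret from $($backup.Name)? (y/n)"
if ($answer -eq 'y') {
    & $ssoConfig -restoresecret $backup.FullName
    Write-Host "ENTSSO service status after restore: $((Get-Service -Name 'ENTSSO').Status)"
} else {
    Write-Host 'Restore skipped.'
}
```

If the newest file is not the backup that matches the current SSO database, pick the right entry from the table in step 3 and assign it to `$backup` before step 5.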
A second approach to solve this problem is:
- Open the SSO Administration tool;
- Select the option “System” under Enterprise Single Sign-on
- Then right-click “System” and select the “Restore Secret…” option
- and select the master secret backup file (normally present in “C:\Program Files\Common Files\Enterprise Single Sign-On”) and type the password

Got this error today in a dev-env
Did a restart of the server and the error went away. Can be worth trying before restoring bak-files
Did you try to restart the EntSSO service first?
Each time a security update is done on the 2 BizTalk server nodes, we are facing this issue and it’s necessary to restart the SSO server or the EntSSO service. Is there a recommended order to manage Security update on High available configuration? Thanks BR
Hi Sandro,
I haven’t set the secret password. Is it necessary to set it up? I am working on BizTalk application migration project from BizTalk 2013 to BizTalk 2016. While deploying the solution from VS through Microsoft Deployment Framework for BizTalk I am getting this error.
“System.Runtime.InteropServices.COMException (0xC0002A1F): Cannot perform encryption or decryption because the secret is not available from the master secret server. See the event log (on computer ‘*****’) for related errors.”
Please tell me what to do.