Thursday, October 10, 2013

SharePoint 2010: An error occurred during the Generate Key process

Problem

You are trying to configure a new Secure Store service target application on a SharePoint 2010 farm using Central Administration. You are logged in as the domain administrator or under an account that has domain administration privileges or is a member of the farm administration group for your SharePoint 2010 instance. This is a default installation, where all services and service applications were created using the wizard. You are attempting to create a new pass phrase as part of configuring a new secure store service target application. After entering the new pass phrase and clicking OK, you see the following error message:

Solution

This issue was resolved by using the farm administration account. After logging in under this account, and repeating the above, I was able to successfully create a new secure store service pass phrase and configure a new secure store service target application:

The following are the steps I took to troubleshoot this problem and the references I used to guide this effort.

Troubleshooting Checks
  1. I first checked whether the account I was currently logged in as (domain administrator) was a member of the Farm administrators group:
    When it wasn't, I added it, then again tried to configure a new target application: no success.
  2. Next, I logged in under the farm administration account (in this case Contoso\sp_farm), and then tried to configure a new target application: success. I then logged out from this account and logged back in under the domain administrator account (Contoso\administrator), and navigated to the Secure Store Service application page. This time, the error message was different:
    This error message confirmed to me that the problem involved permissions.
  3. I wanted to probe this further and checked the Secure Store Service database role of the account I was currently logged in as (domain administrator) against that of the farm administration account:

    I then identified the differences and configured the domain administrator account (Contoso\Administrator) to have the same role as the farm administration account (Contoso\sp_farm):
    I then logged back in under the domain administrator account, and then tried to begin the process of creating a new target application: still no success. As clean up, I removed this role from the domain administrator account.
  4. I also checked the Secure Store Service database properties:
    Note that the farm administrator account is the owner of the database files.  This further confirmed to me that the problem involved permissions.
  5. Lastly, I reviewed PowerShell commands to see if there was one that added another account to those that can create new target applications, but wasn't able to identify one that seemed to pertain to the problem.
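
The identity checks from steps 1 and 2 can be scripted as a read-only pre-flight test before opening the Secure Store page. This is an added example, not code from the original post; it assumes it is run in the SharePoint 2010 Management Shell on a farm server by an account that can read the farm configuration, and the variable names are illustrative.

```powershell
# Added example: read-only pre-flight check. Nothing here changes farm configuration.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Account this session runs as, and the farm account (Contoso\sp_farm in the post).
$current     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$farmAccount = (Get-SPFarm).DefaultServiceAccount.Name

# Step 1 of the post: direct members of the Farm Administrators group.
# Membership granted through an AD group is not expanded here.
$ca    = Get-SPWebApplication -IncludeCentralAdministration |
             Where-Object { $_.IsAdministrationWebApplication }
$caWeb = Get-SPWeb $ca.Url
try {
    $admins = @($caWeb.SiteGroups["Farm Administrators"].Users |
                    ForEach-Object { $_.LoginName })
}
finally {
    $caWeb.Dispose()
}

# Claims-mode logins carry a prefix (i:0#.w|...), so match on the tail of the name.
$isFarmAdmin = @($admins | Where-Object { $_ -like "*$current" }).Count -gt 0

# Confirm a Secure Store proxy exists before blaming permissions.
$proxy = Get-SPServiceApplicationProxy |
             Where-Object { $_.TypeName -like "Secure Store*" }

$report = New-Object PSObject -Property @{
    CurrentIdentity     = $current
    FarmAccount         = $farmAccount
    IsFarmAccount       = ($current -eq $farmAccount)   # -eq ignores case
    InFarmAdministrator = $isFarmAdmin
    SecureStoreProxy    = ($proxy -ne $null)
}
$report | Format-List

# Step 2 of the post: key generation succeeded only under the farm account,
# even after the other account was added to Farm Administrators.
if (-not $report.IsFarmAccount) {
    Write-Warning ("Session is running as $current, not the farm account " +
                   "$farmAccount. In the post, Generate Key failed in this situation.")
}
```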

Summary

This posting presented a fix to the problem of trying to create a new target application but experiencing the "An error occurred during the Generate Key process" error message. Though the problem has been solved, it hasn't been resolved, as the underlying cause is still not fully understood. For example, though the problem seems to involve permissions, adding the appropriate role to an account experiencing this problem does not solve the problem and thus seems insufficient. Thus, there must be other configuration that must also be done. If someone can point me to the appropriate reference detailing the cause of this problem, I would be grateful.
References
