SharePoint 2016: Exception of Type Microsoft.Office.SecureStoreService.Server.KeyManagement.InvalidMasterKeyException was thrown

Status: Final

Problem

You connect to a recently deployed development SharePoint 2016 farm to view its health report and discover the following rule violation:

Title: The Unattended Service Account Application ID is not specified or has an invalid value
Severity: 2 - Warning
Category: Security
Explanation: The Unattended Service Account is a single account that all documents can use to refresh data. It is required when connecting to data sources external to SharePoint, such as SQL. Without a valid Unattended Service Account Application ID, Visio Graphics Services will not be able to refresh Web Drawings that are connected to external data sources. The rule for the Unattended Service Account Application ID failed. The ID does not exist. Visio Graphics Services Application.
Remedy: To resolve this issue, the Visio Graphics Services administrator must provision the Secure Store Service, create a target application, and assign the ID of this target application to this setting. For more information about this rule, see "http://go.microsoft.com/fwlink/?LinkID=142617".

On navigating to the Manage Secure Store page, I was presented with the error message "Unable to obtain master key".

The lead farm administrator had already created a new master key, so this message shouldn't have been appearing. Since I needed to prepare the farm in support of upgrade and migration, I began troubleshooting.

Troubleshooting

  1. Granted the farm administrator's account Full Control: navigated to the Administrators page of the Secure Store Application, granting my admin account full control of the service application. This was a test.
    1. Result: same message still displayed.
  2. Attempted to generate new master key via GUI:
    1. Result: new message displayed:

  3. Granted the farm administrator's account Full Control over the connection: navigated to the Permissions page to grant my admin account Full Control over the connection.
    1. Results: same message displayed (as in step 2).
  4. Attempted to generate new master key via PowerShell:
    1. Result: same message displayed, now in shell:

      Update-SPSecureStoreApplicationServerKey : Exception of type 'Microsoft.Office.SecureStoreService.Server.KeyManagement.InvalidMasterKeyException' was thrown.
      At line:1 char:1
      + Update-SPSecureStoreApplicationServerKey -ServiceApplicationProxy $secureStore - ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo : InvalidData: (Microsoft.Offic...cationServerKey:SPUpdateSPSecur...cationServer Key) [Update-SPSecureStoreApplicationServerKey], SecureStoreServiceException
          + FullyQualifiedErrorId : Microsoft.Office.SecureStoreService.PowerShellCmdlet.SPUpdateSPSecureStoreApplicationServerKey

  5. Removed and redeployed Secure Store Service Application: removed using PowerShell, then redeployed using PowerShell.
    1. Result: on navigating to the Manage Secure Store page, now presented with the message:

      There are no Secure Store Target Applications in this Secure Store Service Application. You can create a new Target Application from the Manage Target Applications group in the EDIT Ribbon.

      This message indicated that a new master key could now be generated, and a new Secure Store target application could also be created.

Solution

  • If all else fails, rebuild the Secure Store Service Application.
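
The rebuild from step 5, followed by generating a new master key, could look like the sketch below. It is an added example, not the commands the author ran. The service application, proxy, application pool and database names are placeholders, and it assumes the Secure Store Service instance is already started on the farm.

```powershell
# Added example: rebuild the Secure Store Service Application, then set a new master key.
# Run in the SharePoint 2016 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholder names (assumptions, not values from the article).
$appName   = 'Secure Store Service'
$proxyName = 'Secure Store Service Proxy'
$poolName  = 'SharePoint Service Applications'   # an existing service application pool
$dbName    = 'SecureStore_Rebuilt'

# 1. Find the existing application and its proxy.
$oldApp   = Get-SPServiceApplication |
            Where-Object { $_.TypeName -eq 'Secure Store Service Application' }
$oldProxy = Get-SPServiceApplicationProxy |
            Where-Object { $_.TypeName -eq 'Secure Store Service Application Proxy' }

# 2. Remove the proxy, then the application. -RemoveData also drops the Secure Store
#    database, so every credential stored for a target application is lost. Both
#    cmdlets prompt for confirmation; keep that prompt outside of a disposable dev farm.
if ($oldProxy) { $oldProxy | ForEach-Object { Remove-SPServiceApplicationProxy $_ -RemoveData } }
if ($oldApp)   { $oldApp   | ForEach-Object { Remove-SPServiceApplication $_ -RemoveData } }

# 3. Redeploy the application and proxy with auditing enabled.
$pool  = Get-SPServiceApplicationPool -Identity $poolName
$app   = New-SPSecureStoreServiceApplication -Name $appName -ApplicationPool $pool `
             -DatabaseName $dbName -AuditingEnabled:$true -AuditlogMaxSize 30
$proxy = New-SPSecureStoreServiceApplicationProxy -Name $proxyName `
             -ServiceApplication $app -DefaultProxyGroup

# 4. Generate the master key. The passphrase is read without echoing and is never
#    written into the script; -Passphrase takes a plain string, so convert at the
#    last moment and clear the variable afterwards.
$secure = Read-Host -Prompt 'New Secure Store passphrase' -AsSecureString
$plain  = (New-Object System.Net.NetworkCredential('', $secure)).Password
try {
    Update-SPSecureStoreMasterKey -ServiceApplicationProxy $proxy -Passphrase $plain
    Start-Sleep -Seconds 15   # assumption: short pause before refreshing the key
    Update-SPSecureStoreApplicationServerKey -ServiceApplicationProxy $proxy -Passphrase $plain
}
finally {
    Remove-Variable plain -ErrorAction SilentlyContinue
}
```

Record the passphrase in the team's password vault: it is needed again to refresh the key on a server or after restoring the Secure Store database.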
