Error encrypting or decrypting credentials

I ran into this error description when running the configuration wizard and according to the search engines I’m not the first one.

However I couldn’t find the solution in what was already written about this so I decided to write this blog.

How it started:
The portal I was working on had a failing application server which was no longer able to boot again. So we decided to install a new one and after installing the server we had to join it to the farm again. That’s where we ran into the problem that eventually generated the error message.

When you want to join a server to an existing farm you need the passphrase, well in this case nobody knew the passphrase anymore thinking you only need this when installing the farm right? And if there really is a problem you can change it on the fly, so what’s the problem?

Well read on.

We started changing the passphrase using powershell.

$passphrase = ConvertTo-SecureString -asPlainText –Force
Set-SPPassPhrase -PassPhrase $passphrase –Confirm

Ok, no errors. That should work right?

The next step was to run the configuration wizard again and, yes run into the error.
From the event viewer:

Source: SharePoint 2010 Products Configuration Wizard
EventID: 104

Failed to connect to the configuration database.
An exception of type System.InvalidOperationException was thrown.  Additional exception information: There was an error encrypting or decrypting credentials. Either a credential update is currently being performed, or you must update the farm account credentials on this server before you can perform this task.

The psconfig logs shows about the same error.

INF          Openning configdb so that I can join it at server sql01 database SharePoint_Config in farm mode
INF          Now joining to farm at server sql01 database SharePoint_Config
ERR         Task configdb has failed with an unknown exception
ERR         Exception: System.InvalidOperationException: There was an error encrypting or decrypting credentials. Either a credential update is currently being performed, or you must update the farm account credentials on this server before you can perform this task.

When searching for the most obvious “Cannot connect to the configuration database” you end up with checking the common things described here: http://social.technet.microsoft.com/wiki/contents/articles/6545.sharepoint-2010-cannot-connect-to-the-configuration-database-en-us.aspx

After a lot of searching I came to the conclusion that something must have gone wrong when changing the passphrase, although we did not get an error when doing so.
So I tried to change it again using the same commands as before.

$passphrase = ConvertTo-SecureString -asPlainText –Force
Set-SPPassPhrase -PassPhrase $passphrase –Confirm

Interesting, so the job was scheduled and not executed immediately.

And this is of course exactly the problem I ran into, because Central Administration is running on the application server and that is the server that crashed and we were trying to replace.

Which means that the job is never executed.

Next I tried to install Central Admin to the WFE server and ran into the exact same error.
Apparently you can’t do anything when this job is scheduled.
Because we can’t do anything using the config wizard we need to remove this job.

First let’s look if we can find this job.

Get-SPTimerJob -Identity job-admin-passphrase-change | Format-Table -Property DisplayName,Id,LastRunTime,Status

Let’s remove some information because to delete it we need the full GUID.

Get-SPTimerJob -Identity job-admin-passphrase-change | Format-Table -Property DisplayName,Id

Set job to a variable

$job = Get-SPTimerJob -id <GUID>

And delete it.

$job.Delete()

Now with the job no longer in the way we installed Central Admin to the WFE server successfully and changed the passphrase again.

This time the job was executed nicely because Central Admin was running.

Joining the new application server to the farm was running smoothly this time.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s