SharePoint - Error encrypting or decrypting credentials

Fri, Nov 24, 2017 4-minute read

I recently talked about the method for updating the SharePoint passphrase.

Whilst this did ‘work’ I suffered a slightly unfortunate consequence - which may or may not affect you. (I’m guessing if you’re here, then you’re facing a similar issue.)

As part of what I had been doing, I had changed the Farm Account password. I did this in AD and then manually changed the credentials in IIS and Services.msc for e.g., the Timer service and all other places that I thought it needed changing. However, I did NOT change it in Central Admin for the Managed Account itself.

I then ran the passphrase reset which resolved the other issue for me.

But I then started hitting some issues where the Farm Account (also the account for some IIS App Pools etc.) was unable to login to various things (downstream systems). Realising my error, I went to then try and set the Managed Account password to the new password in Central Admin. And it failed:

There was an error encrypting or decrypting credentials. Either a credential update is currently being performed, or you must update the farm account credentials on this server before you can perform this task.

It didn’t matter if I did this through the UI or via Powershell (using stsadm -o updatefarmcredentials), same thing every time.

Clearly I had a rage-first moment - “you must update the farm account credentials before you can update the farm account credentials” !! Thanks again, SharePoint. I then set about trying to find out what was causing this and could find nothing that was exactly the same. Lots of information around it and some wayward sounding suggestions. Like recreate the Config DB, check the logs, rebuild your farm and so on.

One thing that came up a few times was look for and delete a timer job called ‘Administration Application Pool Credential Deployment’. I didn’t have such a thing. I did have a few jobs that were ‘domain\user password change event’ with a frequency of One-Time. I deleted these with no success. I stopped the timer service, and cleared the cache. Still no joy. I started digging through the Config DB but quickly abandoned this idea because even if I found the encrypted password, I’d still need to figure out how to decrypt it. And I’ve learnt the hard way that mucking about in the SP databases is a very bad idea.

And obviously I restarted a few times. Always worth a shot.

The cause of the issue seemed pretty obvious to me - the password for the farm account is stored in the Config database in an encrypted format. It is presumably encrypted with the passphrase in some way. So of course given that the password and passphrase had changed (in that order), but SharePoint didn’t really know about this, decrypting the old value was an issue.

Then it occurred to me - why not change the passphrase again, and then change the password again! So I tried this… and it failed. BUT it gave me a new error message:

Set-SPPassPhrase : Error deploying administration application pool credentials. Another deployment may be active. An object of the type Microsoft.SharePoint. Administration.SPMasterPassphraseDeploymentJobDefinition named “job-admin-passphrase-change” already exists under the parent Microsoft.SharePoint.Administration.SPTimerService named “SPTimerV4”. Rename your object or delete the existing object.

So actually essentially the same error message as before, but this time with more detail. And looking through the list of timer job definitions - I found a new one. ‘Master Passphrase Deployment’, again with a frequency of One Time. By deleting this job, I was then actually able to successfully change the Farm Account password.

This may help you. But the moral of the story is - if you need to change your Farm Account password, do it in Central Administration first in the Managed Accounts area. This is, after all, what it’s designed for.