Secure Store Service Operations In SharePoint 2016

In this article, we will walk through creating the Secure Store Service, generating its key, and deleting the Secure Store Service. We will perform all of these operations via Central Admin.


The Secure Store Service is an authorization service that runs on an Application Server. The Secure Store Service provides a database that is used to store credentials. These credentials usually consist of a user identity and password, but can also contain other fields that you define. For example, SharePoint Server 2013 can use the Secure Store database to store and retrieve credentials for accessing external data sources. The Secure Store Service provides support for storing multiple sets of credentials for multiple back-end systems.

Before Starting

Make sure that the following things are ready before you start. Having them at hand will help you create the service application without interruptions.

  • Farm Administrator account to log in to Central Admin and to create the SSS
  • URL of the Central Admin
  • Service account (managed account) that will run the app pool of the Secure Store Service
  • Name of the server where this service application will run
  • SQL Server alias where the SSS database will be provisioned
  • Name of the SSS database
  • Name of the SSS application pool
  • Generation key


For a successful configuration of SSS, the following are the industry recommendations.

  • Use a dedicated app pool for SSS; it should not be shared with any other application.
  • Use a dedicated SQL Server, or a SQL Server that does not hold the content databases.
  • Back up the generation key and the SSS database.
  • Run the service on the Application Server.

Create Secure Store Service

In order to create the Secure Store Service, please follow these steps.

  1. Log on to the Central Admin site with a Farm Administrator account that also has local admin rights.
  2. Click on "Application Management".
  3. Click on "Manage service applications" under Service Applications.


  4. Click on "New" (top left) and, in the drop-down, select Secure Store Service.


  5. On this page, enter the following details:

    1. Service Application Name: KS-SSS
    2. Database Server: KF-SQL
    3. Database Name: KF-SSService-Database
    4. Database Authentication: Windows Authentication
    5. Failover Database Server: We are using an Always On solution, so this will be blank.
    6. Application Pool

      1. Application Pool Name: KF-SSS-AppPool
      2. Select the ID from the drop-down: Krossfarm\KFSvcApp

    7. Enable Audit (I recommend enabling it, because it lets you audit every action: who did it, what was done, whether it succeeded, and so on).

      1. Audit Log Purge: Enable
      2. Days Until Purge: 30 Days


    8. Click "OK".
    9. This shouldn’t take long. Once it is completed, you will see this -



Check a couple of things to make sure the service application was created successfully. Make sure that the Secure Store Service Application Proxy is part of the Default Proxy group. Also, ensure that the Secure Store Service Application Instance is started on the server.

Check for Default Proxy Group

  • On the Application Management page, click on "Configure service application associations" under "Service Applications".


  • On this page, click on the Default.


  • On this page, make sure SSS is checked.


Check the SSS Application Instance

  1. In Central Admin, click on System Settings.
  2. Click on Manage Services on Server under Servers.


  3. On this page, make sure the Secure Store Service status is Started. (If not, start it.)



Finally, we have to create the Generation Key, which is required and is the most important part, so please store it in a safe place.

  1. Click on Application Management.
  2. Click on Manage Service Applications under Service Applications.
  3. On this page, click on Secure Store Service.


  4. On this page, you will see the error “Before creating a new Secure Store Target Application, you must first generate a new key for this Secure Store Service Application from the ribbon.” This appears when you visit the Secure Store Service for the first time and no SSS key is present.


  5. Click on Generate New Key in the ribbon.

  6. In the Generate New Key pop-up, enter the following:

    1. PassPhrase
    2. Confirm PassPhrase
    3. Click OK

  7. This shouldn’t take long.

  8. Finally, you will see this screen.



The passphrase should be at least 8 characters long and must contain combinations of uppercase, lowercase, numbers and special characters.

Also make sure to store this key in a safe location, because it is not retrievable.

This completes the creation and configuration of the Secure Store Service. Next, you can use it as required by your service applications, e.g. Visio, Access Services, etc.

Delete the Secure Store Service Application

In order to delete a Secure Store Service via Central Admin, please follow the steps below.

  1. Log in to the Central Admin site with a Farm Administrator account that also has local admin rights.
  2. On Application Management, click on Manage Service Applications under Service Applications.

  3. On this page, highlight the Secure Store Service and click the Delete button in the ribbon.

  4. On the Delete Service Application page, check "Delete data associated with the Service Applications" and click OK.

  5. This shouldn’t take too long.


  6. Click OK on the successful deletion page.

  7. Now you will see that the SSS application is no longer on this page.


    After this, make sure that the application pool has also been deleted from IIS and that the associated database has also been deleted from SQL Server. Sometimes, due to an unknown error, SharePoint fails to remove one of the components.
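
The checks described after creation (proxy in the Default group, service instance started) and after deletion (application pool and database removed) can also be run from the SharePoint Management Shell. This is an added example, not part of the original walkthrough; `Get-SssComponentState` is a hypothetical helper name, the component names are the ones entered above, and it assumes the account running it may read `sys.databases` on the SQL Server alias.

```powershell
# Added example: component names are the ones entered in this walkthrough.
# Get-SssComponentState is a hypothetical helper name, not a SharePoint cmdlet.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SssComponentState {
    param(
        [string]$AppName  = 'KS-SSS',
        [string]$PoolName = 'KF-SSS-AppPool',
        [string]$SqlAlias = 'KF-SQL',
        [string]$DbName   = 'KF-SSService-Database'
    )

    # Farm-side objects: service application, proxy membership, instance, app pool.
    $app   = Get-SPServiceApplication | Where-Object { $_.DisplayName -eq $AppName }
    $proxy = (Get-SPServiceApplicationProxyGroup -Default).Proxies |
             Where-Object { $_.TypeName -like 'Secure Store Service*' }
    $inst  = Get-SPServiceInstance | Where-Object {
                 $_.TypeName -like 'Secure Store Service*' -and $_.Status -eq 'Online' }
    # This is the pool's registration in the farm; check IIS Manager for the IIS side.
    $pool  = Get-SPServiceApplicationPool | Where-Object { $_.Name -eq $PoolName }

    # Ask SQL Server directly, since a failed delete can leave the database behind
    # even after the farm no longer references it.
    $connString = "Server=$SqlAlias;Database=master;Integrated Security=SSPI"
    $conn = New-Object -TypeName System.Data.SqlClient.SqlConnection -ArgumentList $connString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT COUNT(*) FROM sys.databases WHERE name = @name'
        [void]$cmd.Parameters.AddWithValue('@name', $DbName)
        $dbCount = [int]$cmd.ExecuteScalar()
    } finally {
        $conn.Dispose()
    }

    [pscustomobject]@{
        ServiceApplication  = [bool]$app
        ProxyInDefaultGroup = [bool]$proxy
        InstanceOnline      = [bool]$inst
        ApplicationPool     = [bool]$pool
        DatabaseOnSqlServer = ($dbCount -gt 0)
    }
}

Get-SssComponentState | Format-List
```

After creation, every field should be True. After deletion, ServiceApplication, ApplicationPool and DatabaseOnSqlServer should all be False; any that is still True is a component SharePoint failed to remove.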

