To enhance security, the encryption algorithm used by the Secure Store Service to save credentials has been updated to a more secure version.
As a side effect, credentials stored with the old algorithm can no longer be decrypted.
Symptoms
When trying to edit an existing target application or when trying to add/update credentials the following error will occur:

In the ULS logs you will find errors similar to the following:
09/25/2025 16:04:49.20 w3wp.exe (0x3F68) 0x2604 Secure Store Service Secure Store efk7 High GetApplicationClaims failed with the following exception: System.ServiceModel.FaultException`1[Microsoft.Office.SecureStoreService.Server.SecureStoreServiceFault]: Group claim validation failed. (Fault Detail is equal to Microsoft.Office.SecureStoreService.Server.SecureStoreServiceFault). db35c9a1-92b5-100f-8b1a-befa4df36f07

09/25/2025 16:04:49.29 w3wp.exe (0x3F68) 0x0784 Secure Store Service Secure Store d4gq Unexpected Decrypt Failed:System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed.
    at System.Security.Cryptography.CapiSymmetricAlgorithm.DepadBlock(Byte[] block, Int32 offset, Int32 count)
    at System.Security.Cryptography.CapiSymmetricAlgorithm.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount)
    at System.Security.Cryptography.CryptoStream.FlushFinalBlock()
    at System.Security.Cryptography.CryptoStream.Dispose(Boolean disposing)
    at System.IO.Stream.Close()
    at Microsoft.Office.SecureStoreService.Server.DotNetSecureStoreCryptoProvider.DecryptInternal(Byte[] crypt, Byte[] secureKey, Byte[]& decryptedData)
    2894c8a1-b089-a032-1955-28aec15a115b

09/25/2025 16:04:49.29 w3wp.exe (0x3F68) 0x0784 SharePoint Foundation Runtime tkau Unexpected Microsoft.Office.SecureStoreService.Server.SecureStoreServiceException: Group claim validation failed.
    at Microsoft.Office.SecureStoreService.Server.SecureStoreServiceApplicationProxy.Execute[T](String operationName, Boolean validateCanary, ExecuteDelegate`1 operation)
    at Microsoft.Office.SecureStoreService.Server.SecureStoreServiceApplicationProxy.GetApplicationClaims(Guid rawPartitionId, String applicationId)
    at Microsoft.Office.SecureStoreService.Server.SecureStoreServiceApplicationProxy.GetApplicationClaims(String applicationId)
    at Microsoft.Office.SharePoint.ClientExtensions.SecureStoreAdministration.ManageTargetApplicationInstance.OnLoad(EventArgs e)
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    db35c9a1-92b5-100f-8b1a-befa4df36f07
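Added example (not part of the original post): a small triage script that scans a ULS log for the signature in the excerpt above, a d4gq "Decrypt Failed" entry with a padding error, and pairs it with "Group claim validation failed" entries from the same process within one second. The tab-separated column layout, the one-second window, the function names and the trimmed sample rows are assumptions; the event IDs and correlation IDs are the ones from the excerpt.

```python
from datetime import datetime, timedelta

COLUMNS = "time process tid area category event_id level message correlation".split()

# Constructed sample: the excerpt's three entries, messages trimmed, tab-separated.
SAMPLE_ULS = "\n".join("\t".join(row) for row in [
    ("09/25/2025 16:04:49.20", "w3wp.exe (0x3F68)", "0x2604",
     "Secure Store Service", "Secure Store", "efk7", "High",
     "GetApplicationClaims failed with the following exception: "
     "Group claim validation failed.", "db35c9a1-92b5-100f-8b1a-befa4df36f07"),
    ("09/25/2025 16:04:49.29", "w3wp.exe (0x3F68)", "0x0784",
     "Secure Store Service", "Secure Store", "d4gq", "Unexpected",
     "Decrypt Failed:System.Security.Cryptography.CryptographicException: "
     "Padding is invalid and cannot be removed.", "2894c8a1-b089-a032-1955-28aec15a115b"),
    ("09/25/2025 16:04:49.29", "w3wp.exe (0x3F68)", "0x0784",
     "SharePoint Foundation", "Runtime", "tkau", "Unexpected",
     "Microsoft.Office.SecureStoreService.Server.SecureStoreServiceException: "
     "Group claim validation failed.", "db35c9a1-92b5-100f-8b1a-befa4df36f07"),
])

def parse_uls(text):
    """Return well-formed entries; skip header, continuation and malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("\t")]
        if len(parts) != len(COLUMNS):
            continue
        entry = dict(zip(COLUMNS, parts))
        try:
            entry["time"] = datetime.strptime(entry["time"], "%m/%d/%Y %H:%M:%S.%f")
        except ValueError:
            continue
        entries.append(entry)
    return entries

def find_undecryptable(entries, window=timedelta(seconds=1)):
    """Pair each d4gq padding failure with nearby claim-validation faults."""
    findings = []
    for e in entries:
        if e["event_id"] != "d4gq" or "Padding is invalid" not in e["message"]:
            continue
        requests = sorted({o["correlation"] for o in entries
                           if o["process"] == e["process"]
                           and "Group claim validation failed" in o["message"]
                           and abs(o["time"] - e["time"]) <= window})
        findings.append({"time": e["time"], "decrypt_correlation": e["correlation"],
                         "request_correlations": requests})
    return findings

if __name__ == "__main__": print(find_undecryptable(parse_uls(SAMPLE_ULS)))
```

In the excerpt the decrypt failure and the failing request carry different correlation IDs, which is why the pairing uses process and time rather than the correlation ID.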
Solution
My colleague Stuart Presley from the US has analyzed this issue and sent it to engineering to investigate a possible code change for a less disruptive solution for this issue.
To mitigate the issue in the current build, it is necessary to delete and recreate the affected Target Application in the Secure Store Service Application, using the same settings as originally configured.

Permalink
That worked for us – we just re-entered the credentials for each affected Secure Store Target Application, and it started working. Thank you so much.
Permalink
Hi Ian,
thanks a lot for the confirmation!
🙂
Cheers,
Stefan
Permalink
Hi Stefan,
After my DEV SP SE farm was updated to September 2025 CU I was not able to access
_admin/sssvc/ManageSSSvcApplication.aspx?
until I bound the server (machine) certificate to ‘SharePoint Web Services’ web app HTTPS protocol, port 32844.
It seems like besides the encryption algorithm, Microsoft has changed something else in Secure Store Service behavior.
I have 3 other SP SE farms that are on August 2025 CU patch level and
_admin/sssvc/ManageSSSvcApplication.aspx?
is accessible on each of them without any specific certificate bindings.
Is it just some odds that are specific to my farm, or have there really been some more changes to Secure Store Service than just the encryption algorithm?
Permalink
Hi Yuriy,
do you mean that before you were able to access it without HTTPS (pure HTTP) and now it is required to access it with HTTPS?
Cheers,
Stefan
Permalink
What if we don’t have the target app credentials? Is there any way to retrieve them?
Permalink
Hi Iam,
unfortunately not. The information is encrypted and cannot be retrieved without the proper key.
Cheers,
Stefan
Permalink
Hello, I am also facing issues with the Secure Store Service, and it shows "Group claim validation failed". I am not able to edit any existing target application in SSS. This issue started after implementation of SEP 2025 CU on SP SE env. I can't set credentials for the existing target application. What would be the process if we need to recreate the same target application? Do we need to update in BCS also?
Permalink
Hi Goraksh,
if you recreate them with identical settings as before, then there is no additional step required.
Cheers,
Stefan
Permalink
Hi Stefan,
Thank you for your help as always. Do you expect this issue to be resolved in the October 2025 patches?
Thanks so much!
Pat
Permalink
Hi Pat,
no, this will not be addressed in October 2025 CU.
Cheers,
Stefan
Permalink
Thank you for the additional information Stefan. Do you expect a less disruptive solution for this issue soon? We do not have access to some older credentials and therefore cannot recreate them and are unsure of how to proceed.
Permalink
Hi Pat,
the discussion on this is still ongoing.
If this is an issue for you and the workaround is not acceptable I would recommend to open a support ticket.
The more tickets we have, the higher the chance for such a solution.
Cheers,
Stefan
Permalink
This issue just impacted me this weekend when changing passwords, which we do on a routine basis. Recreating the Target Application took care of it.
Permalink
Hi Stefan, has this problem been fixed in the current CU? Best regards, Reto
Permalink
Hi Reto,
no, a fix is not available.
The workaround is to recreate the Target Applications.
Cheers,
Stefan
Permalink
As an FYI, I do believe this is slated to be fixed in the March 2026 update.