Unable to add Server to Farm “Error during decryption”

Issue Description

As a SharePoint Administrator, you may need to remove a server from an existing Farm, then add it back to fix minor inconsistencies with the server.

When adding the server back to the Farm, you are required to enter the current Farm Passphrase.

If the current Passphrase is not known, you would logically proceed to change it with “Set-SPPassPhrase”.

Now, after changing the Passphrase from an existing server, you will not be able to add the removed server back to the Farm, as it will fail with the following error.

Failed to connect to the configuration database.

This is a critical task. You have to fix the failures before you can continue.

An exception of type System.ArgumentException was thrown. Additional exception information: Error during decryption. Ensure the passphrase is correct.

To diagnose the problem, review the application event log and the configuration log file located at: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\LOGS\PSCDiagnostics_6_29_2022_19_13_42_59_2074168582.log

If you inspect the log, you will see the following exception stack:

06/29/2022 19:15:36 8 ERR Failed to connect to the configuration database.
An exception of type System.ArgumentException was thrown. Additional exception information: Error during decryption. Ensure the passphrase is correct.
System.ArgumentException: Error during decryption. Ensure the passphrase is correct.
at Microsoft.SharePoint.Administration.SPCredentialManager.set_MasterKey(Byte[] value)
at Microsoft.SharePoint.Administration.SPCredentialManager.CreateMasterKey(Boolean generateKeyIfNeeded, SecureString sstrPassphrase, Boolean localOnly)
at Microsoft.SharePoint.Administration.SPFarm.Join(Boolean skipRegisterAsDistributedCacheHost, Nullable`1 serverRole)
at Microsoft.SharePoint.PostSetupConfiguration.ConfigurationDatabaseTask.CreateOrConnectConfigDb()
at Microsoft.SharePoint.PostSetupConfiguration.ConfigurationDatabaseTask.Run()
at Microsoft.SharePoint.PostSetupConfiguration.TaskThread.ExecuteTask()

Cause

This issue occurs because the Passphrase is encrypted and stored in the Configuration Database. Configuration Database objects (like this one) are synced to the Configuration Cache on the local server within the folder “C:\programdata\Microsoft\SharePoint\Config\<GUID>”.

So, in this scenario the encrypted Passphrase referenced in the local cache is different from what is being used in the Configuration Database.

This occurs because the server was removed from the Farm, the local Configuration Cache persisted, and the Farm Passphrase was changed.

Resolution

To resolve this issue, simply delete (or rename) the outdated configuration cache folder on the server you are adding back to the Farm.

Example: C:\programdata\Microsoft\SharePoint\Config.old

Then re-run the Configuration Wizard to join the server with your SharePoint Farm.

As you can see after re-running the Configuration Wizard, a new “Config” folder is created.

Now the Farm Passphrase is in sync, successfully decrypted and the installation is successful.
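
One way to script the rename step above, as an added example that is not part of the original post. It assumes an elevated PowerShell session on the removed server; the timestamped backup name and the precaution of stopping the SharePoint Timer Service (SPTimerV4) are assumptions, not steps from the article.

```powershell
# Added example: set aside the stale configuration cache before re-running the wizard.
$configRoot = 'C:\ProgramData\Microsoft\SharePoint\Config'   # cache root named in the article
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupName = "Config.old-$stamp"                            # hypothetical name; the article uses Config.old
$backupPath = Join-Path (Split-Path $configRoot -Parent) $backupName

# Nothing to do if the cache folder is already gone.
if (-not (Test-Path -LiteralPath $configRoot -PathType Container)) {
    Write-Warning "No configuration cache found at $configRoot; nothing to rename."
    return
}

# Never overwrite an earlier backup.
if (Test-Path -LiteralPath $backupPath) {
    throw "Backup target $backupPath already exists."
}

# Assumption (not in the article): stop the timer service so nothing holds the cache open.
$timer = Get-Service -Name 'SPTimerV4' -ErrorAction SilentlyContinue
if ($timer -and $timer.Status -eq 'Running') {
    Stop-Service -InputObject $timer -Force
}

# Record which cache GUID folders are being set aside.
Get-ChildItem -LiteralPath $configRoot -Directory |
    Select-Object Name, LastWriteTime |
    Format-Table -AutoSize

# Rename rather than delete, so the old cache can be inspected or restored.
Rename-Item -LiteralPath $configRoot -NewName $backupName
Write-Host "Renamed $configRoot to $backupPath. Re-run the Configuration Wizard to join the Farm."
```

Once the server has joined the Farm and a new “Config” folder exists, the renamed folder can be removed.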

I hope you found this information useful and that it helped resolve your issue quickly.
