locked
CRM 2013 Cannot open Sql Encryption Symmetric Key !! RRS feed

  • Question

  • Hello,

    I have a issue with CRM 2013 "Sql Encryption Symmetric Key". FYI this following are the screen shot and error log file. 


    Error Log :

    Unhandled Exception: System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=6.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: System.Web.HttpUnhandledException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #F9CB1452Detail: 
    <OrganizationServiceFault xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/xrm/2011/Contracts">
      <ErrorCode>-2147220970</ErrorCode>
      <ErrorDetails xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Collections.Generic" />
      <Message>System.Web.HttpUnhandledException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #F9CB1452</Message>
      <Timestamp>2013-12-30T14:00:18.8473198Z</Timestamp>
      <InnerFault>
        <ErrorCode>-2147187410</ErrorCode>
        <ErrorDetails xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Collections.Generic" />
        <Message>Cannot open Sql Encryption Symmetric Key because Symmetric Key password does not exist in Config DB.</Message>
        <Timestamp>2013-12-30T14:00:18.8473198Z</Timestamp>
        <InnerFault i:nil="true" />
        <TraceText i:nil="true" />
      </InnerFault>
      <TraceText i:nil="true" />
    </OrganizationServiceFault>

    I tried to recreate or change the Sql Encryption Key but not have any Resolution. is there any solution to get this fix ??? 

     Thank's 


    Vinay Kumar.




    Monday, December 30, 2013 2:10 PM

All replies

  • Hi,

    Is the organization database you are working with recently imported into this CRM2013 deployment? If so you would need to find out what the original encryption key is at the source deployment. The encryption key is required to activate data encryption when you import an organization database into a new deployment or a deployment that has had the configuration database (MSCRM_CONFIG) re-created after the organization was encrypted. Hope the following links help you in some way:

    CRM 2013 data encryption key not visible

    CRM 2013: CRM And SQL Encryption

    Data encryption in Dynamics CRM 2013



    Ronald


    • Edited by Ronald Liu Monday, December 30, 2013 6:55 PM
    Monday, December 30, 2013 6:55 PM
  • Hi Ronald,

    This was completely in place upgraded CRM 2013 from CRM 2011. I did't even touched or made any changes to MSCRM_CONFIG Bata base.

    When trying to Grabe the data encryption Key from Data Management this is the following error.


    Thank's  


    Vinay Kumar.


    Tuesday, December 31, 2013 7:15 AM
  • Hi,

    1. Did you navigate to “Settings > Data Management > Data Encryption” as a CRM system administrator before getting that error message? 
    2. Do you have SSL enabled for your CRM deployment?
    3. In your original message you said that you "tried to recreate or change the Sql Encryption Key but not have any Resolution"... How did you do that if you are not able to open Data Encryption dialog box in #1?

    Ronald

    Tuesday, December 31, 2013 5:44 PM
  • Hi Ronald,

    1) Yes i am running the CRM with Deployment Administrator. 

    2) yes we have SSL enable for our CRM deployment Manager.

    3) Yes i have created or tried to change the SQL encryption Key in Reporting Server manager but did't worked.

    In CRM the data encryption is not supporting to grab the Key, am i missing anything or do i need to reinstall the CRM 2013 again ????

    Thanks.


    Vinay Kumar.

    Thursday, January 2, 2014 7:49 AM
  • Hi,

    Three new privileges were introduced to control if a user can read, change, or activate SQL Encryption in Microsoft Dynamics CRM. By default these permissions are only granted to the System Administrator security role. Are you running CRM as Sys Admin?

    SSRS encryption has nothing to do with CRM 2013's cell level encryption. They protect two different sets of data. 



    Ronald

    Thursday, January 2, 2014 7:21 PM
  • HI Ronald,

    Thanks for the reply,

    I am Running my CRM Deployment Manager in Administrator itself, here administrator added in all security groups and roles. but still it's not working.

    From the Log Error Is : Cannot open Sql Encryption Symmetric Key because Symmetric Key password does not exist in Config DB

    Can we manually Run a query on MSCRM_CONFIG to update Symmetric Key password ??? 


    Vinay Kumar.


    Friday, January 3, 2014 11:08 AM
  • Is there anyone who have faced same situation..........????????? 

    Vinay Kumar.

    Monday, January 6, 2014 7:06 AM
  • Still its not resolved. i am not able to create new organization also.

    Vinay Kumar.

    Wednesday, January 8, 2014 9:08 AM
  • Hi,

    You cannot create a new ORG? If it is that bad, I would do a re-install.


    Ronald

    Wednesday, January 8, 2014 6:45 PM
  • Hi Ronald,

    After interaction with MS support, decided to go for re installation. But before re installation i am looking for solution that will resolve this issue with out going for re installation.  


    Vinay Kumar.

    Thursday, January 9, 2014 11:16 AM
  • Hi,

    I have no more idea. Your deployment sounds to be in a bad shape. If MSFT is telling you to re-install as well you should follow their advice.


    Ronald

    Thursday, January 9, 2014 4:04 PM
  • Vinay,

    I too encountered this issue and was able to trace the issue to the system looking for SdkMessages that were not present in the system.  I think this is a result of us participating in the CRM 2013 beta program and the database being updated during that time and using a different naming convention for the messages it' looking for.  Either way I had to dig through a number of trace logs to find the fix, but ultimately was able to resolve this issue by running the following SQL command against the impacted organizations.  Don't forget to comment out the begin/rollback transaction section after you've validated the query only updates two records.

    USE #DATABASE NAME#
    
    BEGIN TRANSACTION T1
    
      --Update Request name from 'RetrieveSqlEncryptionKey' to 'RetrieveDataEncryptionKey'
      UPDATE SdkMessageRequest
      SET Name = 'RetrieveDataEncryptionKey'
      WHERE SdkMessageRequestId = 'F4FE4B6F-E225-44AF-9B77-1281A2A7326A'
    
      --Update Request name from 'IsSqlEncryptionActive' to 'IsDataEncryptionActive'
      UPDATE SdkMessageRequest
      SET Name = 'IsDataEncryptionActive'
      WHERE SdkMessageRequestId = '6E7FAA92-ABA3-4F5D-B527-4463F0FB29EE'
    
    ROLLBACK TRANSACTION T1

    Friday, February 21, 2014 4:50 PM
  • Hi Eric,

    Sorry for the delay to reply,

    i have a doubt here, in SQL query were SdkMessageRequestid # do i need to gave the same value ?????

    Or the Id which i need to give from my data base????

    Thanks


    Vinay Kumar.

    Monday, March 10, 2014 2:16 PM
  • I have ran the Same query on the effted data base and trying to import, below is the  

    There are encrypted fields in the organization database, but the data encryption feature isn't activated. Contact your Microsoft Dynamics CRM system administrator to activate data encryption. To activate, go to Systems Settings > Data Management > Data Encryption. For more information, see http://go.microsoft.com/fwlink/?LinkId=316366.

    Is the same warning message you have experienced while importing ???


    Vinay Kumar.


    Monday, March 10, 2014 2:51 PM
  • Failed Again....!!

     This was the query i used to run 

    USE NEWMTC_MSCRM

    BEGIN TRANSACTION T1

      --Update Request name from 'RetrieveSqlEncryptionKey' to 'RetrieveDataEncryptionKey'
      UPDATE SdkMessageRequest
      SET Name = 'RetrieveDataEncryptionKey'
      WHERE SdkMessageRequestId = 'F4FE4B6F-E225-44AF-9B77-1281A2A7326A'

      --Update Request name from 'IsSqlEncryptionActive' to 'IsDataEncryptionActive'
      UPDATE SdkMessageRequest
      SET Name = 'IsDataEncryptionActive'
      WHERE SdkMessageRequestId = '6E7FAA92-ABA3-4F5D-B527-4463F0FB29EE'

    ROLLBACK TRANSACTION T1


    Log message !!!

    Unhandled Exception: System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=6.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: System.Web.HttpUnhandledException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #083EBDAFDetail: 
    <OrganizationServiceFault xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/xrm/2011/Contracts">
      <ErrorCode>-2147220970</ErrorCode>
      <ErrorDetails xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Collections.Generic" />
      <Message>System.Web.HttpUnhandledException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #083EBDAF</Message>
      <Timestamp>2014-03-10T15:47:38.265134Z</Timestamp>
      <InnerFault>
        <ErrorCode>-2147187410</ErrorCode>
        <ErrorDetails xmlns:d3p1="http://schemas.datacontract.org/2004/07/System.Collections.Generic" />
        <Message>Cannot open Sql Encryption Symmetric Key because Symmetric Key password does not exist in Config DB.</Message>
        <Timestamp>2014-03-10T15:47:38.265134Z</Timestamp>
        <InnerFault i:nil="true" />
        <TraceText i:nil="true" />
      </InnerFault>
      <TraceText i:nil="true" />
    </OrganizationServiceFault>


    Vinay Kumar.

    Monday, March 10, 2014 3:54 PM
  • Vinay, you have to remove the lines 'BEGIN TRANSACTION T1' and 'ROLLBACK TRANSACTION T1' from the script otherwise, you're just rolling back the update as soon as you make it. I used this script just today and it did the trick.
    Monday, March 17, 2014 8:36 PM
  • Hi Boone,

    This is really Awesome....!!

    Still my main issue is same but thing is now i can see data exception activation key page. so  here i need to give the key and need to active. I have a doubt here do i need to give a specific key which is stored in MCRM_CONFIG data base.

    where i can find this ??????  need to give encryption key for activation...!!!

    Error Message : Cannot perform 'activate' because the encryption key doesn’t match the original encryption key that was used to encrypt the data

    Thanks,


    Vinay Kumar.



    Tuesday, March 18, 2014 12:00 PM
  • Hi,

    Is there anyone who have idea about my last query ??????

    Thanks,


    Vinay Kumar.

    Thursday, March 20, 2014 1:18 PM
  • The key can be anything you want as long as it meets the standards specified in the control. You don't need to look anything up.
    Thursday, May 8, 2014 4:19 PM
  • Did you solve this problem?  

    i modify the user infomation ,the system show  this error .

    and i see my data Encryption status is inactive and current encryption key is null.

    i want to know what is the active encryption key ?Can i key anything ?

    can u  tell me u proposal?

    thanks .

    please help me. U can contact me at MSN:zq_0234@hotmail.com.


    生命只是一瞬间

    Monday, July 14, 2014 1:34 PM
  • Hello,

    The issue with CRM encryption key, I was able to update the key with out any issues though, when I have upgraded to CRM 2016 I have strange thing while updating the key.

    Below is the error message what I have.


    Why this is keep says "key doesn’t match the original encryption key" here I am using original MSCRM_CONFIG, Same CRM BD without removing form deployment manager, Same SSL with matched thumb print.

     

    Unhandled Exception: System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=8.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: Cannot perform 'activate' because the encryption key doesn’t match the original encryption key that was used to encrypt the data.Detail: 
    <OrganizationServiceFault xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/xrm/2011/Contracts">
      <ErrorCode>-2147187413</ErrorCode>
      <ErrorDetails xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Collections.Generic" />
      <Message>Cannot perform 'activate' because the encryption key doesn’t match the original encryption key that was used to encrypt the data.</Message>
      <Timestamp>2016-05-25T08:42:36.7596134Z</Timestamp>
      <InnerFault i:nil="true" />
      <TraceText i:nil="true" />
    </OrganizationServiceFault>

    I have tried my complete effort on this but no luck, let me know if you have any suggestions.

    Thanks,


    Vinay Kumar.


    Wednesday, May 25, 2016 8:58 AM
  • After spending 3 days time on above issue now I have got the solution.

    just wiped out user mail box password from the CRM !!

    Cheers...


    Vinay Kumar.

    Monday, May 30, 2016 5:01 AM
  • Hi there,

    I sorted out this issue by flushing all existing passwords as below(On-Premise):

    Issue:

     Error Message : Cannot perform 'activate' because the encryption key doesn’t match the original encryption key that was used to encrypt the data

    Solution:

    use Organization_MSCRM
    update EmailServerProfile set IncomingPassword = null
    update EmailServerProfile set OutgoingPassword = null
    update Mailbox set Password = null
    update Queue set EmailPassword = null
    update UserSettings set EmailPassword = null

    Cheers,

    Friday, October 7, 2016 8:20 AM
  • Hi,

    You should have a backup of the original 2011 implementation. You will need to spin that up again somewhere. Set up https (ie port 443) then go and look at the key in CRM2011.

    Copy that key to the CRM2013 instance and you should be good to go.

    regards,

    Donald

    Monday, October 17, 2016 12:20 PM