Technology | March 16, 2026 | Kadim Karakuş

Resolved: Group Claim Validation Fails in SharePoint Server When Editing Secure Store Target Application After September 2025 CU

The September 2025 CU for SharePoint Server Subscription Edition included a security enhancement for the encryption algorithm used by the Secure Store Service to save credentials. This could cause group claim validation failures when editing target applications.


Introduction

Hello, Fiboo readers,

Today, we're tackling a critical issue, especially for those who run SharePoint Server Subscription Edition and have applied the September 2025 Cumulative Update (CU). This CU introduced a significant change in how the Secure Store Service stores credentials, which, in some cases, leads to group claim validation failures. In this article, we'll dive into what this issue is, why it happens, and how you can resolve it.

The September 2025 CU included a security enhancement to the encryption algorithm used by the Secure Store Service to store credentials. This was intended to make credential storage more secure. However, a side effect of this change is that credentials stored with the old encryption algorithm can no longer be properly decrypted. This leads to problems, particularly when you try to edit existing target applications or update credentials.

Symptoms of the Issue

The most obvious symptom of this issue is an error message when you try to edit a Secure Store target application or add new credentials. The error message typically indicates that group claims cannot be validated. This prevents the target application from functioning correctly and can restrict user access to certain resources.

For example, when you try to edit a target application, you might see an error like this:

Group claim validation failed.

This error indicates that the Secure Store Service cannot properly validate group claims. This is especially common for target applications that use Active Directory groups.

Causes of the Issue

The root cause of this issue is the encryption algorithm change introduced in the September 2025 CU. This change prevents the Secure Store Service from properly decrypting credentials stored with the old algorithm. This can lead to problems in the following scenarios:

  • You upgraded from an older version of SharePoint Server and then applied the September 2025 CU.
  • You have been using the Secure Store Service for a long time, and older credentials still exist.
  • Your target applications use Active Directory groups.

In these scenarios, the Secure Store Service cannot properly validate the old credentials, leading to group claim validation errors.

Solutions

There are several approaches to resolving this issue. Here are some of the most effective solutions:

1. Re-encrypt Credentials

The simplest solution is to re-encrypt the credentials for the affected target applications. This forces the Secure Store Service to re-save the credentials using the new encryption algorithm. To re-encrypt the credentials, follow these steps:

  1. Open SharePoint Central Administration.
  2. In the "Application Management" section, click "Manage Service Applications."
  3. Find and click the Secure Store Service application.
  4. Find the affected target application and edit it.
  5. Update or re-enter the credentials.
  6. Save the changes.

These steps force the Secure Store Service to re-encrypt the credentials using the new algorithm. However, the downside of this solution is that you must repeat this process for each affected target application.

2. Re-encrypt Credentials Using PowerShell

If you have multiple target applications, using PowerShell to re-encrypt the credentials can be a more efficient solution. The following PowerShell script re-encrypts the credentials for all target applications:

# Get the Secure Store Service application
$secureStore = Get-SPServiceApplication | Where-Object {$_.TypeName -eq "Secure Store Service"}

# Get all target applications
$targetApplications = Get-SPSecureStoreTargetApplication -ServiceApplication $secureStore

# Re-encrypt the credentials for each target application
foreach ($targetApplication in $targetApplications) {
    Write-Host "Target Application: $($targetApplication.Name)"
    $targetApplication.Update()
}

To run this script, follow these steps:

  1. Open the SharePoint Management Shell.
  2. Copy and paste the script above.
  3. Run the script.

This script re-encrypts the credentials for all target applications and automatically resolves the issue.

3. Clear Old Credentials

In some cases, clearing old credentials can also resolve the issue. This forces the Secure Store Service to remove old and invalid credentials. To clear old credentials, follow these steps:

  1. Open SharePoint Central Administration.
  2. In the "Application Management" section, click "Manage Service Applications."
  3. Find and click the Secure Store Service application.
  4. Click "Manage Credentials."
  5. Find and delete the old and invalid credentials.

These steps force the Secure Store Service to clear the old credentials and can resolve the issue.

Preventive Measures

To prevent this issue in the future, you can take the following preventive measures:

  • Regularly update your SharePoint Server.
  • Regularly audit the Secure Store Service and clear old credentials.
  • Be careful when using Active Directory groups and regularly check group memberships.

These preventive measures ensure that the Secure Store Service functions correctly and prevent future issues.

Conclusion

The encryption algorithm change in the September 2025 CU can affect the proper functioning of the Secure Store Service in SharePoint Server. However, the solutions and preventive measures described in this article can help you resolve this issue and prevent it in the future. Remember, regular updates and audits are critical to ensuring the security and performance of your SharePoint Server.

I hope this article has been helpful. If you have any questions or comments, please feel free to share them in the comments section below.

Have a great day!

Kadim Karakuş

Fiboo Microsoft Solutions Expert
