SSAS 2022 Gen2 Crypto Key Errors

Introduction

 

 

Symptoms

You may encounter these errors during a Kepion deployment or following a service account change:

• SSAS 2022 fails to start.

• Event logs or msmdsrv.log contain messages such as:

Errors in the encryption library: Failed to decrypt sensitive data...


Possibly the encryption key does not match or is inaccessible...


system error code=-2146893819

 

• You may also see:

Successfully generated server Gen2 cryptokey file...

Service cannot be started...

Any of the existing databases that use server Gen2 cryptokey will have their cryptkeys corrupt. 

 

 

About the issue

This issue is specific to SSAS 2022 CU1 and later, where Microsoft implemented Gen2 keys. Unlike Gen1 encryption, Gen2 keys:

• Are non-portable across service accounts or machines.

• Enforce strict bindings to:

  • The SSAS service account

  • The local machine profile

  • The encryption context (instance/database/connection)

As a result, any mismatch due to account changes, VM image inconsistencies, or configuration issues may break decryption, even if SSAS starts.

 

Potential causes

Several potential contributing factors have been observed that may be causing this issue:

• Modifying DeploymentMode in msmdsrv.ini (unsupported by Microsoft).

• Using SQL Server 2022 Azure VM images with preinstalled but invalid SSAS configurations.

• Attaching databases from instances with a different Gen2 key lineage.

• Changing the SSAS service account without backing up/restoring encryption keys.

• Missing or incorrect <Gen2ServerKey> tag in msmdsrv.ini.

These scenarios can lead to decryption failures of data sources, connection strings, or configuration values, even in environments where no changes were knowingly made by the administrator.

 

Persisting encrypted values

Even after removing the database or cleaning the Data directory, encrypted values may remain in:

• msmdsrv.ini

• Other configuration XML files in the Config directory

• The service account's local user profile folder. It is commonly located in the following path:

C:\Users\<SSASServiceAccount>\AppData\Local\Microsoft\Microsoft SQL Server\130\CryptKey\

 

 

Resolution 1: Consider downgrading to SSAS 2019

If your environment and Kepion solution requirements allow it, we recommend downgrading only the Analysis Services (SSAS) component to SSAS 2019. This issue affects SSAS exclusively and does not impact the SQL Server database engine.

 

SSAS 2019 does not use Gen2 encryption keys, so it is not affected by the decryption and configuration issues introduced in SSAS 2022 CU1 and later. Downgrading SSAS helps avoid:

• Complex Gen2 key regeneration

• Strict service account bindings

• Irreversible encryption schema upgrades

 

Note: You can continue using SQL Server 2022 for the database engine while running SSAS 2019 in parallel.

 

Note: Before downgrading, ensure your solution does not rely on features exclusive to SSAS 2022.

 

 

Resolution 2: Reset encrypted values in SSAS 2022

If downgrading to SSAS 2019 is not an option, follow these steps to reset the SSAS 2022 instance, remove any remaining encrypted values, and allow it to generate a fresh Gen2 cryptographic key. This helps bypass decryption errors caused by invalid or mismatched key references.

 

Steps

1. Stop the SSAS Service

 

Option A: Stop the SSAS via Services UI

 

Option B: via PowerShell script

Stop-Service -Name "MSOLAP$YourInstance"

 

2. Rename the SSAS Data Directory to Backup
 

This prevents SSAS from trying to load corrupted or encrypted data.

The Data Directory is the folder defined in the SSAS configuration as the location for database storage

 

Common path examples:

• C:\Program Files\Microsoft SQL Server\MSAS16.InstanceName\OLAP\Data
• G:\SSAS\Data

 

Please adjust your path:

Rename-Item "C:\Your\Actual\Data\Path" -NewName "Data_Backup_$(Get-Date -Format yyyyMMddHHmmss)"

 

 

3. Remove Encrypted Password Tags in msmdsrv.ini
 

• Navigate to your instance's config directory:

The path is generally the following

C:\Program Files\Microsoft SQL Server\MSAS16.InstanceName\OLAP\Config\

• Open msmdsrv.ini with a text editor (e.g., Notepad++ or Visual Studio Code).
• Locate and delete any <Password> or other encrypted tags. Encrypted values often look like this:

<DataSources>
  <DataSource>
  ...
  <Password>EncryptedDataStart...EncryptedDataEnd</Password>
  ...
  </DataSource>
</DataSources>

 

Remove only the full line or block that contains the encrypted <Password> node, and leave other configurations intact.

 

Example:

<Password>EncryptedDataStart...EncryptedDataEnd</Password>

 

Note: These entries must be removed to avoid referencing undecryptable values.

 

4. Clear Per-User Crypto Cache (Optional) 

For a fully clean reset, delete the entire CryptKey folder for the SSAS service account profile to remove old cached keys

 

C:\Users\<SSASServiceAccount>\AppData\Local\Microsoft\Microsoft SQL Server\130\CryptKey\

 

 

5. Restart SSAS 

 

Option A: Start SSAS via Services UI

 

Option B: Start SSAS in PowerShell 

Start-Service -Name "MSOLAP$YourInstance"

 

On restart, SSAS should:

• Generate a new Gen2 crypto key
• Skip any legacy encrypted configuration

• Start successfully

 

How to verify

Open the log file, typically located at:

C:\Program Files\Microsoft SQL Server\MSAS16.InstanceName\OLAP\Log\msmdsrv.log

 

Look for lines like:

Successfully generated server Gen2 cryptokey file, key version=6
Service started

 

Also validate:

• SSAS starts without errors
• Kepion application loads and processes as expected
• You can connect via SQL Server Management Studio (SSMS)

 

Best practices for Kepion service account changes

Before changing the SSAS service account, always back up the encryption keys.
 

In SSMS:

• Right-click the SSAS instance → Properties

• Navigate to Encryption

• Click Back Up…

 

Note: Save the .bak file securely. You'll need this if you restore the original configuration.

 

References

• Microsoft Docs - Encryption Key Upgrade Behavior
• Determine the server mode of an Analysis Services instance