How to Recover Credentials from Secure Store Service in SharePoint using PowerShell?

So, the previous SharePoint administrator left without documenting SharePoint secure store Service passwords? Unfortunately, there is no way to get stored user name, passwords from SharePoint secure store service from the Central Administration site.

Recover secure store service credentials in SharePoint using powershell

No worries, let’s use PowerShell to decrypt all user names and passwords stored in SharePoint secure store service.

PowerShell to Get Credentials from Secure Store Service: 

Here is the PowerShell script to retrieve saved credentials from SharePoint Secure store.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Any web application associated with SSS proxy application or central admin
$WebAppURL="https://intranet.crescent.com"

#Establish the Context
$Provider = New-Object Microsoft.Office.SecureStoreService.Server.SecureStoreProvider
$Provider.Context =  Get-SPServiceContext -Site $WebAppURL
 
#Get All Target Applications
$TargetApps = $provider.GetTargetApplications()
foreach ($App in $TargetApps)
{
    Write-Output $App.Name
    
    #Get the credentials for the App
    $Credentials = $provider.GetCredentials($App.Name)
    foreach ($Cred in $Credentials)
    {
        $EncryptString  = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($cred.Credential)
        $DecryptString  = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($EncryptString)
 
        Write-Output "$($cred.CredentialType): $($DecryptString)"
    }
 }

Salaudeen Rajack

Salaudeen Rajack - SharePoint Expert with Two decades of SharePoint Experience. Love to Share my knowledge and experience with the SharePoint community, through real-time articles!

One thought on “How to Recover Credentials from Secure Store Service in SharePoint using PowerShell?

  • $WebAppURL should not be a Web application, but a site collection. For the rest it works great. Thanks.

    Reply

Leave a Reply

Your email address will not be published.