Always Encryption: Failed to decrypt a column encryption key using key store provider: 'MSSQL_CERTIFICATE_STORE'

Solution 1

The solution to this issue is:

  1. Run MMC.
  2. Select the Certificates snap-in in the console.
  3. Locate your Always Encrypted certificate, under either My user or the Machine account.
  4. Right click -> All Tasks -> Manage Private Keys.
  5. Add the Windows user that is making the SQL connection.
  6. The user could be the process user; it can be either IIS or any Windows logon user.

It solved my issues.
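The steps above can be scripted. The following PowerShell is an added example, not code from the original answer: it finds the column master key certificate by the thumbprint quoted in the error, resolves the file that holds its private key, and grants the application identity read-only access to that file, which is what MMC's "Manage Private Keys" dialog does. The app pool name is a placeholder; the thumbprint is the one from the question. Run it elevated on the machine where the certificate lives.

```powershell
# Added example (not from the original answer): grant an application identity
# read access to the private key of an Always Encrypted column master key cert.
param(
    [string]$Thumbprint = 'A0D10777759BBD947EEA6F3F5D1A7989514C45F0',  # thumbprint from the error text
    [string]$Account    = 'IIS APPPOOL\DefaultAppPool'                  # placeholder: the identity that opens the SQL connection
)

# Step 1: locate the certificate in either store. The error names the store the
# column master key definition points at ('My' in 'CurrentUser' in the question).
$cert = Get-ChildItem -Path Cert:\CurrentUser\My, Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
if (-not $cert) {
    throw "No certificate with thumbprint $Thumbprint in CurrentUser\My or LocalMachine\My (checked as $env:USERDOMAIN\$env:USERNAME)."
}
Write-Host "Found in $($cert.PSParentPath): $($cert.Subject); HasPrivateKey=$($cert.HasPrivateKey)"

# Step 2: a CurrentUser store is private to one Windows account, so an ACL cannot
# expose its key to a service identity; only LocalMachine\My keys can be shared.
if ($cert.PSParentPath -notmatch 'LocalMachine') {
    Write-Warning "Certificate is in a per-user store; '$Account' cannot see it there. Import it into LocalMachine\My first."
    return
}

# Step 3: resolve the on-disk key file. SSMS creates RSA certs; the key is held by
# either a CNG key storage provider or a legacy CAPI container, in different folders.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
} else {
    throw "Unsupported private key type: $($rsa.GetType().FullName)"
}
if (-not (Test-Path $keyFile)) { throw "Private key file not found at $keyFile" }

# Step 4: grant read (R) only. Decrypting column encryption keys needs read access
# to the private key, nothing more, so the application identity stays least-privilege.
& icacls.exe $keyFile /grant "${Account}:(R)"

# Step 5: show the resulting entry for the account so the change can be verified.
(Get-Acl $keyFile).Access |
    Where-Object { $_.IdentityReference -like "*$($Account.Split('\')[-1])*" } |
    Format-Table IdentityReference, FileSystemRights -AutoSize
```

Granting the key file ACL keeps the application pool on its own service identity instead of running it as the developer who created the certificate; the store and thumbprint the database expects can be confirmed with `SELECT name, key_store_provider_name, key_path FROM sys.column_master_keys`, whose `key_path` for the `MSSQL_CERTIFICATE_STORE` provider has the form `CurrentUser/My/<thumbprint>` or `LocalMachine/My/<thumbprint>`.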

Solution 2

OK, I found out the problem. The case was exactly this: I set Always Encrypted for a column using SQL Server Management Studio, which I started with my own account. Because I ran the SSMS process with my own Windows account, it placed the certificate inside the Current User / My store of my account. However, the IIS application pool is running with a different account, so it couldn't find the certificate under my account's CurrentUser/My store.

I restarted the IIS application pool with the same account that started SSMS and created the certificate, and the problem was gone.

Thanks

Solution 3

This can happen when you start using the database with Visual Studio or a web server on a different machine than the one where the Always Encrypted DB is stored.

Part of your message will be: Certificate with thumbprint '............BAE90' not found in certificate store 'My' in certificate location 'CurrentUser'.

Go to the computer where the database resides. Open the Certificate Manager.

Right click on 'Certificates - Current User' and do a find on the last few digits (in the example, BAE90), looking in the field 'SHA1 Hash'.

Once you find the Cert then right click on it and export to file.

Open the Certificate Manager on the new Visual Studio machine and do an import of the certificate and you should be good to go.

As in the other answers, you also need to 'sync' the user in the app pool to the user where the cert has been added.
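The export-and-import procedure in this answer, as an added PowerShell example that is not part of the original post. It is split into two functions because the halves run on different machines: `Export-CmkCertificate` on the box where SSMS created the certificate, `Import-CmkCertificate` on the Visual Studio or web server box. The thumbprint is the one quoted in the question; the PFX path and the target store are placeholders, and the PFX password is prompted for rather than written into the script.

```powershell
# Added example (not from the original answer): move an Always Encrypted column
# master key certificate between machines by thumbprint.
$Thumbprint = 'A0D10777759BBD947EEA6F3F5D1A7989514C45F0'   # from the error text; a tail such as 'BAE90' also works with -like
$PfxPath    = Join-Path $env:TEMP 'ae-cmk.pfx'             # placeholder path for the transfer file

# Run on the machine where the certificate was created (the SSMS user's CurrentUser\My).
function Export-CmkCertificate {
    param([string]$ThumbprintTail, [string]$Path, [securestring]$Password)

    # The error message only prints the end of the thumbprint, so match on the tail
    # of the SHA1 hash, as the certmgr.msc "find" step does.
    $cert = Get-ChildItem Cert:\CurrentUser\My |
            Where-Object { $_.Thumbprint -like "*$ThumbprintTail" } | Select-Object -First 1
    if (-not $cert) { throw "No certificate ending in $ThumbprintTail in CurrentUser\My for $env:USERNAME" }
    if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; it cannot decrypt column encryption keys" }

    # Export with the private key. CMK certificates are self-signed, so there is no chain to include.
    Export-PfxCertificate -Cert $cert -FilePath $Path -Password $Password -ChainOption EndEntityCertOnly | Out-Null
    return $cert.Thumbprint
}

# Run on the Visual Studio / web server machine after copying the PFX over.
function Import-CmkCertificate {
    param([string]$ExpectedThumbprint, [string]$Path, [securestring]$Password, [string]$StoreLocation)

    # Import into the store that the database's key_path names. LocalMachine\My lets a
    # service or app pool identity use the key (after its ACL is set); CurrentUser\My
    # only works for the one account that performs the import.
    $imported = Import-PfxCertificate -FilePath $Path -CertStoreLocation $StoreLocation `
                                      -Password $Password -Exportable:$false
    if ($imported.Thumbprint -ne $ExpectedThumbprint) {
        throw "Imported thumbprint $($imported.Thumbprint) does not match expected $ExpectedThumbprint"
    }
    # The PFX holds the private key in portable form; remove it once it is in the store.
    Remove-Item $Path -Force
    return $imported
}

# Usage on the source machine:
$pfxPassword = Read-Host -AsSecureString 'PFX password'
$fullThumbprint = Export-CmkCertificate -ThumbprintTail $Thumbprint -Path $PfxPath -Password $pfxPassword
Write-Host "Exported $fullThumbprint to $PfxPath; copy the file to the target machine."

# Usage on the target machine (same password, placeholder store):
# $cert = Import-CmkCertificate -ExpectedThumbprint $fullThumbprint -Path $PfxPath `
#                               -Password $pfxPassword -StoreLocation 'Cert:\LocalMachine\My'
```

Importing marks the key non-exportable so the copy on the web server cannot be pulled out again, and the thumbprint check confirms the imported certificate is the one the database's column master key definition references; if the key goes into LocalMachine\My, the application identity still needs read access to the private key, as the other answers describe.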

Updated on July 21, 2022

Comments

  • Admin (almost 2 years)

    I am performing Always Encrypted in my web application, which inserts data via a WCF service hosted by a Windows service. I am getting the following error when inserting data into an encrypted column.

    Failed to decrypt a column encryption key using key store provider: 'MSSQL_CERTIFICATE_STORE'. The last 10 bytes of the encrypted column encryption key are: '64-56-87-3B-EC-2E-11-9D-2A-B5'. Certificate with thumbprint 'A0D10777759BBD947EEA6F3F5D1A7989514C45F0' not found in certificate store 'My' in certificate location 'CurrentUser'. Verify the certificate path in the column master key definition in the database is correct, and the certificate has been imported correctly into the certificate location/store. Parameter name: masterKeyPath

  • tal (over 6 years)
    Hi, could you explain how you did it? I have the same problem.
  • Alpay (over 6 years)
    @tal Please pay attention to my last sentence. Go to IIS Manager / Application Pools and select your pool. Under Advanced Settings / Process Model you can change the user to the one who really 'has' the certificate.
  • tal (over 6 years)
    Isn't there a security issue with this change? Because I use Windows authentication..
  • Alpay (over 6 years)
    @tal Alternatively, you can run SQL Server Management Studio using the same user as in the IIS pool, I believe. If you run SSMS with a specific user and create the certificate, it will be installed into that user's My store, so that IIS will be able to find the certificate.
  • Gregory Bologna (about 4 years)
    I think this worked out for you by coincidence. The AppPool identity is most likely going to be an account that doesn't have anything to do with generating keys in the database. One example may be that the app pool identity is an Active Directory account for login authentication.