SQL Server 2016 Always Encrypted Timeout at Published IIS

Question

I Have strange problem when i tried to publish my asp.net mvc application to my local (pc) iis with "Always Encrypted" Enabled.

My application keep timeout when i tried to access database using EF6 at local IIS (not express) :

But if i tried to access & debug my asp.net mvc app using Visual Studio 2017, database with 'always encrypted enabled' can be accessed perfectly without timeout.

And also i can access it with SQL Management Studio without problem.

Both (SMSS & ASP.NET web config) using this configuration.

Column Encryption Setting=enabled;

Note : I'm using ASP.NET MVC 5 & EF 6, SQL Server 2016 Developer Edition.

Sorry for my bad english.

---

UPDATED : I have tried using .NET Framework Data Provider to see if there's any clue that'll help me solving this issue, Using following code :

var context = new TestDevEntities();
            StringBuilder sb = new StringBuilder();
            string connectionString = context.Database.Connection.ConnectionString;
            using (SqlConnection connection = new SqlConnection(connectionString))
            {
                connection.Open();
                using (SqlCommand cmd = new SqlCommand(@"SELECT [id],[name],[CCno]  FROM [TestDev].[dbo].[testEncCol]", connection, null, SqlCommandColumnEncryptionSetting.ResultSetOnly))
                {
                    using (SqlDataReader reader = cmd.ExecuteReader())
                    {
                        if (reader.HasRows)
                        {
                            
                            while (reader.Read())
                            {
                                sb.Append(reader[2] + ";");
                            }
                        }
                    }
                }
            }

above code show me this error :

Now, with this kind of error i know i exactly i must do :)

1. Change the identity of application pool to the 'user' who previously generated the certificate.
2. Export currentuser cert (used by always encrypted) and import to the user that you want to use as application pool identity.

Now its worked!

EF should throw some kind of error as clear as .NET Data Providers do, instead of timeout failure that really confuse me @_@

---

UPDATED (1) : Now the question is how to use it (Certificate) with default ApplicationPoolIdentity instead of custom account?

UPDATED (2) : I have done what jakub suggest, but still no luck.

Thanks

Answer 1

One way (could be the only way) to use the DefaultAppPool identity instead of a custom (user) account is to store the certificate in the Local Machine certificate store (not Current User).

Once you create a certificate in the Local Machine certificate store, you need to grant DefaultAppPool access to the cert. You can do that using Microsoft Management Console (and the plugin for Local Computer certs):

1. Right click on the cert, select All Tasks > Manage Private Keys.
2. Click Add.
3. Set location to your computer (not your domain).
4. Enter IIS AppPool\DefaultAppPool as the object name.
5. Click OK twice.