Where does one place the Always Encrypted Certificate on an IIS 7.5 web server?

隐身守侯 submitted on 2019-12-05 08:21:34

IIS can't recognize the certificate from the local user. When creating the certificate in SQL Server, by default it is put into the local user store. Do the following and make sure the certificate is generated under the local machine (not the current user) certificate store:

  1. Generate the encrypted columns with the default certificates.
  2. Undo all encrypted columns back to plain text.
  3. Go to the certificate and key under the table security node "Your DB -> Tables -> Security -> Always Encrypted Keys", right-click "CEK_Auto 1" -> Script Column Encryption Key as -> Create to new window, and keep this generated script.
  4. Delete "CEK_Auto 1".
  5. Do step 3 for the "CMK_Auto 1" certificate and delete it as well.
  6. In the "CMK_Auto 1" script, change the certificate path from "CurrentUser" to "LocalMachine".
  7. Your example path will look like this: "N'LocalMachine/my/G4452V8ERH035D2557N235B29MWR0SV834263G26'".
  8. Execute the CMK_Auto 1 and CEK_Auto 1 scripts.
  9. Make sure the certificate is generated in the local machine personal directory.
  10. It will work. If not, test with IIS Express; if that works, it means your certificate is still held in the local user personal directory.
  11. Everything else stays the same; make sure "Column Encryption Setting = Enabled" is added to the connection string.

Thanks

John Rajesh J

Always Encrypted requires that the user accessing the database has both the public and private key, which is why it appears to require you to use that account to generate the certificate, as that account will then have the key.

What I usually do is generate the certificate and export it with the private key and a secure passphrase. Then I import the cert with its key into the personal store of the account you use to run the app pool. This cannot be a generic built-in account; it must be a service account you specify.

Run a PowerShell script as the user:

whoami
COMPUTER\myIISPoolUser
# Make the machine personal store the current location; Import-PfxCertificate
# imports into the current cert: path when no store location is given.
Set-Location -Path cert:\localMachine\my
Import-PfxCertificate -FilePath c:\AlwaysEncrypt.pfx

Or use MMC:

whoami
COMPUTER\myIISPoolUser
certmgr.msc

You must also allow the app pool user to load its user profile.

Running on IIS Express is different from running on IIS.

When we create a Column Master Key (CMK) from SSMS, it generates the Always Encrypted certificate in whichever location we set while creating the CEK.

For IIS, you have to generate the certificate under MyLocalMachine and then install the certificate on the hosting server with administrator rights. This will work for you.

You also need to give the IIS user access to that certificate. This can be done by right-clicking the certificate, then clicking "manage primary key" and adding IUSR.
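The two answers above describe the same two steps by hand: import the PFX into the machine store rather than the user store, and give the identity that runs the app pool read access to the private key. The following is an added example (not code from any of the answers) that does both from an elevated PowerShell on the IIS host and prints the CMK path to use in the CREATE COLUMN MASTER KEY script. The PFX path and the app pool name "MyAppPool" are placeholders; granting read on the key file is the scripted equivalent of the "Manage Private Keys" dialog in certlm/mmc.

```powershell
# Added example: import an Always Encrypted CMK certificate into LocalMachine\My and
# grant the IIS app pool identity read access to its private key. Run elevated.
$PfxPath   = 'C:\AlwaysEncrypt.pfx'      # placeholder: exported cert with private key
$Principal = 'IIS AppPool\MyAppPool'     # placeholder: or the custom service account running the pool

# Import into the machine store so a service identity (not only the current user) can see it.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

# Find the private key container on disk. The location depends on the key storage provider:
# CNG keys live under Crypto\Keys, legacy CSP keys under Crypto\RSA\MachineKeys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path $env:ProgramData ('Microsoft\Crypto\Keys\' + $rsa.Key.UniqueName)
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyFile = Join-Path $env:ProgramData `
        ('Microsoft\Crypto\RSA\MachineKeys\' + $rsa.CspKeyContainerInfo.UniqueKeyContainerName)
} else {
    throw "Unsupported private key provider for certificate $($cert.Thumbprint)"
}

# Read access is all Always Encrypted needs; do not grant Full Control to the pool identity.
icacls $keyFile /grant "${Principal}:R" | Out-Null

# Verify the import and the ACE, then print the path the CMK definition expects.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object Thumbprint -eq $cert.Thumbprint |
    Select-Object Subject, Thumbprint, HasPrivateKey
(Get-Acl $keyFile).Access |
    Where-Object IdentityReference -like "*$($Principal.Split('\')[-1])*" |
    Select-Object IdentityReference, FileSystemRights
"CMK KEY_PATH for SSMS script: N'LocalMachine/my/$($cert.Thumbprint)'"
```

The app pool must still run as that identity with "Load User Profile" set to True, and the connection string still needs "Column Encryption Setting=Enabled".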

To all who also stumbled upon adding the certificate to the certificate store of a custom app pool user created by following other instructions, such as the ones in the answers on this page.

(Posting as an answer since I do not have enough reputation to comment.)

I was able to do this via the steps below:

  1. Run the "Local Users and Groups" utility.

    It can be run via Win + R -> lusrmgr.msc, or another way, such as searching for "Edit Local Users and Groups" in the apps menu. If you have already created a custom app pool user, this step may be familiar to you.

  2. Add the app pool user (call it CustomAppPoolUser) to the machine's "Administrators" group. (Actually this step might not be needed, but I used mmc.exe to manage certificates and it was required for me.)

  3. Run PowerShell as CustomAppPoolUser.

    (Search for PowerShell in the apps menu, right-click, "Run as different user". If there is no such line in the context menu, choose "Open file location", then Shift + right-click. If there is still no "Run as different user" line, you are probably looking at another shortcut, so choose "Open file location" in its context menu and repeat the previous steps until you see an actual PowerShell executable with "Run as different user" in its context menu (don't forget to hold Shift while opening that menu).)

  4. Run certmgr.msc (or mmc.exe with the Current User Certificates snap-in) and import your Always Encrypted certificate.

  5. Go to IIS Manager and ensure that the app pool is set to run as your custom app pool user and that the "Load User Profile" setting is set to True.

  6. Go to the "Local Users and Groups" utility and remove the user from the Administrators group.

I also restarted after the whole process to be sure it works as expected, but that may not be needed.
