Always encrypted and custom impersonation RRS feed

  • Question

  • Hi all,

    Due to some requirements, we impersonate various domain users, inside a .NET 4.6 API app, running in IIS 10, per each call.

    For example, assume that any POST will cause the controller's method to select an user (based on a query string value) and write the contents in that user's associated database.

    • Each domain user has a certificate in its own certificate store.
    • Each domain user has access to a database using trusted authentication.
    • Each database has a table whose columns are encrypted using always encrypted and the aforementioned certificates as master keys.
    • We use the "interactive" impersonation type (allegedly it should load the user's profile).

    Unless I open mmc (ran as each domain user) and open the current user's certificate store, any database call will fail with

    Failed to decrypt column 'ABC'.
    Failed to decrypt a column encryption key using key store provider: 'MSSQL_CERTIFICATE_STORE'. The last 10 bytes of the encrypted column encryption key are: 'blablabla'.
    The system cannot find the file specified.

    Can anyone offer any assistance, please?

    Thank you.

    Monday, July 16, 2018 11:31 AM

All replies

  • Hi mlaurentiu,

    Have you imported this certificate to the client's certificate store? Always Encrypted functionality requires for the user that wants to access the database to have both public AND private key.

    Besides, based on the error message, this is a permission problem, please grant the read permission on the %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys OR C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys to the user.

    Could you please check the Windows Event Log to get more related information about this problem?

    Best Regards,


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Tuesday, July 17, 2018 2:43 AM