We have a SQL Server 2016 database that uses Always Encrypted. Our recently published ASP.net website is trying to retrieve data from this database, and when that happens we get this error:
Error: Failed to decrypt column 'EnSSd'. Failed to decrypt a column encryption key using key store provider: 'MSSQL_CERTIFICATE_STORE'. The last 10 bytes of the encrypted column encryption key are: 'B8-48-B3-62-90-0B-1D-A6-7D-80'. Certificate with thumbprint '97B0D3A64CADBE86FE23559AEE2783317655FD0F' not found in certificate store 'My' in certificate location 'CurrentUser'. Verify the certificate path in the column master key definition in the database is correct, and the certificate has been imported correctly into the certificate location/store. Parameter name: masterKeyPath
Now we know that this means that the certificate was not placed in the right place on the server. During development, we just placed the certificate in the "Certificates" snap-in in the "Personal certificate store", and it worked, but now that the site was published, we tried to do the same on the web server, but it does not work (we kind of understood will not be).
Anonymous authentication is enabled on the site, and the anonymous user ID is IUSR. ASP.NET ignore is disabled.
Where is the place to place the certificate?
UPDATE - we made it work by changing the application pool identifier account to the one that created the certificate. This is also the account used to add the certificate to the Current User Personal list on the web server. We would prefer not to use this account, so again, where is the place to place the certificate?
source
share