Wednesday, January 10, 2018 2:06 PM
Hi,
We are working on the "Always Encrypted" feature in the SQL 2016 db to perform deterministic encryption on one subscription with a few columns.
We have copied and imported the certificate from the database server over to the web server.
But sometimes when we try to log in with encrypted customers, it throws the mentioned error.
Failed to decrypt column 'Email'.
Failed to decrypt a column encryption key using key store provider: 'MSSQL_CERTIFICATE_STORE'. The last 10 bytes of the encrypted column encryption key are: '57-C6-CB-21-3D-6C-CF-55-C6-61'. The system cannot find the file specified.
Please suggest.
R,
Abhishesh Pandey
Thursday, January 11, 2018 2:18 AM
Hi Abhishesh,
>> But sometimes when we try to log in with encrypted customers, it throws the mentioned error.
Can I understand that this problem is intermittent, and that it sometimes works normally? What about the login: does this problem only occur on some specified logins?
>> Failed to decrypt a column encryption key using key store provider: 'MSSQL_CERTIFICATE_STORE'. The last 10 bytes of the encrypted column encryption key are: '57-C6-CB-21-3D-6C-CF-55-C6-61'. The system cannot find the file specified.
Please check the SQL Server error log and the Windows Event log for related information. Please make sure the certificate is deployed to the store and the location specified in the key path, and that its thumbprint matches the thumbprint specified in the key path.
Best Regards,
Teige
MSDN Community Support
Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
Thursday, January 11, 2018 5:59 AM
Hi Teige,
Thanks.
Surprisingly, we have not made any changes, but we are able to log in this time. We are not getting this issue continuously, but there still seems to be some issue with the server config or something we have missed.
We need to know how to find the root cause of this, because we are going to hand over this subscription to the client and are not confident whether we have missed anything.
In the error log, we are getting the above message, posted in my question.
Please suggest.
R,
Abhishesh Pandey
Friday, January 12, 2018 9:18 AM
Hi Abhishesh,
As mentioned in this blog https://blogs.msdn.microsoft.com/sqlsecurity/2015/07/06/always-encrypted-key-metadata/, Always Encrypted is a complex process; we will need to use two tools, SQL Server Profiler and Wireshark, to capture the process.
Based on the above evidence, the client failed to get the column master key based on the path provided by SQL Server. You did not get a permission error from the Windows Event log; I think this problem is caused by SQL Server providing a wrong file path. This problem is more related to the network or some timeout configuration on the server which has caused the package to be broken.
Best Regards,
Teige
MSDN Community Support
Saturday, January 13, 2018 12:27 PM
Hi,
I have tried to encrypt a new customer, and now I am not able to log in again.
Certificate with thumbprint '462AF4BB2FB9B974D7AE21FE6AD65E61A7572361' not found in certificate store 'My' in certificate location 'CurrentUser'. Verify the certificate path in the column master key definition in the database is correct, and the certificate has been imported correctly into the certificate location/store. Parameter name: masterKeyPath.
Getting this error.
Is there any link or steps with screenshots that will guide me through installing the certificate at the right path?
Please suggest.
R,
Abhishesh Pandey
Monday, January 15, 2018 11:06 AM
Hi,
We have two subscriptions hosted on one database. We have encrypted both databases with "Always Encrypted" using the deterministic concept with the same CEK and CMK.
But one subscription is working fine, whereas while trying to log in with a different subscription, I am getting the mentioned error.
Attached error HTML file for reference.
Please suggest.
R,
Abhishesh Pandey
Tuesday, January 23, 2018 9:09 AM
Hi Abhishesh Pandey,
Do you want this one: https://www.mssqltips.com/sqlservertip/4814/exporting-and-importing-sql-server-always-encrypted-certificates-for-client-access/
Please click Windows+R -> mmc.exe, then click the File menu, Add/Remove Snap-in -> Certificates snap-in. You will now be prompted to point to the Machine certificate store, a service account store, or your individual user account's store. Each has a Personal "folder"; add them and click OK. After that, in the left pane, you will see Certificates - Current User. Please refer to this case: https://forums.iis.net/t/1232405.aspx
Best Regards,
Teige
MSDN Community Support
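The check discussed in this thread (the certificate must exist in the location and store named in the column master key path, with a matching thumbprint) can be scripted. The PowerShell below is an added example, not code from any poster; `Test-CmkCertificate` is a hypothetical helper name, it assumes the three-part `Location/Store/Thumbprint` key path form that the error message above implies, and the sample call uses the thumbprint quoted in that error.

```powershell
# Added example: verify that the certificate named in an Always Encrypted
# column master key path is visible to the account running this script.
function Test-CmkCertificate {
    param(
        # KEY_PATH of the column master key (key_path in sys.column_master_keys)
        [Parameter(Mandatory)][string]$KeyPath
    )

    # Assumed form for MSSQL_CERTIFICATE_STORE: <Location>/<Store>/<Thumbprint>
    $parts = $KeyPath.Trim() -split '[/\\]'
    if ($parts.Count -ne 3) {
        throw "Expected Location/Store/Thumbprint, got '$KeyPath'"
    }
    $location, $store, $thumb = $parts

    if ($location -notin 'CurrentUser', 'LocalMachine') {
        throw "Unknown certificate location '$location'"
    }

    # Drop spaces and invisible characters that copy/paste from the
    # certificate dialog can introduce, then validate the SHA-1 length.
    $thumb = ($thumb -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($thumb.Length -ne 40) {
        throw "Thumbprint is not 40 hex characters after cleanup"
    }

    $certPath = "Cert:\$location\$store\$thumb"
    $cert = Get-Item -Path $certPath -ErrorAction SilentlyContinue

    [pscustomobject]@{
        # CurrentUser is resolved for this identity, not for the admin
        # who imported the certificate.
        RunningAs     = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        CertPath      = $certPath
        Found         = [bool]$cert
        # Decrypting the column encryption key needs the private key,
        # not just the public certificate.
        HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
        NotAfter      = $(if ($cert) { $cert.NotAfter })
    }
}

# Key path built from the store, location and thumbprint in the error message.
Test-CmkCertificate -KeyPath 'CurrentUser/My/462AF4BB2FB9B974D7AE21FE6AD65E61A7572361'
```

Run it under the same Windows account as the web application, because each account has its own `CurrentUser` store and a certificate imported while signed in as another user will report `Found = False` here.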