FIX: Error – We experienced issues in connecting to Azure – While using SSMS to configure Always Encrypted feature using Azure Key Vault
Posted by blakhani on July 21, 2017
I have come across a situation where I was trying to configure the Always Encrypted feature using SSMS. I was trying to use Azure Key Vault to configure it but was getting a strange error. Here are a few links which you can use to read more about the subject.
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-wizard
https://blogs.msdn.microsoft.com/sqlsecurity/2015/11/10/using-the-azure-key-vault-key-store-provider-for-always-encrypted/
If we click on “Details”, we see the following:
Here is the text of the error message. Note that you might see “Backup” or “Restore” instead of “Recover” below.
TITLE: We experienced issues in connecting to Azure
—————————–
We experienced issues in connecting to Azure
——————————
ADDITIONAL INFORMATION:
Recover (Microsoft.SqlServer.Management.ServiceManagement)
——————————
BUTTONS:
OK
——————————
If we click on the “Show Technical Details” icon, we see the stack below.
Program Location:
at Microsoft.SqlServer.Management.ServiceManagement.ResourceManagement.AzureKeyVaultKeyPermissionEnumConverter.ReadJson
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.DeserializeConvertable
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.PopulateList
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateList
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateValueInternal
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.SetPropertyValue
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.PopulateObject
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateObject
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateValueInternal
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.SetPropertyValue
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.PopulateObject
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateObject
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateValueInternal
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.PopulateList
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateList
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateValueInternal
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.SetPropertyValue
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.PopulateObject
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateObject
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateValueInternal
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.SetPropertyValue
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.PopulateObject
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateObject
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateValueInternal
at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.Deserialize
at Newtonsoft.Json.JsonSerializer.DeserializeInternal
at Newtonsoft.Json.JsonConvert.DeserializeObject
at Newtonsoft.Json.JsonConvert.DeserializeObject[T]
at Microsoft.SqlServer.Management.ServiceManagement.ResourceManagement.AzureKeyVaultMethods.GetAzureKeyVault
at Microsoft.SqlServer.Management.ServiceManagement.ResourceManagement.ResourceManagement.GetAzureKeyVault
at Microsoft.SqlServer.Management.AlwaysEncryptedCommonControl.ColumnMasterKeyStoreCommonControl.AzureKeyVaultComboBox_SelectedValueChanged
at System.Windows.Forms.ListControl.OnSelectedValueChanged
at System.Windows.Forms.ComboBox.OnSelectedValueChanged
at System.Windows.Forms.ComboBox.OnSelectedIndexChanged
at System.Windows.Forms.ComboBox.set_SelectedIndex
at Microsoft.SqlServer.Management.AlwaysEncryptedCommonControl.ColumnMasterKeyStoreCommonControl.SetAdalCredential
at Microsoft.SqlServer.Management.Azure.UI.CommonUserControl.OnSessionLoggedInEventSet
at Microsoft.SqlServer.Management.Azure.UI.CommonUserControl.AuthenticateUser
If you are a geek, you can read from the stack that SSMS is trying to populate the combo boxes: AzureKeyVaultComboBox_SelectedValueChanged calls GetAzureKeyVault, and the exception surfaces in AzureKeyVaultKeyPermissionEnumConverter.ReadJson while the vault's access policy permissions are being deserialized, which is why the message names a permission such as “Recover”. If there is a working subscription, we can see that there are two combo boxes there, Subscription name(s) and Key Vault name(s).
RESOLUTION
- Log in to the Azure portal using the same account which you are using in SSMS.
- Go to “Key vaults”.
- Look for the existing Key vaults defined.
- Go to the “Access policies” blade.
- Choose the user.
As per the documentation, “To generate a column master key in the Azure Key Vault, the user must have the WrapKey, UnwrapKey, Verify, and Sign permissions to the key vault. Users might also need the Get, List, Create, Delete, Update, Import, Backup, and Restore permissions.”
- Once we click on the user, I selected the permissions below.
- Under Key permissions (12 selected):
  Key Management Operations: Get, List, Update, Create, Import, Delete, Backup, Restore
  Cryptographic Operations: Unwrap Key, Wrap Key, Verify, Sign
- Under Secret permissions (0 selected):
  Secret Management Operations: None
Make sure the UI looks like below.
The error message in SSMS might say “Backup”, “Restore” or “Recover”, depending on what is selected under “Secret permissions”. Nothing should be selected there.
After setting the permissions as above, make sure you use the “Save” button to commit the changes. Hitting OK on the previous screen doesn’t save them.
You have to check the other vaults in the subscription as well, to make sure those secret permissions are not set there either.
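To check every vault for the condition described above without clicking through each access policy, here is an added audit script (not from the original post or from SSMS). It assumes the access policy JSON has the shape that `az keyvault show` returns (properties.accessPolicies[].permissions.keys / .secrets); the vault names and object id below are constructed placeholders.

```python
import json

# Key permissions the Always Encrypted documentation quoted above requires.
REQUIRED_KEY_PERMS = {"wrapkey", "unwrapkey", "verify", "sign"}
# Key permissions the documentation says the user "might also need".
RECOMMENDED_KEY_PERMS = {"get", "list", "create", "delete", "update",
                         "import", "backup", "restore"}

# Constructed sample data in the assumed `az keyvault show` shape: two vaults for
# the same (placeholder) principal; the second carries secret permissions, which
# is the condition that makes the SSMS wizard fail.
SAMPLE_VAULTS = json.loads("""[
 {"name": "vault-one", "properties": {"accessPolicies": [
   {"objectId": "00000000-0000-0000-0000-000000000001",
    "permissions": {"keys": ["get","list","update","create","import","delete",
                             "backup","restore","unwrapKey","wrapKey","verify","sign"],
                    "secrets": [], "certificates": []}}]}},
 {"name": "vault-two", "properties": {"accessPolicies": [
   {"objectId": "00000000-0000-0000-0000-000000000001",
    "permissions": {"keys": ["wrapKey","unwrapKey","verify","sign"],
                    "secrets": ["get","recover"], "certificates": []}}]}}
]""")


def audit_vault(vault, object_id):
    """Return a list of findings for the access policy of object_id in one vault."""
    findings = []
    for policy in vault["properties"]["accessPolicies"]:
        if policy["objectId"].lower() != object_id.lower():
            continue
        perms = policy["permissions"]
        # Permission names are case-insensitive in the portal/CLI output.
        keys = {p.lower() for p in perms.get("keys") or []}
        secrets = perms.get("secrets") or []
        missing = REQUIRED_KEY_PERMS - keys
        if missing:
            findings.append("missing required key permissions: %s" % sorted(missing))
        optional = RECOMMENDED_KEY_PERMS - keys
        if optional:
            findings.append("missing recommended key permissions: %s" % sorted(optional))
        if secrets:  # any secret permission reproduces the SSMS connection error
            findings.append("secret permissions present, remove them: %s" % sorted(secrets))
        return findings
    return ["no access policy entry for this principal"]


def audit_all(vaults, object_id):
    """Map each vault name to its findings; an empty list means the vault is clean."""
    return {v["name"]: audit_vault(v, object_id) for v in vaults}
```

Feed it the output of `az keyvault show` for each vault in the subscription and the object id of the account used in SSMS; any vault with a non-empty finding list needs the access policy fixed and saved.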
I was able to move forward in the wizard and configure Always Encrypted using Azure Key Vault.
Hope this helps.