Encryption user error

David Chase 681

I was trying one last test of Always Encrypted and this time I got the error "The reverse engineering operation cannot continue because you do not have View Definition permission on the database."
This is my 2nd attempted test as the first one worked perfectly. I could not finf View Definition in the user security options. Any ideas?

Accepted answer

Erland Sommarskog 100.8K Reputation points MVP

2020-12-24T10:34:47.353+00:00

Explain what? What a service account is? You log on to the machine which runs SQL Server and IIS as DOMAIN\Admin or whatever. You run the Always Encrypted wizard, and the certificate ends up in the certificate store of DOMAIN\Admin.

However, the web server does typically not run as DOMAIN\Admin, but some other account. I have feeling that IIS typically as as Local Service, but I know very little about IIS, and you may be better off asking in a forum for IIS (if that is the web server you are using) for details. I googled around, and I found https://stackoverflow.com/questions/38462367/where-does-one-place-the-always-encrypted-certificate-on-an-iis-7-5-web-server. There are two solutions suggested. The first one may be the simpler one, but I don't like it from a security standpoint, so I would suggest that you try the second.

I don't know if you have made your initial tests with IIS Express, but this is different. IIS Express runs in your user space, so in this case, it will find your personal certificate store.
Please sign in to rate this answer.
David Chase 681 Reputation points

2020-12-24T14:19:59.643+00:00

Thank you. I'll give this a try. Happy Holidays!
Sign in to comment

6 additional answers

Robbie Varn 346 Reputation points

2020-12-21T16:07:20.333+00:00

The View Definition permission is in the database properties under the explicit tab near the bottom.
Please sign in to rate this answer.
David Chase 681 Reputation points

2020-12-21T16:58:27.15+00:00

That worked but when I went through the encryption wizard and go to the last step I get the error below.

Dec 21 2020 11:52:36 [Informational] TaskUpdates: Message:Task: 'Generate new column master key CMK_Auto1 in Windows certificate store CurrentUser' -- Status: 'Failed' -- Details: 'Task failed due to following error: User does not have permission to perform this action.
Changed database context to 'kdctest'.'.
Sign in to comment
Erland Sommarskog 100.8K Reputation points MVP

2020-12-21T22:24:51.793+00:00

If you did not have VIEW DEFINITION, there may be more permissions you are missing. I don't recall on the top of my head what permission you need here, but for that kind of operation, you would typically have to be in the db_ddladmin or db_owner role. And since you apparently were able to grant VIEW DEFINITION, you appear to have access to an account with sufficient permissions, so why not use that?
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
David Chase 681 Reputation points

2020-12-21T22:54:07.583+00:00

Just strange to me that a test last week on the same database worked fine. I will try the additional permissions.
Please sign in to rate this answer.
Erland Sommarskog 100.8K Reputation points MVP

2020-12-21T22:59:22.397+00:00

I guess that you ran with the appropriate credentials at that occasion.

David Chase 681 Reputation points

2020-12-21T23:15:11.74+00:00

Never changed the credentials.
Sign in to comment
CathyJi-MSFT 21,081 Reputation points Microsoft Vendor

2020-12-22T03:14:40.363+00:00

Hi @David Chase ,

> The reverse engineering operation cannot continue because you do not have View Definition permission on the database.

There are four permissions for Always Encrypted:

• ALTER ANY COLUMN MASTER KEY (Required to create and delete a column master key.)
• ALTER ANY COLUMN ENCRYPTION KEY (Required to create and delete a column encryption key.)
• VIEW ANY COLUMN MASTER KEY DEFINITION (Required to access and read the metadata of the column master keys to manage keys or query encrypted columns.)
• VIEW ANY COLUMN ENCRYPTION KEY DEFINITION (Required to access and read the metadata of the column encryption key to manage keys or query encrypted columns.)

Refer to MS document Always Encrypted.

Suggest you selecting the db_owner role for the user to resolve your issue.

Best regards,
Cathy

If the response is helpful, please click "Accept Answer" and upvote it, thank you.
Please sign in to rate this answer.
David Chase 681 Reputation points

2020-12-22T19:02:05.017+00:00

OK, I made the login user the db_owner and the encryption completed successfully. However, when I go to use it in our asp.net web app I get the error below. The web app connects as the same user credentials that I used to setup encryption.

Message: Failed to decrypt column 'FirstName'.
Failed to decrypt a column encryption key using key store provider: 'MSSQL_CERTIFICATE_STORE'. The last 10 bytes of the encrypted column encryption key are: '23-D1-D8-35-E5-03-0A-40-AA-D7'.
Certificate with thumbprint '9E2D57BB2B3D3EADCAF0B420C2E6859CE58341AA' not found in certificate store 'My' in certificate location 'CurrentUser'. Verify the certificate path in the column master key definition in the database is correct, and the certificate has been imported correctly into the certificate location/store.
Parameter name: masterKeyPath

Erland Sommarskog 100.8K Reputation points MVP

2020-12-22T21:58:01.323+00:00

This problem appears to be entirely unrelated to your original question. It seems that you have not deploy to the certificate store of the service account for the web server.

CathyJi-MSFT 21,081 Reputation points Microsoft Vendor

2020-12-23T07:37:02.927+00:00

Hi @David Chase ,

> Certificate with thumbprint '9E2D57BB2B3D3EADCAF0B420C2E6859CE58341AA' not found in certificate store 'My' in certificate location 'CurrentUser'.

The certificate must be stored in either machine’s cert store, or the cert store of the account where the web application is running under.

You can try to export and import SQL Server Always Encrypted Certificates follow this blog to resolve your issue.

Best regards,
Cathy

David Chase 681 Reputation points

2020-12-23T14:34:34.18+00:00

Ok, I redid the encryption and selected "Local Machine" for the master key source. Since the server is both the SQL Server AND the web server I did not think that I needed to export/import because the machine is serving both roles and I need to simply decrypt for the web app. However, after recreating the encryption I get the error below when accessing the web app.

Message: Failed to decrypt column 'FirstName'.
Failed to decrypt a column encryption key using key store provider: 'MSSQL_CERTIFICATE_STORE'. The last 10 bytes of the encrypted column encryption key are: '9C-66-AC-57-51-50-53-85-BD-D9'.
Keyset does not exist

p.s. we are using sql login user to setup the certificate and also to connect to sql server.

Erland Sommarskog 100.8K Reputation points MVP

2020-12-23T17:00:03.147+00:00

So that sql login you added to db_owner was the login the application runs under? Take it out of db_owner! Application logins should not run with elevated permissions.

And there is little reason to use that login to set up encryption. That would typically be done from your personal account - which presumably is at least db_owner.

The SQL login does not have any certificate store, but that is for the Windows users that runs the application, that is, in this case, the service account for the web server. Keep in mind that encryption/decryption occurs outside SQL Server in the realm of the client (i.e. the web server.)

The blog post that Cathy posted a link to seems useful.

David Chase 681 Reputation points

2020-12-23T18:14:36.06+00:00

This web and sql is on a hosted server so I have no "personal account". I login as administrator. Our web application connection string connects using an sql server user account named "David". I was told to make the database user "David" a db_owner so I could do the encryption (see Cathy post further up). This whole certificate thing is confusing to a web developer like me as I have tried so many iterations it is making my head spin. The encryption wizard is easy enough to do but then I keep getting errors related to the certificate every time.
Sign in to comment