1

I have a table which has a couple of encrypted columns. The database and the web app are both hosted on Azure. If I run the web app locally, the code works fine and I get the decrypted data from the table as expected. However, when I publish my web app to Azure, I get timeouts when the app tries to read from the encrypted tables. Encryption keys are stored in an Azure Key Vault. I'm using Entity Framework with the "Column Encryption Settings = Enabled" setting in the connection string.

Any ideas?

Daniel D.
  • Any ideas? Yeah, [measure](http://rusanu.com/2014/02/24/how-to-analyse-sql-server-performance/) where the time is spent. Isolate the problem. Does it happen also w/o encryption? Did you look at any of the warnings from Azure [Query Performance Insight](https://learn.microsoft.com/en-us/azure/sql-database/sql-database-query-performance)? – Remus Rusanu May 18 '17 at 19:11
  • It doesn't happen without encryption. It doesn't happen on the rest of the tables either. Just the encrypted ones. – Daniel D. May 18 '17 at 19:20

2 Answers

3

Turns out the latest versions of the Microsoft.IdentityModel.Clients.ActiveDirectory dll (3.X) are not doing so great when it comes to async calls. The AcquireTokenAsync method was timing out all the time.

I rolled back to a 2.X version of the dll and now it works fine. At first, I was using the AcquireToken (non async) method but when I tried the Async method as well, I found out that it also works. Apparently the problem was with the DLL all along.

More on the topic: https://github.com/Azure/azure-sdk-for-net/issues/1432

Daniel D.
0

What version of Azure Key Vault Provider are you using?

Older versions of Azure Key Vault Provider are known to cause this issue. Can you try upgrading the provider to the latest version?

  • Hi. I was using the latest version of the AKV provider and the AcquireTokenAsync method of the Microsoft.IdentityModel.Clients.ActiveDirectory namespace was apparently causing a deadlock. Problem is I wasn't using async/await all the way down. I don't really know how to do that since I'm calling this in an overridden SqlColumnEncryptionKeyStoreProvider class, which I'm adding to the SQLConnection's encryption key store providers. Downgrading the ActiveDirectory dll to an older version, which has an AcquireToken method (non async) solved my problem for now. – Daniel D. May 19 '17 at 07:40
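
The deadlock described in the comment above, reproduced without Azure as an added example (not code from this thread, ADAL, or the Key Vault provider): blocking on an async token call from a thread that owns a synchronization context times out, while the same call offloaded with `Task.Run` completes. `RequestLikeContext` and `GetTokenAsync` are constructed stand-ins for the ASP.NET request context and for a token call such as `AcquireTokenAsync`.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading;
using System.Threading.Tasks;

// Constructed stand-in for the ASP.NET request context: continuations are queued
// for the owning thread, which cannot run them while it is blocked.
sealed class RequestLikeContext : SynchronizationContext
{
    public readonly ConcurrentQueue<Action> Pending = new ConcurrentQueue<Action>();
    public override void Post(SendOrPostCallback d, object state) => Pending.Enqueue(() => d(state));
}

static class Demo
{
    // Hypothetical stand-in for a token call such as AcquireTokenAsync.
    static async Task<string> GetTokenAsync()
    {
        await Task.Delay(100);          // captures SynchronizationContext.Current
        return "constructed-token";
    }

    // Pattern from the thread: a synchronous key store provider method blocks on the task.
    // The continuation is posted to the blocked thread's context and never runs.
    static bool BlockDirectly(TimeSpan limit) => GetTokenAsync().Wait(limit);

    // Offloaded: the async method starts on a pool thread with no context to capture.
    static bool BlockViaThreadPool(TimeSpan limit) => Task.Run(() => GetTokenAsync()).Wait(limit);

    static void Main()
    {
        var worker = new Thread(() =>
        {
            SynchronizationContext.SetSynchronizationContext(new RequestLikeContext());
            var limit = TimeSpan.FromSeconds(2);
            Console.WriteLine("direct block completed:    " + BlockDirectly(limit));
            Console.WriteLine("offloaded block completed: " + BlockViaThreadPool(limit));
        });
        worker.Start();
        worker.Join();
    }
}
```

In a provider whose methods must stay synchronous, the `Task.Run(...)` form keeps the token call off the request context. `ConfigureAwait(false)` on every await has the same effect, but only for async code you control.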