
I'm on my way to using Always Encrypted on an existing .NET Framework 4.8 WebApi codebase. The solution runs locally (for development) on IIS under ApplicationPoolIdentity (Windows 10).

I've set up a SQL query which accesses a SQL Server database with an encrypted column.

I'm using VisualStudioCredential locally to access the key vault.

Running the same code from a simple console app works, but when running on IIS, VisualStudioCredential cannot access the token provider file under C:\WINDOWS\system32\config\systemprofile\AppData\Local.IdentityService\AzureServiceAuth\tokenprovider.json.

Indeed this file does not exist; it does exist in C:\Users\<my-username>\AppData\Local.IdentityService\AzureServiceAuth.

I tried running the pool under my own identity, but then it searches for the file C:\WINDOWS\system32\config\systemprofile\AppData\Local.IdentityService\AzureServiceAuth\tokenprovider.json, which does not exist.

Any suggestion on how to get it to work would be appreciated.

[Edit] I have tried pretty much all the TokenCredential implementations available under Azure.Identity with no success. I think VisualStudioCredential is the way to go, but I'm open to other suggestions. Even an interactive prompt would be OK for me since it is for development purposes, but InteractiveBrowserCredential fails on the worker process.

  • Can you not specify the location of the tokenprovider in, say, the app.config or web.config? – Max Strandberg Apr 29 '22 at 12:17
  • The [documentation](https://learn.microsoft.com/en-us/dotnet/api/azure.identity.visualstudiocredential?view=azure-dotnet) does not mention anything in that sense – Johnny5 Apr 29 '22 at 13:31
  • But the said documentation is pretty minimal – Johnny5 Apr 29 '22 at 13:32
  • Microsoft expects developers to have extensive knowledge of Windows user accounts, so the documentation page you referred to won't have more details. In your case, setting `LoadUserProfile` to `true` might help, https://learn.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities#user-profile – Lex Li Apr 29 '22 at 15:36
  • @LexLi this property is already true on my app pool :/ – Johnny5 Apr 29 '22 at 15:48
  • https://github.com/Azure/azure-sdk-for-net/issues/4590#issuecomment-414838241 – Lex Li Apr 29 '22 at 18:00
  • Thanks @LexLi, I will try this next Monday. In the meantime, have a great weekend ;) – Johnny5 Apr 29 '22 at 19:25
  • What version of `Microsoft.Azure.Services.AppAuthentication` are you using? It seems to be a bug in versions prior to 1.6 and has been fixed in 1.6. https://github.com/Azure/azure-sdk-for-net/issues/12035 – Bruce Zhang May 02 '22 at 01:40
  • @BruceZhang I don't use this package. I installed `Microsoft.Data.SqlClient` and `Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider`, which come with a lot of dependencies, but not this one. – Johnny5 May 02 '22 at 15:27

1 Answer

The link posted by @LexLi in the comments explains the problem.

Azure.Identity.VisualStudioCredential cannot be used with ApplicationPoolIdentity on IIS. The pool must run under the developer's name.

I ended up configuring an application in azure AD for dev environments and using clientId/clientSecret.

  • What would "running under the developer's name" mean in terms of the IIS settings? Would it be the `Built-in account` > `LocalSystem` option? Tried the suggestions at the link without success. – cognophile Jan 12 '23 at 11:24
  • > What would "running under the developer's name" mean in terms of the IIS settings? - It means the application pool is running under a specific user, this user being the developer's AD account. I'm not sure of the precise term because my installation of Windows is in French. – Johnny5 Jan 16 '23 at 13:16
  • Appreciate the response. I found the answer for how to do it elsewhere and documented it [here](https://stackoverflow.com/a/75096380/5012644). – cognophile Jan 16 '23 at 15:17
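The answer's workaround (a dev-only Azure AD app registration with clientId/clientSecret) and the question's original goal (VisualStudioCredential from a console app) can be served by one credential chain, so the same code works whether the worker process runs as the developer or as ApplicationPoolIdentity. The following is an added example and is not code from the question, the answer, or the Microsoft libraries' documentation; it assumes the tenant id, client id and secret are supplied through the placeholder environment variable names shown, and that the encrypted column lives in an assumed `dbo.Customers.Ssn` column.

```csharp
// Added example (not from the question or answer): registering the Always Encrypted
// Azure Key Vault provider with a credential chain that works both under the
// developer's own account (VisualStudioCredential) and under an IIS app pool
// identity that has no Visual Studio token cache (ClientSecretCredential).
// Assumed: a dev-only Azure AD app registration whose tenant id, client id and
// secret are supplied via the placeholder environment variables named below.
using System;
using System.Collections.Generic;
using System.Data;
using Azure.Core;
using Azure.Identity;
using Microsoft.Data.SqlClient;
using Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider;

public static class AlwaysEncryptedSetup
{
    private static bool _registered;

    // Builds the credential used to unwrap column master keys stored in Key Vault.
    public static TokenCredential BuildKeyVaultCredential()
    {
        // Placeholder variable names; not from the original page.
        var tenantId = Environment.GetEnvironmentVariable("DEV_AKV_TENANT_ID");
        var clientId = Environment.GetEnvironmentVariable("DEV_AKV_CLIENT_ID");
        var clientSecret = Environment.GetEnvironmentVariable("DEV_AKV_CLIENT_SECRET");

        var candidates = new List<TokenCredential>();

        // Works when the process runs as the developer signed in to Visual Studio
        // (console app, or an app pool running under that user's account).
        candidates.Add(new VisualStudioCredential());

        // Fallback for ApplicationPoolIdentity, which has no tokenprovider.json under
        // its systemprofile directory: the dev-only app registration from the answer.
        if (!string.IsNullOrEmpty(tenantId) && !string.IsNullOrEmpty(clientId)
            && !string.IsNullOrEmpty(clientSecret))
        {
            candidates.Add(new ClientSecretCredential(tenantId, clientId, clientSecret));
        }

        // ChainedTokenCredential tries each credential in order and returns the first token obtained.
        return new ChainedTokenCredential(candidates.ToArray());
    }

    // Registers the Key Vault key store provider once per process (e.g. from Application_Start).
    // The static registration throws if called twice, hence the guard.
    public static void RegisterKeyVaultProvider(TokenCredential credential)
    {
        if (_registered) return;
        var provider = new SqlColumnEncryptionAzureKeyVaultProvider(credential);
        SqlConnection.RegisterColumnEncryptionKeyStoreProviders(
            new Dictionary<string, SqlColumnEncryptionKeyStoreProvider>
            {
                { SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, provider }
            });
        _registered = true;
    }

    // Reads an encrypted column; the driver decrypts transparently once the provider
    // is registered and Column Encryption Setting=Enabled is on the connection.
    public static List<string> ReadEncryptedColumn(string connectionString, int customerId)
    {
        var results = new List<string>();
        var builder = new SqlConnectionStringBuilder(connectionString)
        {
            ColumnEncryptionSetting = SqlConnectionColumnEncryptionSetting.Enabled
        };

        using (var conn = new SqlConnection(builder.ConnectionString))
        // Assumed table/column names for illustration only.
        using (var cmd = new SqlCommand("SELECT Ssn FROM dbo.Customers WHERE CustomerId = @id", conn))
        {
            // Always parameterise: the driver can only encrypt values it sends as
            // parameters, and literals in the SQL text would also be injectable.
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = customerId;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read()) results.Add(reader.GetString(0));
            }
        }
        return results;
    }
}
```

Call `RegisterKeyVaultProvider(BuildKeyVaultCredential())` once at startup (Global.asax `Application_Start` for a .NET Framework WebApi), then use `ReadEncryptedColumn` from request code. Reading the secret from environment variables or a user-scoped config file rather than web.config keeps the dev app registration's secret out of source control, and because the chain tries `VisualStudioCredential` first, the same build keeps working from a console app or from an app pool that runs under the developer's account, where the `tokenprovider.json` cache exists.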