I'm in my way to use Always Encrypted on an existing .Net Framework 4.8 WebApi codebase. The solutions runs locally (for development) on IIS on ApplicationPoolIdentity (Windows 10).
I've set up a sql query which accesses a SQL Server database with an encrypted column.
I'm using VisualStudioCredential
locally to access the key vault.
Running the same code from a simple console app works, but when running on IIS VisualStudioCredential
cannot access the token provider file under C:\WINDOWS\system32\config\systemprofile\AppData\Local.IdentityService\AzureServiceAuth\tokenprovider.json
.
Indeed this file does not exists, it does exists in C:\Users\<my-username>\AppData\Local.IdentityService\AzureServiceAuth
.
It tried running the pool under my own identity, but then it search the file C:\WINDOWS\system32\config\systemprofile\AppData\Local.IdentityService\AzureServiceAuth\tokenprovider.json
which does not exists.
Any suggestion on how to get it to work would be appreciated.
[Edit]
I have tried pretty much all the TokenCredential implementation available under Azure.Identity
with no success. I think VisualStudioCredential
is the way to go, but I'm open to other suggestions. Even an interactive prompt would be OK for me since it is for development purpose, but InteractiveBrowserCredential
fails on the worker process.
The link posted by @LexLi in the comments explains the problem.
Azure.Identity.VisualStudioCredential
cannot be used with ApplicationPoolIdentity on IIS. The pool must run under the developer's name.I ended up configuring an application in azure AD for dev environments and using clientId/clientSecret.