适用于:
SQL Server
本文章提供了有关 SQL Server 连接器的补充信息。 有关 SQL Server 连接器的详细信息,请参阅使用 Azure Key Vault 的可扩展密钥管理(SQL Server),使用 Azure Key Vault 设置 SQL Server TDE 可扩展密钥管理,以及将 SQL Server 连接器与 SQL 加密功能配合使用。
注意
虽然 Microsoft Entra ID 是 Azure Active Directory (Azure AD) 的新名称,但为了防止中断现有环境,Azure AD 仍保留在一些硬编码的元素中,例如 UI 字段、连接提供程序、错误代码和 cmdlet。 在本文中,这两个名称可以互换。
答: SQL Server 连接器的维护说明
密钥轮换
Azure Key Vault 支持密钥轮换,这是创建新密钥并更新应用程序来使用新密钥的过程。 密钥轮换是一种安全最佳做法,可帮助保护数据以防密钥被盗用。 SQL Server 连接器支持密钥轮换。 不应删除旧密钥,因为可能需要使用旧密钥来还原数据库。 若要轮换密钥,请按照使用新的 AKV 密钥或新的 AKV 密钥版本来轮换非对称密钥中的步骤进行操作。
升级 SQL Server 连接器
已替换版本 1.0.0.440 和更早的版本,且生产环境不再支持这些版本。 生产环境中支持版本 1.0.1.0 及更高版本。 按照以下说明升级到 Microsoft 下载中心提供的最新版本。
升级
- 使用 SQL Server Configuration Manager 停止 SQL Server 服务。
- 使用 控制面板>程序程序和>功能卸载旧版本。
- 应用程序名称:用于 Microsoft Azure Key Vault 的 SQL Server 连接器
- 版本:15.0.300.96(或更早版本)
- DLL 文件日期:2018 年 1 月 30 日(或更早)
- 安装(升级)新版本的 SQL Server Connector for Microsoft Azure Key Vault。
- 版本: 15.0.2000.440
- DLL 文件日期:2024 年 11 月 9 日
- 启动 SQL Server 服务。
- 可访问测试加密的数据库。
如果数据库处于 RECOVERY PENDING 状态,则需要在加密提供程序上运行命令 ALTER 。 将AzureKeyVault_EKM替换为实际的加密提供程序的名称,可在sys.cryptographic_providers系统视图中找到该名称。
ALTER CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM DISABLE;
ALTER CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM FROM FILE = 'C:\Program Files\SQL Server Connector for Microsoft Azure Key Vault\Microsoft.AzureKeyVaultService.EKM.dll';
ALTER CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM ENABLE;
修改加密提供程序后重启 SQL Server 服务。
回退
使用 SQL Server Configuration Manager 停止 SQL Server 服务。
使用 控制面板>程序和功能>卸载新版本。
- 应用程序名称:用于 Microsoft Azure Key Vault 的 SQL Server 连接器
- 版本: 15.0.2000.440
- DLL 文件日期:2024 年 11 月 9 日
安装旧版 Microsoft Azure Key Vault 的 SQL Server 连接器。
- 版本: 15.0.300.96
- DLL 文件日期:2018 年 1 月 30 日
启动 SQL Server 服务。
检查使用 TDE 的数据库是否可访问。
验证更新是否正常工作后,可以删除旧的 SQL Server 连接器 文件夹(如果选择重命名它,而不是在步骤 3 中卸载)。
旧版 SQL Server 连接器
指向旧版 SQL Server 连接器的深层链接
- 当前:1.0.5.0(版本 15.0.2000.440) – 文件日期 2024 年 11 月 9 日
- 1.0.5.0 (版本 15.0.2000.440) – 文件日期 2020 年 11 月 24 日
- 1.0.5.0(版本 15.0.300.96)- 文件日期为 2018 年 1 月 30 日
- 1.0.4.0:(版本 13.0.811.168)
更换 SQL Server 服务主体
SQL Server 使用在 Microsoft Entra ID(以前称为 Azure Active Directory)中创建的服务主体作为凭据来访问密钥保管库。 服务主体具有客户端 ID 和身份验证密钥。 SQL Server 凭据是使用 VaultName、 客户端 ID 和身份验证密钥设置的。 身份验证密钥在在一段时间内(一年或两年)有效。 在时间段过期之前,必须在服务主体的 Microsoft Entra ID 中生成新密钥。 然后,必须在 SQL Server 中更改凭据。 Management Studio 为当前会话中的凭据保留缓存,因此,如果凭据发生更改,Management Studio 应重新启动。
Azure VM 上的 SQL Server 的托管标识支持
从 SQL Server 2022 累积更新 17 (CU17) 开始,Azure VM 上的 SQL Server(仅限 Windows)的 Azure Key Vault (AKV) 和托管硬件安全模块 (HSM) 支持 Microsoft Entra 托管标识用于可扩展的密钥管理 (EKM)。 有关详细信息,请参阅使用 Azure Key Vault 的可扩展密钥管理的托管标识支持。 若要将托管身份用于 SQL Server 连接器,连接器版本必须为 2024 年 11 月 1.0.5.0 或更高版本。 从 Microsoft 下载中心下载最新版本。
密钥备份和恢复
应定期备份密钥保管库。 如果保管库中的非对称密钥丢失,可以从备份还原。 必须使用和以前相同的名称还原密钥,还原 PowerShell 命令会执行此操作(如下面步骤所示)。
如果保管库已丢失,请重新创建保管库,并使用与以前相同的名称将非对称密钥还原到新创建的保管库中。 保管库名称可以不同(也可以和以前一样)。 设置对新保管库的访问权限,以便向 SQL Server 服务主体授予 SQL Server 加密场景所需的访问权限,然后调整 SQL Server 凭据以反映新的保管库名称。
总之,按照下面的步骤执行操作:
- 备份保管库密钥(使用 Backup-AzureKeyVaultKey PowerShell cmdlet)。
- 如果保管库出错,则在同一地理区域中创建新的保管库。 创建此保管库的用户应该与为 SQL Server 设置的服务主体处于同一个默认目录中。
- 使用 Restore-AzureKeyVaultKey PowerShell cmdlet 将密钥还原到新保管库,这将使用和以前相同的名称还原密钥。 如果已经存在具有相同名称的密钥,还原将失败。
- 向 SQL Server 服务主体授予权限以使用这个新的保管库。
- 修改数据库引擎使用的 SQL Server 凭据以反映新的保管库名称(如果需要)。
只要密钥备份保留在同一个地理区域或国家/地区云,就可以在各个 Azure 区域还原密钥备份,这些国家/地区包括:美国、加拿大、日本、澳大利亚、印度、亚太地区、欧洲、巴西、中国、美国政府或德国。
B. 常见问题
在 AAzure Key Vault 上
密钥操作如何与 Azure Key Vault 配合使用?
密钥保管库中的非对称密钥用于保护 SQL Server 加密密钥。 仅非对称密钥的公共部分会离开保管库;保管库绝不会导出其私有部分。 使用非对称密钥的所有加密操作都在 Azure Key Vault 服务中完成,并由该服务的安全性功能提供保护。
什么是密钥 URI?
Azure Key Vault 中的所有密钥都有一个统一资源标识符 (URI),你可以使用它在应用程序中引用密钥。 使用格式 https://ContosoKeyVault.vault.azure.net/keys/ContosoFirstKey 来获取当前版本,使用格式 https://ContosoKeyVault.vault.azure.net/keys/ContosoFirstKey/cgacf4f763ar42ffb0a1gca546aygd87 来获取特定版本。
配置 SQL Server 时
SQL Server 连接器需要访问哪些终结点?
该连接器与两个终结点通信,需要获得允许。 与其他服务的出站通信所需的唯一端口是 HTTPS 的 443:
login.microsoftonline.com/*:443*.vault.azure.net/*:443
此外,检查证书吊销列表可能在端口 80 上产生 HTTP 流量。
注意
如果流量被延迟或阻止,则使用防火墙或代理服务器后面的用于 Azure Key Vault 的 SQL Server 连接器可能会影响性能。 熟悉访问防火墙后面的 Azure Key Vault,确保设定正确的规则。
如何通过 HTTP(S) 代理服务器连接到 Azure Key Vault? 连接器使用 Internet Explorer 的代理配置设置。 这些设置可通过组策略 或注册表控制,但需要注意的是,这些设置不是系统范围的设置,而是针对运行 SQL Server 实例的服务帐户。 如果数据库管理员在 Internet Explorer 中查看或编辑设置,则它们只会影响数据库管理员的帐户,而不会影响 SQL Server 引擎。 不建议使用服务帐户以交互的方式登录到服务器,并且在许多安全环境中都会阻止该方式。 对配置的代理设置进行更改可能需要重启 SQL Server 实例才能生效,因为当连接器首次尝试连接到密钥保管库时,将缓存这些设置。
SQL Server 连接器支持 Azure Key Vault 中的哪些密钥大小? 最新版本的 SQL Server 连接器支持大小为 2048 和 3072 的 Azure Key Vault 密钥。
注意
即使 sys.asymmetric_keys 使用密钥大小 3072,系统视图也会将密钥大小返回为 2048。
SQL Server 中每个配置步骤所需的最低权限级别是什么?
尽管你可以使用 sysadmin 固定服务器角色成员的身份执行所有配置步骤,但 Microsoft 建议你尽量使用最少的权限。 以下列表定义了每个操作的最小权限级别。
若要创建加密提供程序,需要具备
CONTROL SERVER权限或 sysadmin 固定服务器角色的成员身份。若要更改配置选项并运行
RECONFIGURE语句,你必须获授ALTER SETTINGS服务器级别权限。ALTER SETTINGS权限由 sysadmin 和 serveradmin 固定服务器角色隐式持有。若要创建凭据,需要具备
ALTER ANY CREDENTIAL权限。若要向登录添加凭据,需要具备
ALTER ANY LOGIN权限。若要创建非对称密钥,需要具备
CREATE ASYMMETRIC KEY权限。
如何更改我的默认 Microsoft Entra 目录,以便在与为 SQL Server 连接器创建的服务主体相同的订阅和目录中创建密钥保管库?
转到 Azure 门户。
在页面的右上角,选择设置图标或你的用户配置文件。
在“目录 + 订阅”页上,选择“所有目录”以查看所属的所有 Microsoft Entra 目录。
可以更改启动目录,或者如果有多个目录,可以切换到其他目录。
注意
你可能无权实际更改 Azure 订阅上的默认目录。 在这种情况下,请在默认目录中创建 Microsoft Entra 服务主体,以便其处于与以后使用的 Azure 密钥保管库相同的目录中。
要了解有关 Microsoft Entra ID 的更多信息,请阅读Azure 订阅与 Microsoft Entra ID 相关的方式。
C. SQL Server 连接器的错误代码说明
注意
虽然 Microsoft Entra ID 是 Azure Active Directory (Azure AD) 的新名称,但为了防止中断现有环境,Azure AD 仍保留在一些硬编码的元素中,例如 UI 字段、连接提供程序、错误代码和 cmdlet。 在本文中,这两个名称可以互换。
提供程序错误代码:
| 错误代码 | 符号 | 说明 |
|---|---|---|
0 |
scp_err_Success |
The operation has succeeded. |
1 |
scp_err_Failure |
The operation has failed. |
2 |
scp_err_InsufficientBuffer |
This error tells engine to allocate more memory for the buffer. |
3 |
scp_err_NotSupported |
The operation is not supported. For example, the key type or algorithm specified isn't supported by the EKM provider. |
4 |
scp_err_NotFound |
The specified key or algorithm couldn't be found by the EKM provider. |
5 |
scp_err_AuthFailure |
The authentication has failed with EKM provider. |
6 |
scp_err_InvalidArgument |
The provided argument is invalid. |
7 |
scp_err_ProviderError |
There is an unspecified error happened in EKM provider that is caught by SQL engine. |
401 |
acquireToken |
Server responded 401 for the request. Make sure the client ID and secret are correct, and the credential string is a concatenation of AAD client ID and secret without hyphens. |
404 |
getKeyByName |
The server responded 404, because the key name was not found. Please make sure the key name exists in your vault. |
2049 |
scp_err_KeyNameDoesNotFitThumbprint |
The key name is too long to fit into SQL engine's thumbprint. The key name must not exceed 26 characters. |
2050 |
scp_err_PasswordTooShort |
The secret string that is the concatenation of AAD client ID and secret is shorter than 32 characters. |
2051 |
scp_err_OutOfMemory |
SQL engine has run out of memory and failed to allocate memory for EKM provider. |
2052 |
scp_err_ConvertKeyNameToThumbprint |
Failed to convert key name to thumbprint. |
2053 |
scp_err_ConvertThumbprintToKeyName| Failed to convert thumbprint to key name. |
|
2057 |
scp_err_ThumbprintExistedInRegistry |
The key thumbprint already exists in Windows registry mapped to a different key URI. |
2058 |
scp_err_FailureInRegistry| Failed to perform the operation in registry. SQL Server service account does not have permission to create the registry key. |
|
3000 |
ErrorSuccess |
The AKV operation has succeeded. |
3001 |
ErrorUnknown |
The AKV operation has failed with an unspecified error. |
3002 |
ErrorHttpCreateHttpClientOutOfMemory |
Cannot create an HttpClient for AKV operation due to out of memory. |
3003 |
ErrorHttpOpenSession |
Cannot open an Http session because of network error. |
3004 |
ErrorHttpConnectSession |
Cannot connect an Http session because of network error. |
3005 |
ErrorHttpAttemptConnect |
Cannot attempt a connect because of network error. |
3006 |
ErrorHttpOpenRequest |
Cannot open a request due to network error. |
3007 |
ErrorHttpAddRequestHeader |
Cannot add request header. |
3008 |
ErrorHttpSendRequest |
Cannot send a request due to network error. |
3009 |
ErrorHttpGetResponseCode |
Cannot get a response code due to network error. |
3010 |
ErrorHttpResponseCodeUnauthorized |
Server responded 401 for the request. |
3011 |
ErrorHttpResponseCodeThrottled |
Server has throttled the request. |
3012 |
ErrorHttpResponseCodeClientError |
The request sent from the connector is invalid. This usually means the key name is invalid or contains invalid characters. |
3013 |
ErrorHttpResponseCodeServerError |
Server responded a response code between 500 and 600. |
3014 |
ErrorHttpQueryHeader |
Cannot query for response header. |
3015 |
ErrorHttpQueryHeaderOutOfMemoryCopyHeader |
Cannot copy the response header due to out of memory. |
3016 |
ErrorHttpQueryHeaderOutOfMemoryReallocBuffer |
Cannot query the response header due to out of memory when reallocating a buffer. |
3017 |
ErrorHttpQueryHeaderNotFound |
Cannot find the query header in the response. |
3018 |
ErrorHttpQueryHeaderUpdateBufferLength |
Cannot update the buffer length when querying the response header. |
3019 |
ErrorHttpReadData |
Cannot read response data due to network error. |
3076 |
ErrorHttpResourceNotFound |
The server responded 404, because the key name was not found. Make sure the key name exists in your vault. |
3077 |
ErrorHttpOperationForbidden |
The server responded 403, because the user doesn't have proper permission to perform the action. Make sure you have the permission for the specified operation. At minimum, the connector requires 'get, list, wrapKey, unwrapKey' permissions to function properly. |
3100 |
ErrorHttpCreateHttpClientOutOfMemory |
Cannot create a HttpClient for AKV operation due to out of memory. |
3101 |
ErrorHttpOpenSession |
Cannot open a Http session due to network error. |
3102 |
ErrorHttpConnectSession |
Cannot connect a Http session due to network error. |
3103 |
ErrorHttpAttemptConnect |
Cannot attempt a connect due to network error. |
3104 |
ErrorHttpOpenRequest |
Cannot open a request due to network error. |
3105 |
ErrorHttpAddRequestHeader |
Cannot add request header. |
3106 |
ErrorHttpSendRequest |
Cannot send a request due to network error. |
3107 |
ErrorHttpGetResponseCode |
Cannot get a response code due to network error. |
3108 |
ErrorHttpResponseCodeUnauthorized |
Server responded 401 for the request. Make sure the client Id and secret are correct, and the credential string is a concatenation of AAD client Id and secret without hyphens. |
3109 |
ErrorHttpResponseCodeThrottled |
Server has throttled the request. |
3110 |
ErrorHttpResponseCodeClientError |
The request is invalid. This usually means the key name is invalid or contains invalid characters. |
3111 |
ErrorHttpResponseCodeServerError |
Server responded a response code between 500 and 600. |
3112 |
ErrorHttpResourceNotFound |
The server responded 404, because the key name was not found. Please make sure the key name exists in your vault. |
3113 |
ErrorHttpOperationForbidden |
The server responded 403, because the user does not have proper permission to perform the action. Please make sure you have the permission for the specified operation. At minimum,'get, wrapKey, unwrapKey' permissions are required. |
3114 |
ErrorHttpQueryHeader |
Cannot query for response header. |
3115 |
ErrorHttpQueryHeaderOutOfMemoryCopyHeader |
Cannot copy the response header due to out of memory. |
3116 |
ErrorHttpQueryHeaderOutOfMemoryReallocBuffer |
Cannot query the response header due to out of memory when reallocating a buffer. |
3117 |
ErrorHttpQueryHeaderNotFound |
Cannot find the query header in the response. |
3118 |
ErrorHttpQueryHeaderUpdateBufferLength |
Cannot update the buffer length when querying the response header. |
3119 |
ErrorHttpReadData |
Cannot read response data due to network error. |
3120 |
ErrorHttpGetResponseOutOfMemoryCreateTempBuffer |
Cannot get response body due to out of memory when creating a temp buffer. |
3121 |
ErrorHttpGetResponseOutOfMemoryGetResultString |
Cannot get response body due to out of memory when get result string. |
3122 |
ErrorHttpGetResponseOutOfMemoryAppendResponse |
Cannot get response body due to out of memory when appending response. |
3128 |
ErrorHttpBadRequest |
The secret and client id are correct but in the wrong format. |
3200 |
ErrorGetAADValuesOutOfMemoryConcatPath |
Cannot get Azure Active Directory challenge header values due to out of memory when concatenating the path. |
3201 |
ErrorGetAADDomainUrlStartPosition |
Cannot find the starting position for Azure Active Directory domain Url in malformatted response challenge header. |
3202 |
ErrorGetAADDomainUrlStopPosition |
Cannot find the ending position for Azure Active Directory domain Url in malformatted response challenge header. |
3203 |
ErrorGetAADDomainUrlMalformatted |
The Azure Active Directory response challenge header is malformatted and doesn't contain the AAD domain Url. |
3204 |
ErrorGetAADDomainUrlOutOfMemoryAlloc |
Out of memory when allocating buffer for Azure Active Directory domain Url. |
3205 |
ErrorGetAADTenantIdOutOfMemoryAlloc |
Out of memory when allocating buffer for Azure Active Directory tenantId. |
3206 |
ErrorGetAKVResourceUrlStartPosition |
Cannot find the starting position for Azure Key Vault resource Url in malformatted response challenge header. |
3207 |
ErrorGetAKVResourceUrlStopPosition |
Cannot find the ending position for Azure Key Vault resource Url in malformatted response challenge header. |
3208 |
ErrorGetAKVResourceUrlOutOfMemoryAlloc |
Out of memory when allocating buffer for Azure Key Vault resource Url. |
3300 |
ErrorGetTokenOutOfMemoryConcatPath |
Cannot get token due to out of memory when concatenating the request path. |
3301 |
ErrorGetTokenOutOfMemoryConcatBody |
Cannot get token due to out of memory when concatenating the response body. |
3302 |
ErrorGetTokenOutOfMemoryConvertResponseString |
Cannot get token due to out of memory when converting the response string. |
3303 |
ErrorGetTokenBadCredentials |
Cannot get token due to incorrect credentials. Make sure the credential string or certificate is valid. |
3304 |
ErrorGetTokenFailedToGetToken |
While the credentials are correct, the operation still failed to get a valid token. |
3305 |
ErrorGetTokenRejected |
The token is valid but is rejected by server. |
3306 |
ErrorGetTokenNotFound |
Cannot find the token in response. |
3307 |
ErrorGetTokenJsonParser |
Cannot parse the JSON response of server. |
3308 |
ErrorGetTokenExtractToken |
Cannot extract the token from the JSON response. |
3400 |
ErrorGetKeyByNameOutOfMemoryConvertResponseString |
Cannot get the key by name due to out of memory converting the response string. |
3401 |
ErrorGetKeyByNameOutOfMemoryConcatPath |
Cannot get the key by name due to out of memory when concatenating the path. |
3402 |
ErrorGetKeyByNameOutOfMemoryConcatHeader |
Cannot get the key by name due to out of memory when concatenating the header. |
3403 |
ErrorGetKeyByNameNoResponse |
Cannot get the key by name due to no response from server. |
3404 |
ErrorGetKeyByNameJsonParser |
Cannot get the key by name due to failed to parse the JSON response. |
3405 |
ErrorGetKeyByNameExtractKeyNode |
Cannot get the key by name due to failed to extract the key node from the response. |
3406 |
ErrorGetKeyByNameExtractKeyId |
Cannot get the key by name due to failed to extract the key Id from the response. |
3407 |
ErrorGetKeyByNameExtractKeyType |
Cannot get the key by name due to failed to extract the key type from the response. |
3408 |
ErrorGetKeyByNameExtractKeyN |
Cannot get the key by name due to failed to extract the key N from the response. |
3409 |
ErrorGetKeyByNameBase64DecodeN |
Cannot get the key by name due to failed to Base64 decode the N. |
3410 |
ErrorGetKeyByNameExtractKeyE |
Cannot get the key by name due to failed to extract the key E from the response. |
3411 |
ErrorGetKeyByNameBase64DecodeE |
Cannot get the key by name due to failed to Base64 decode the E. |
3412 |
ErrorGetKeyByNameExtractKeyUri |
Cannot extract the key Uri from the response. |
3500 |
ErrorBackupKeyOutOfMemoryConvertResponseString |
Cannot back up key due to out of memory when converting the response string. |
3501 |
ErrorBackupKeyOutOfMemoryConcatPath |
Cannot back up key due to out of memory when concatenating the path. |
3502 |
ErrorBackupKeyOutOfMemoryConcatHeader |
Cannot back up key due to out of memory when concatenating the request header. |
3503 |
ErrorBackupKeyNoResponse |
Cannot back up key due to no response from server. |
3504 |
ErrorBackupKeyJsonParser |
Cannot back up key due to failed to parse the JSON response. |
3505 |
ErrorBackupKeyExtractValue |
Cannot back up key due to failed to extract the value from JSON response. |
3506 |
ErrorBackupKeyBase64DecodeValue |
Cannot back up key due to failed to Base64 decode the value field. |
3600 |
ErrorWrapKeyOutOfMemoryConvertResponseString |
Cannot wrap key due to out of memory when converting response string. |
3601 |
ErrorWrapKeyOutOfMemoryConcatPath |
Cannot wrap key due to out of memory when concatenating the path. |
3602 |
ErrorWrapKeyOutOfMemoryConcatHeader |
Cannot wrap key due to out of memory when concatenating the header. |
3603 |
ErrorWrapKeyOutOfMemoryConcatBody |
Cannot wrap key due to out of memory when concatenating the body. |
3604 |
ErrorWrapKeyOutOfMemoryConvertEncodedBody |
Cannot wrap key due to out of memory when converting the encoded body. |
3605 |
ErrorWrapKeyBase64EncodeKey |
Cannot wrap key due to failed to Base64 encode the key. |
3606 |
ErrorWrapKeyBase64DecodeValue |
Cannot wrap key due to failed to Base64 decode the response value. |
3607 |
ErrorWrapKeyJsonParser |
Cannot wrap key due to failed to parse the JSON response. |
3608 |
ErrorWrapKeyExtractValue |
Cannot wrap key due to failed to extract value from response. |
3609 |
ErrorWrapKeyNoResponse |
Cannot wrap key due to no response from server. |
3700 |
ErrorUnwrapKeyOutOfMemoryConvertResponseString |
Cannot unwrap key due to out of memory when converting response string. |
3701 |
ErrorUnwrapKeyOutOfMemoryConcatPath |
Cannot unwrap key due to out of memory when concatenating the path. |
3702 |
ErrorUnwrapKeyOutOfMemoryConcatHeader |
Cannot unwrap key due to out of memory when concatenating the header. |
3703 |
ErrorUnwrapKeyOutOfMemoryConcatBody |
Cannot unwrap key due to out of memory when concatenating the body. |
3704 |
ErrorUnwrapKeyOutOfMemoryConvertEncodedBody |
Cannot unwrap key due to out of memory when converting the encoded body. |
3705 |
ErrorUnwrapKeyBase64EncodeKey |
Cannot unwrap key due to failed to Base64 encode the key. |
3706 |
ErrorUnwrapKeyBase64DecodeValue |
Cannot unwrap key due to failed to Base64 decode the response value. |
3707 |
ErrorUnwrapKeyJsonParser |
Cannot unwrap key due to failed to extract value from response. |
3708 |
ErrorUnwrapKeyExtractValue |
Cannot unwrap key due to failed to extract value from response. |
3709 |
ErrorUnwrapKeyNoResponse |
Cannot unwrap key due to no response from server. |
3800 |
ErrorSecretAuthParamsGetRequestBody |
Error creating request body using AAD clientId and secret. |
3801 |
ErrorJWTTokenCreateHeader |
Error creating JWT token header for authentication with AAD. |
3802 |
ErrorJWTTokenCreatePayloadGUID |
Error creating GUID for JWT token payload for authentication with AAD. |
3803 |
ErrorJWTTokenCreatePayload |
Error creating JWT token payload for authentication with AAD. |
3804 |
ErrorJWTTokenCreateSignature |
Error creating JWT token signature for authentication with AAD. |
3805 |
ErrorJWTTokenSignatureHashAlg |
Error getting SHA256 hash algorithm for authentication with AAD. |
3806 |
ErrorJWTTokenSignatureHash |
Error creating SHA256 hash for JWT token authentication with AAD. |
3807 |
ErrorJWTTokenSignatureSignHash |
Error signing JWT token hash for authentication with AAD. |
3808 |
ErrorJWTTokenCreateToken |
Error creating JWT token for authentication with AAD. |
3809 |
ErrorPfxCertAuthParamsImportPfx |
Error importing Pfx certificate for authentication with AAD. |
3810 |
ErrorPfxCertAuthParamsGetThumbprint |
Error getting thumbprint from Pfx certificate for authentication with AAD. |
3811 |
ErrorPfxCertAuthParamsGetPrivateKey |
Error getting private key from Pfx certificate for authentication with AAD. |
3812 |
ErrorPfxCertAuthParamsSignAlg |
Error getting RSA signing algorithm for Pfx certificate authentication with AAD. |
3813 |
ErrorPfxCertAuthParamsImportForSign |
Error importing Pfx private key for RSA signing for authentication with AAD. |
3814 |
ErrorPfxCertAuthParamsCreateRequestBody |
Error creating request body from Pfx certificate for authentication with AAD. |
3815 |
ErrorPEMCertAuthParamsGetThumbprint |
Error Base64 decoding Thumbprint for authentication with AAD. |
3816 |
ErrorPEMCertAuthParamsGetPrivateKey |
Error getting RSA private key from PEM for authentication with AAD. |
3817 |
ErrorPEMCertAuthParamsSignAlg |
Error getting RSA signing algorithm for PEM private key authentication with AAD. |
3818 |
ErrorPEMCertAuthParamsImportForSign |
Error importing PEM private key for RSA signing for authentication with AAD. |
3819 |
ErrorPEMCertAuthParamsCreateRequestBody |
Error creating request body from PEM private key for authentication with AAD. |
3820 |
ErrorLegacyPrivateKeyAuthParamsSignAlg |
Error getting RSA signing algorithm for Legacy private key authentication with AAD. |
3821 |
ErrorLegacyPrivateKeyAuthParamsImportForSign |
Error importing Legacy private key for RSA signing for authentication with AAD. |
3822 |
ErrorLegacyPrivateKeyAuthParamsCreateRequestBody |
Error creating request body from Legacy private key for authentication with AAD. |
3900 |
ErrorAKVDoesNotExist |
Error internet name not resolved. This typically indicates the Azure Key Vault is deleted. |
4000 |
ErrorCreateKeyVaultRetryManagerOutOfMemory |
Cannot create a RetryManager for AKV operation due to out of memory. |
如果未在此表中看到错误代码,则会出现此错误的其他一些原因:
你可能没有 Internet 访问权限,并且无法访问 Azure Key Vault。 请检查 Internet 连接。
Azure Key Vault 服务可能已关闭。 查看 azure.status.microsoft。 稍后再试。
可能已从 Azure Key Vault 或 SQL Server 中删除非对称密钥。 还原密钥。
如果收到“无法加载库”的错误消息,请确保根据正在运行的 SQL Server 版本已安装了适当的 Visual Studio C++ 可再发行版。 下表指定要从Microsoft下载中心安装的版本。
Windows 事件日志还会记录与 SQL Server 连接器相关的错误,这样就可以帮助提供有关错误实际发生原因的其他上下文。 Windows 应用程序事件日志中的源将为“用于 Microsoft Azure Key Vault 的 SQL Server 连接器”。
适用于 SQL Server 连接器 1.0.5.0 的 C++ 运行时库
| SQL Server 版本 | 可再发行组件安装链接(如果使用 SQL Server 连接器 1.0.5.0) |
|---|---|
| 2008、2008 R2、2012、2014 | Visual C++ Visual Studio 2013 的可再发行组件包 |
| 2016、2017、2019 | Visual C++可再发行组件,适用于Visual Studio 2015 |
适用于 SQL Server 连接器 1.0.4.0 的 C++ 运行时库
| SQL Server 版本 | 可再发行组件安装链接(如果使用 SQL Server 连接器 1.0.4.0) |
|---|---|
| 2008、2008 R2、2012、2014、2016、2017、2019 | Visual C++ Visual Studio 2013 的可再发行组件包 |
其他参考
有关可扩展密钥管理的更多信息:
支持 EKM 的 SQL 加密:
相关的 Transact-SQL 命令:
Azure Key Vault 文档:
PowerShell Azure Key Vault Cmdlet 参考