Secure enclaves enabled but SSMS didn't allow

John Woo 20

in Azure portal, I created the database with Secure enclaves enabled - type was Virtualization based security (VBS).
the command below return 1,1; however when using SSMS trying to connect with Enable secure enclaves, and protocol None, got error:
You have specified the attestation protocol in the connection string, but the SQL Server in use does not support enclave based computations - see https://go.microsoft.com/fwlink/?linkid=2157649 for more details. (Microsoft.Data.SqlClient)

Program Location:

at Microsoft.Data.SqlClient.TdsParser.TryProcessFeatureExtAck(TdsParserStateObject stateObj)

at Microsoft.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
....

select name, value, value_in_use from sys.configurations where name = 'column encryption enclave type'

John Woo 20 Reputation points

2025-02-27T14:29:51.8966667+00:00

even created the attestation url and filled in, still got error

TITLE: Connect to Server

Cannot connect to hot1.database.windows.net.

ADDITIONAL INFORMATION:

You have specified the enclave attestation URL and attestation protocol in the connection string, but the SQL Server in use does not support enclave based computations - see https://go.microsoft.com/fwlink/?linkid=2157649 for more details. (Microsoft.Data.SqlClient)

BUTTONS:

OK
Vijayalaxmi Kattimani 1,485 Reputation points Microsoft External Staff

2025-02-28T02:53:55.62+00:00

Hi @John Woo,

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

Could you please confirm whether you are encountering this error in the on-premises SQL database or in the Azure SQL Database?
John Woo 20 Reputation points

2025-02-28T08:30:55.7466667+00:00

I'm using azure portal to create the azure sql (cloud version), my company (a big bank) uses azure portal as well - we never use the on prem nor VM version of SQL the past 3 years. It was confusion compared with the traditional SQL, the way to config and test changed. now we have challenges doing migration.
Vijayalaxmi Kattimani 1,485 Reputation points Microsoft External Staff

2025-02-28T10:35:28.7533333+00:00
Hi John Woo,

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

As we understand that, you are encountering an issue with enabling secure enclaves in your Azure SQL Database using Virtualization Based Security (VBS). This error typically occurs when the SQL Server instance does not support enclave-based computations, even though the database was created with secure enclaves enabled.

To resolve this issue, ensure that you are using the latest version of SQL Server Management Studio (SSMS) and that the correct attestation protocol is specified.

Here are some steps you can follow:

Verify Enclave Configuration: Ensure that the database is correctly configured with a VBS enclave. You can do this by checking the database properties in the Azure portal or using Azure PowerShell commands.

SMS Configuration: When connecting to the database using SSMS, make sure to enable secure enclaves and specify the correct attestation protocol. In SSMS, go to the "Connect to Server" dialog, select "Options," and then the "Always Encrypted" tab. Ensure that "Enable secure enclaves" is checked and the correct protocol is selected.

Supported Enclave Technologies: Always Encrypted supports different enclave technologies, including VBS enclaves. Ensure that your SQL Server instance supports the enclave type you are using.

Additionally, you can refer to the following links for more detailed guidance:

https://learn.microsoft.com/en-us/azure/azure-sql/database/always-encrypted-enclaves-getting-started-vbs?view=azuresql&tabs=ssmsrequirements%2Cazure-portal

https://learn.microsoft.com/en-us/azure/azure-sql/database/always-encrypted-enclaves-enable?view=azuresql&tabs=IntelSGXenclaves

https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-enclaves?view=sql-server-ver16

If you continue to experience issues, please let us know here. We will respond with more details and try to help you.

I hope this information helps. Please do let us know if you have any further queries.
John Woo 20 Reputation points

2025-02-28T17:30:41.9966667+00:00

Hi Vijayalaxmi,

Thanks for the answer.

I'm attaching the setting and the error from SSMS (v20.2). we are using script to create those CMK and CEK instead of using SSMS, as in our environment, we use automation pipeline to do those operation.

Would you have any suggestion?

Accepted answer

Erland Sommarskog 118.5K Reputation points MVP

2025-02-28T21:55:32.64+00:00
I did some testing. I created a database enabled for enclaves on one of my Azure servers. I find that I can connect to this database with these settings in SSMS:

But if I connect to a database on this server which is not enabled for Always Encrypted, I get the same error message as you.

I'm inclined to think that you may be connecting to the wrong database. Either because you are connecting to database yourdb on server2.windows.database.net rather than database yourdb on server1.windows.database.net. Or you don't have the proper database in the Connection properties tab. So I would double-check all parameters.

Another way to check this, is to connect to the database with AE enabled and run queries against tables you know have encrypted columns. Also run this query:

SELECT * FROM sys.column_master_keys

And check the column allow_enclave_computations

If all checks fall out positive, we will have to conclude that something is out of order. I would recommend that you open a support case if so. If you only have a developer plan, this will send you back here, but since you work for a big bank, I assume that you have access to a better support plan.
Please sign in to rate this answer.
John Woo 20 Reputation points

2025-03-01T15:31:31.6833333+00:00

Hi Erland,We recreated new DB, it worked - I thought the key difference was, the sequence of creating the CMK, the SSMS connecting, and enabling Secure enclaves did the trick.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Secure enclaves enabled but SSMS didn't allow

0 additional answers

Your answer