SQL Server Connector maintenance & troubleshooting
Applies to: SQL Server
This article provides supplemental information about the SQL Server Connector. For more information about the SQL Server Connector, see Extensible Key Management Using Azure Key Vault (SQL Server).
Note
Although Microsoft Entra ID is the new name for Azure Active Directory (Azure AD), to prevent breaking existing environments Azure AD remains in some hard-coded elements such as UI fields, connection providers, error codes, and cmdlets. In this article, the two names are interchangeable.
A. Maintenance instructions for the SQL Server Connector
Key rotation
Azure Key Vault supports key rotation, the process of creating a new key and updating applications to use it. Key rotation is a security best practice that helps protect data if a key is compromised. The SQL Server Connector supports key rotation. The old key should not be deleted, because it may be needed to restore databases. To rotate a key, follow the steps in Rotate the asymmetric key using a new AKV key or a new AKV key version.
Upgrade the SQL Server Connector
Version 1.0.0.440 and earlier are deprecated and no longer supported in production environments. Version 1.0.1.0 and later are supported in production. Use the following instructions to upgrade to the latest version, available from the Microsoft Download Center.
Upgrade
- Stop the SQL Server service using SQL Server Configuration Manager.
- Uninstall the old version using Control Panel > Programs > Programs and Features.
  - Application name: SQL Server Connector for Microsoft Azure Key Vault
  - Version: 15.0.300.96 (or older)
  - DLL file date: January 30, 2018 (or older)
- Install (upgrade to) the new SQL Server Connector for Microsoft Azure Key Vault.
  - Version: 15.0.2000.440
  - DLL file date: November 9, 2024
- Start the SQL Server service.
- Test that the encrypted databases are accessible.
Rollback
- Stop the SQL Server service using SQL Server Configuration Manager.
- Uninstall the new version using Control Panel > Programs > Programs and Features.
  - Application name: SQL Server Connector for Microsoft Azure Key Vault
  - Version: 15.0.2000.440
  - DLL file date: November 9, 2024
- Install the old version of the SQL Server Connector for Microsoft Azure Key Vault.
  - Version: 15.0.300.96
  - DLL file date: January 30, 2018
- Start the SQL Server service.
- Check that the databases using TDE are accessible.
After validating that the upgrade works, you can delete the old SQL Server Connector folder (if you chose to rename it rather than uninstall it in step 3).
Older versions of the SQL Server Connector
Deep links to older versions of the SQL Server Connector
- Current: version 1.0.5.0 (build 15.0.2000.440) – file date November 9, 2024
- Version 1.0.5.0 (build 15.0.2000.440) – file date November 24, 2020
- 1.0.5.0 (build 15.0.300.96) – file date January 30, 2018
- 1.0.4.0 (build 13.0.811.168)
Rolling the SQL Server service principal
SQL Server uses a service principal created in Microsoft Entra ID (formerly Azure Active Directory) as the credential for accessing the key vault. The service principal has a client ID and an authentication key. The SQL Server credential is configured with the vault name, the client ID, and the authentication key. The authentication key is valid for a period of time (one or two years). Before that period expires, a new key must be generated for the service principal in Microsoft Entra ID, and the credential must then be changed in SQL Server. Management Studio keeps a cache of the credential for the current session, so restart Management Studio after the credential changes.
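The credential-change step above, written out as an added PowerShell example that is not part of the original article. It assembles the secret string in the form the connector expects (the client ID with hyphens removed, followed by the new key, which is also the form provider errors 401 and 2050 in section C refer to), applies the 26-character key-name limit from error 2049, and emits the ALTER CREDENTIAL statement to run against the instance. The function names, and the credential, vault and client ID values in the usage lines, are placeholders of my own; the new key itself is supplied by the caller and never stored in the script.

```powershell
# Added example: rotate the SQL Server credential after a new service-principal key
# has been generated in Microsoft Entra ID. Function names and sample values are placeholders.

function New-AkvConnectorSecret {
    param(
        [Parameter(Mandatory)] [string] $ClientId,      # Entra application (client) ID in GUID form
        [Parameter(Mandatory)] [string] $ClientSecret   # the newly generated key
    )
    if ($ClientId -notmatch '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$') {
        throw "ClientId '$ClientId' is not a GUID."
    }
    # The connector expects a single string: the client ID without hyphens, then the secret.
    $secret = ($ClientId -replace '-', '') + $ClientSecret
    # Provider error 2050 (scp_err_PasswordTooShort) is raised below 32 characters.
    if ($secret.Length -lt 32) {
        throw "Secret string is $($secret.Length) characters; at least 32 are required."
    }
    return $secret
}

function Test-AkvKeyName {
    param([Parameter(Mandatory)] [string] $KeyName)
    # Provider error 2049: the key name must fit the engine's thumbprint (max 26 characters).
    return ($KeyName.Length -le 26)
}

function New-AkvCredentialRotationSql {
    param(
        [Parameter(Mandatory)] [string] $CredentialName,
        [Parameter(Mandatory)] [string] $VaultName,      # becomes the credential's IDENTITY
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $ClientSecret
    )
    $secret = New-AkvConnectorSecret -ClientId $ClientId -ClientSecret $ClientSecret
    # Double single quotes so neither value can break out of its T-SQL string literal.
    $identity = $VaultName.Replace("'", "''")
    $secret   = $secret.Replace("'", "''")
    $name     = $CredentialName.Replace(']', ']]')
    return "ALTER CREDENTIAL [$name] WITH IDENTITY = '$identity', SECRET = '$secret';"
}

# Usage (placeholder values; obtain the new key from Entra ID, e.g. via Read-Host):
# $sql = New-AkvCredentialRotationSql -CredentialName 'sysadmin_ekm_cred' -VaultName 'ContosoKeyVault' `
#            -ClientId '00000000-0000-0000-0000-000000000000' -ClientSecret $newKey
# Invoke-Sqlcmd -ServerInstance 'SQL01' -Database master -Query $sql
```

Run the returned statement with the SqlServer module's Invoke-Sqlcmd or from a query window; then restart any open Management Studio sessions, since they cache the old credential as described above.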
Managed identity support for SQL Server on Azure VMs
Beginning with SQL Server 2022 Cumulative Update 17 (CU17), Microsoft Entra managed identities are supported for Extensible Key Management (EKM) with Azure Key Vault (AKV) and Managed Hardware Security Modules (HSM) on Azure virtual machines (Windows only). For more information, see Managed identity support for Extensible Key Management with Azure Key Vault. To use a managed identity with the SQL Server Connector, the connector version must be 1.0.5.0 (November 2024) or later. Download the latest version from the Microsoft Download Center.
Key backup and recovery
The key vault should be backed up regularly. If the asymmetric key in the vault is lost, it can be restored from a backup. The key must be restored under the same name as before, which is what the Restore PowerShell command does (see the steps below).
If the vault is lost, re-create a vault and restore the asymmetric key to it under the same name as before. The vault name can be different (or the same as before). Set access permissions on the new vault to grant the SQL Server service principal the permissions required for the SQL Server encryption scenario, and then adjust the SQL Server credential to reflect the new vault name.
In summary, the steps are:
- Back up the vault key (using the Backup-AzureKeyVaultKey PowerShell cmdlet).
- If the vault fails, create a new vault in the same geographic region. The user creating the vault should be in the same default directory as the service principal configured for SQL Server.
- Restore the key to the new vault using the Restore-AzureKeyVaultKey PowerShell cmdlet, which restores the key under the same name as before. If a key with the same name already exists, the restore fails.
- Grant the SQL Server service principal permission to use the new vault.
- Modify the SQL Server credential used by the Database Engine to reflect the new vault name (if needed).
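The backup, restore and re-grant steps above as an added PowerShell example, not from the original article. It uses the Az.KeyVault module cmdlets Backup-AzKeyVaultKey, Restore-AzKeyVaultKey, Get-AzKeyVaultKey and Set-AzKeyVaultAccessPolicy (the Az successors of the Backup-/Restore-AzureKeyVaultKey cmdlets named in the steps). The function names and the vault, key and backup-folder values in the usage lines are placeholders; the script assumes you are already signed in with Connect-AzAccount and that the vault uses the access-policy permission model.

```powershell
# Added example: back up a Key Vault key and, if the vault is lost, restore it into a
# replacement vault and re-grant the SQL Server service principal. Az.KeyVault module required.

function Backup-SqlTdeVaultKey {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $KeyName,
        [Parameter(Mandatory)] [string] $BackupFolder
    )
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $BackupFolder "$VaultName-$KeyName-$stamp.keybackup"
    # The backup blob is protected by Key Vault and can only be restored into a vault
    # in the same Azure geography or national cloud (see the paragraph that follows).
    Backup-AzKeyVaultKey -VaultName $VaultName -Name $KeyName -OutputFile $file | Out-Null
    return $file
}

function Restore-SqlTdeVaultKey {
    param(
        [Parameter(Mandatory)] [string] $NewVaultName,
        [Parameter(Mandatory)] [string] $KeyName,              # name the backup was taken under
        [Parameter(Mandatory)] [string] $BackupFile,
        [Parameter(Mandatory)] [string] $ServicePrincipalAppId # client ID used in the SQL credential
    )
    # Restore always recreates the key under its original name and fails if that name
    # is already taken, so check before attempting it.
    if (Get-AzKeyVaultKey -VaultName $NewVaultName -Name $KeyName -ErrorAction SilentlyContinue) {
        throw "Key '$KeyName' already exists in vault '$NewVaultName'; restore would fail."
    }
    $restored = Restore-AzKeyVaultKey -VaultName $NewVaultName -InputFile $BackupFile

    # Grant only the key permissions the connector needs (the minimum named by error 3077
    # in section C: get, list, wrapKey, unwrapKey). Applies to the access-policy model;
    # RBAC-enabled vaults use a role assignment instead.
    Set-AzKeyVaultAccessPolicy -VaultName $NewVaultName -ServicePrincipalName $ServicePrincipalAppId `
        -PermissionsToKeys get,list,wrapKey,unwrapKey

    # Returns the new key URI; if the vault name changed, update the SQL credential's IDENTITY.
    return $restored.Id
}

# Usage (placeholder values):
# $file = Backup-SqlTdeVaultKey -VaultName 'ContosoKeyVault' -KeyName 'ContosoFirstKey' -BackupFolder 'D:\KeyBackups'
# Restore-SqlTdeVaultKey -NewVaultName 'ContosoKeyVault2' -KeyName 'ContosoFirstKey' -BackupFile $file `
#     -ServicePrincipalAppId '00000000-0000-0000-0000-000000000000'
```

Keep the backup file under the same access controls as any other key material: it can only be restored into a vault in your own subscription's geography, but it still represents the key that protects your databases.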
Key backups can be restored across Azure regions as long as they stay within the same geography or national cloud: United States, Canada, Japan, Australia, India, Asia Pacific, Europe, Brazil, China, US Government, or Germany.
B. Frequently asked questions
On Azure Key Vault
How do key operations work with Azure Key Vault?
The asymmetric key in the key vault is used to protect the SQL Server encryption keys. Only the public part of the asymmetric key leaves the vault; the vault never exports the private part. All cryptographic operations using the asymmetric key are performed within the Azure Key Vault service and are protected by the service's security.
What is a key URI?
Every key in Azure Key Vault has a Uniform Resource Identifier (URI) that you can use to refer to the key in your applications. Use the format https://ContosoKeyVault.vault.azure.net/keys/ContosoFirstKey to get the current version, and https://ContosoKeyVault.vault.azure.net/keys/ContosoFirstKey/cgacf4f763ar42ffb0a1gca546aygd87 to get a specific version.
Configuring SQL Server
Which endpoints does the SQL Server Connector need access to?
The connector communicates with two endpoints that must be allowed. The only port required for outbound communication to these services is 443 for HTTPS:
login.microsoftonline.com/*:443
*.vault.azure.net/*:443
In addition, certificate revocation list checks may generate HTTP traffic on port 80.
Note
When using the SQL Server Connector for Microsoft Azure Key Vault behind a firewall or proxy server, performance may be affected if traffic is delayed or blocked. Familiarize yourself with Access Azure Key Vault behind a firewall to ensure the correct rules are in place.
How do I connect to Azure Key Vault through an HTTP(S) proxy server?
The connector uses the Internet Explorer proxy configuration settings. These settings can be controlled through Group Policy or the registry, but note that they are not system-wide: they must target the service account under which the SQL Server instance runs. If a database administrator views or edits these settings in Internet Explorer, only that administrator's account is affected, not the SQL Server engine. Logging on to the server interactively with the service account is not recommended, and many secure environments forbid it. Changes to the configured proxy settings require a restart of the SQL Server instance to take effect, because the settings are cached when the connector first attempts to connect to the key vault.
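A connectivity check for the two endpoints above, as an added PowerShell example that is not part of the original article. It tests TCP reachability of login.microsoftonline.com and the vault's own host on port 443 with Test-NetConnection, and reads the Internet Explorer proxy values from the current user's registry hive so they can be compared with what Group Policy applies to the SQL Server service account; as the answer above explains, the values shown are the current user's, not what the engine uses. The function name and the vault name in the usage line are placeholders.

```powershell
# Added example: reachability of the connector's endpoints plus the CURRENT user's IE proxy
# settings. Function name and sample vault name are placeholders.

function Test-AkvConnectorEndpoints {
    param([Parameter(Mandatory)] [string] $VaultName)

    # Both endpoints are reached over HTTPS only; CRL checks may additionally use port 80.
    $targets = @('login.microsoftonline.com', "$VaultName.vault.azure.net")
    $endpoints = foreach ($target in $targets) {
        $tcp = Test-NetConnection -ComputerName $target -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Endpoint  = "$target`:443"
            Reachable = $tcp.TcpTestSucceeded
            RemoteIp  = $tcp.RemoteAddress
        }
    }

    # The connector honours the IE proxy settings of the SQL Server SERVICE account.
    # These are the current user's values, read so a mismatch with the service
    # account's Group Policy can be spotted; they are not what the engine uses.
    $ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' `
                           -ErrorAction SilentlyContinue
    $proxy = [pscustomobject]@{
        Account     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        ProxyEnable = $ie.ProxyEnable
        ProxyServer = $ie.ProxyServer
    }

    return [pscustomobject]@{ Endpoints = $endpoints; CurrentUserProxy = $proxy }
}

# Usage (placeholder vault name):
# $r = Test-AkvConnectorEndpoints -VaultName 'ContosoKeyVault'
# $r.Endpoints | Format-Table; $r.CurrentUserProxy | Format-List
```

A failed TCP test here points at the firewall or proxy rules; a successful one does not prove the service account can connect, because its proxy settings are separate from the ones this script reads.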
Which Azure Key Vault key sizes does the SQL Server Connector support?
The latest builds of the SQL Server Connector support Azure Key Vault keys of size 2048 and 3072.
Note
The sys.asymmetric_keys system view reports a key size of 2048 even when a 3072-bit key is used.
What is the minimum permission level required for each setup step in SQL Server?
Although you can perform all setup steps as a member of the sysadmin fixed server role, Microsoft encourages you to minimize the permissions you use. The following list defines the minimum permission level for each action.
- To create a cryptographic provider, you need CONTROL SERVER permission or membership in the sysadmin fixed server role.
- To change configuration options and run the RECONFIGURE statement, you must be granted the ALTER SETTINGS server-level permission. ALTER SETTINGS is implicitly held by the sysadmin and serveradmin fixed server roles.
- To create a credential, you need ALTER ANY CREDENTIAL permission.
- To add a credential to a login, you need ALTER ANY LOGIN permission.
- To create an asymmetric key, you need CREATE ASYMMETRIC KEY permission.
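A way to verify, before starting, which of the permissions listed above a login effectively holds, as an added PowerShell example that is not part of the original article. It runs sys.fn_my_permissions over a SqlServer-module Invoke-Sqlcmd connection, which reports effective permissions including those implied by fixed server roles, and compares the result against the list above. The function name and the instance name in the usage line are placeholders; run it while connected as the login you intend to use for setup.

```powershell
# Added example: report which of the minimum permissions for the EKM setup steps the
# connected login effectively holds. Function name and sample instance are placeholders.
# Requires the SqlServer module (Invoke-Sqlcmd).

function Get-EkmSetupPermissionReport {
    param(
        [Parameter(Mandatory)] [string] $ServerInstance,
        [string] $Database = 'master'   # CREATE ASYMMETRIC KEY is database-scoped; TDE keys live in master
    )
    # sys.fn_my_permissions returns the caller's effective permissions on the given scope,
    # so ALTER SETTINGS implied by serveradmin/sysadmin membership is reported as held.
    $query = @"
SELECT 'SERVER' AS scope, permission_name FROM sys.fn_my_permissions(NULL, 'SERVER')
UNION ALL
SELECT 'DATABASE', permission_name FROM sys.fn_my_permissions(NULL, 'DATABASE');
"@
    $held = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $query |
            ForEach-Object { "$($_.scope):$($_.permission_name)" }

    # Minimum permission per setup step, as listed in the answer above.
    $required = [ordered]@{
        'Create cryptographic provider' = 'SERVER:CONTROL SERVER'
        'Change options / RECONFIGURE'  = 'SERVER:ALTER SETTINGS'
        'Create credential'             = 'SERVER:ALTER ANY CREDENTIAL'
        'Add credential to login'       = 'SERVER:ALTER ANY LOGIN'
        'Create asymmetric key'         = 'DATABASE:CREATE ASYMMETRIC KEY'
    }
    foreach ($step in $required.Keys) {
        [pscustomobject]@{
            Step       = $step
            Permission = $required[$step]
            Held       = ($held -contains $required[$step])
        }
    }
}

# Usage (placeholder instance name):
# Get-EkmSetupPermissionReport -ServerInstance 'SQL01' | Format-Table -AutoSize
```

A login holding CONTROL SERVER will show every server-scoped row as held, since CONTROL SERVER implies the others; the report is most useful for a deliberately reduced setup account.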
How do I change the default Microsoft Entra directory in which I create the key vault, within the same subscription, so that it is the directory in which I created the service principal for the SQL Server Connector?
- Go to the Azure portal.
- In the upper-right corner of the page, select the settings icon or your user profile.
- On the Directories + subscriptions page, select All directories to see all the Microsoft Entra directories you belong to.
- If you have multiple directories, you can change your startup directory or switch to a different directory.
Note
You may not have permission to actually change the default directory on the Azure subscription. In that case, create the Microsoft Entra service principal in your default directory so that it is in the same directory as the Azure Key Vault you will use later.
To learn more about Microsoft Entra ID, see How Azure subscriptions are associated with Microsoft Entra ID.
C. Explanation of SQL Server Connector error codes
Provider error codes:
Error code | Symbol | Description |
---|---|---|
0 | scp_err_Success | The operation has succeeded. |
1 | scp_err_Failure | The operation has failed. |
2 | scp_err_InsufficientBuffer | This error tells the engine to allocate more memory for the buffer. |
3 | scp_err_NotSupported | The operation is not supported. For example, the key type or algorithm specified isn't supported by the EKM provider. |
4 | scp_err_NotFound | The specified key or algorithm couldn't be found by the EKM provider. |
5 | scp_err_AuthFailure | Authentication with the EKM provider has failed. |
6 | scp_err_InvalidArgument | The provided argument is invalid. |
7 | scp_err_ProviderError | An unspecified error occurred in the EKM provider and was caught by the SQL engine. |
401 | acquireToken | Server responded 401 for the request. Make sure the client ID and secret are correct, and the credential string is a concatenation of the AAD client ID and secret without hyphens. |
404 | getKeyByName | The server responded 404 because the key name was not found. Make sure the key name exists in your vault. |
2049 | scp_err_KeyNameDoesNotFitThumbprint | The key name is too long to fit into the SQL engine's thumbprint. The key name must not exceed 26 characters. |
2050 | scp_err_PasswordTooShort | The secret string, which is the concatenation of the AAD client ID and secret, is shorter than 32 characters. |
2051 | scp_err_OutOfMemory | The SQL engine has run out of memory and failed to allocate memory for the EKM provider. |
2052 | scp_err_ConvertKeyNameToThumbprint | Failed to convert key name to thumbprint. |
2053 | scp_err_ConvertThumbprintToKeyName | Failed to convert thumbprint to key name. |
2057 | scp_err_ThumbprintExistedInRegistry | The key thumbprint already exists in the Windows registry, mapped to a different key URI. |
2058 | scp_err_FailureInRegistry | Failed to perform the operation in the registry. The SQL Server service account does not have permission to create the registry key. |
3000 | ErrorSuccess | The AKV operation has succeeded. |
3001 | ErrorUnknown | The AKV operation has failed with an unspecified error. |
3002 | ErrorHttpCreateHttpClientOutOfMemory | Cannot create an HttpClient for the AKV operation due to out of memory. |
3003 | ErrorHttpOpenSession | Cannot open an HTTP session because of a network error. |
3004 | ErrorHttpConnectSession | Cannot connect an HTTP session because of a network error. |
3005 | ErrorHttpAttemptConnect | Cannot attempt a connect because of a network error. |
3006 | ErrorHttpOpenRequest | Cannot open a request due to a network error. |
3007 | ErrorHttpAddRequestHeader | Cannot add request header. |
3008 | ErrorHttpSendRequest | Cannot send a request due to a network error. |
3009 | ErrorHttpGetResponseCode | Cannot get a response code due to a network error. |
3010 | ErrorHttpResponseCodeUnauthorized | Server responded 401 for the request. |
3011 | ErrorHttpResponseCodeThrottled | Server has throttled the request. |
3012 | ErrorHttpResponseCodeClientError | The request sent from the connector is invalid. This usually means the key name is invalid or contains invalid characters. |
3013 | ErrorHttpResponseCodeServerError | Server responded with a response code between 500 and 600. |
3014 | ErrorHttpQueryHeader | Cannot query for response header. |
3015 | ErrorHttpQueryHeaderOutOfMemoryCopyHeader | Cannot copy the response header due to out of memory. |
3016 | ErrorHttpQueryHeaderOutOfMemoryReallocBuffer | Cannot query the response header due to out of memory when reallocating a buffer. |
3017 | ErrorHttpQueryHeaderNotFound | Cannot find the query header in the response. |
3018 | ErrorHttpQueryHeaderUpdateBufferLength | Cannot update the buffer length when querying the response header. |
3019 | ErrorHttpReadData | Cannot read response data due to a network error. |
3076 | ErrorHttpResourceNotFound | The server responded 404 because the key name was not found. Make sure the key name exists in your vault. |
3077 | ErrorHttpOperationForbidden | The server responded 403 because the user doesn't have proper permission to perform the action. Make sure you have the permission for the specified operation. At minimum, the connector requires 'get, list, wrapKey, unwrapKey' permissions to function properly. |
3100 | ErrorHttpCreateHttpClientOutOfMemory | Cannot create an HttpClient for the AKV operation due to out of memory. |
3101 | ErrorHttpOpenSession | Cannot open an HTTP session due to a network error. |
3102 | ErrorHttpConnectSession | Cannot connect an HTTP session due to a network error. |
3103 | ErrorHttpAttemptConnect | Cannot attempt a connect due to a network error. |
3104 | ErrorHttpOpenRequest | Cannot open a request due to a network error. |
3105 | ErrorHttpAddRequestHeader | Cannot add request header. |
3106 | ErrorHttpSendRequest | Cannot send a request due to a network error. |
3107 | ErrorHttpGetResponseCode | Cannot get a response code due to a network error. |
3108 | ErrorHttpResponseCodeUnauthorized | Server responded 401 for the request. Make sure the client ID and secret are correct, and the credential string is a concatenation of the AAD client ID and secret without hyphens. |
3109 | ErrorHttpResponseCodeThrottled | Server has throttled the request. |
3110 | ErrorHttpResponseCodeClientError | The request is invalid. This usually means the key name is invalid or contains invalid characters. |
3111 | ErrorHttpResponseCodeServerError | Server responded with a response code between 500 and 600. |
3112 | ErrorHttpResourceNotFound | The server responded 404 because the key name was not found. Make sure the key name exists in your vault. |
3113 | ErrorHttpOperationForbidden | The server responded 403 because the user does not have proper permission to perform the action. Make sure you have the permission for the specified operation. At minimum, 'get, wrapKey, unwrapKey' permissions are required. |
3114 | ErrorHttpQueryHeader | Cannot query for response header. |
3115 | ErrorHttpQueryHeaderOutOfMemoryCopyHeader | Cannot copy the response header due to out of memory. |
3116 | ErrorHttpQueryHeaderOutOfMemoryReallocBuffer | Cannot query the response header due to out of memory when reallocating a buffer. |
3117 | ErrorHttpQueryHeaderNotFound | Cannot find the query header in the response. |
3118 | ErrorHttpQueryHeaderUpdateBufferLength | Cannot update the buffer length when querying the response header. |
3119 | ErrorHttpReadData | Cannot read response data due to a network error. |
3120 | ErrorHttpGetResponseOutOfMemoryCreateTempBuffer | Cannot get response body due to out of memory when creating a temp buffer. |
3121 | ErrorHttpGetResponseOutOfMemoryGetResultString | Cannot get response body due to out of memory when getting the result string. |
3122 | ErrorHttpGetResponseOutOfMemoryAppendResponse | Cannot get response body due to out of memory when appending the response. |
3200 | ErrorGetAADValuesOutOfMemoryConcatPath | Cannot get Azure Active Directory challenge header values due to out of memory when concatenating the path. |
3201 | ErrorGetAADDomainUrlStartPosition | Cannot find the starting position of the Azure Active Directory domain URL in the malformed response challenge header. |
3202 | ErrorGetAADDomainUrlStopPosition | Cannot find the ending position of the Azure Active Directory domain URL in the malformed response challenge header. |
3203 | ErrorGetAADDomainUrlMalformatted | The Azure Active Directory response challenge header is malformed and doesn't contain the AAD domain URL. |
3204 | ErrorGetAADDomainUrlOutOfMemoryAlloc | Out of memory when allocating a buffer for the Azure Active Directory domain URL. |
3205 | ErrorGetAADTenantIdOutOfMemoryAlloc | Out of memory when allocating a buffer for the Azure Active Directory tenant ID. |
3206 | ErrorGetAKVResourceUrlStartPosition | Cannot find the starting position of the Azure Key Vault resource URL in the malformed response challenge header. |
3207 | ErrorGetAKVResourceUrlStopPosition | Cannot find the ending position of the Azure Key Vault resource URL in the malformed response challenge header. |
3208 | ErrorGetAKVResourceUrlOutOfMemoryAlloc | Out of memory when allocating a buffer for the Azure Key Vault resource URL. |
3300 | ErrorGetTokenOutOfMemoryConcatPath | Cannot get token due to out of memory when concatenating the request path. |
3301 | ErrorGetTokenOutOfMemoryConcatBody | Cannot get token due to out of memory when concatenating the response body. |
3302 | ErrorGetTokenOutOfMemoryConvertResponseString | Cannot get token due to out of memory when converting the response string. |
3303 | ErrorGetTokenBadCredentials | Cannot get token due to incorrect credentials. Make sure the credential string or certificate is valid. |
3304 | ErrorGetTokenFailedToGetToken | Although the credentials are correct, the operation still failed to get a valid token. |
3305 | ErrorGetTokenRejected | The token is valid but was rejected by the server. |
3306 | ErrorGetTokenNotFound | Cannot find the token in the response. |
3307 | ErrorGetTokenJsonParser | Cannot parse the server's JSON response. |
3308 | ErrorGetTokenExtractToken | Cannot extract the token from the JSON response. |
3400 | ErrorGetKeyByNameOutOfMemoryConvertResponseString | Cannot get the key by name due to out of memory when converting the response string. |
3401 | ErrorGetKeyByNameOutOfMemoryConcatPath | Cannot get the key by name due to out of memory when concatenating the path. |
3402 | ErrorGetKeyByNameOutOfMemoryConcatHeader | Cannot get the key by name due to out of memory when concatenating the header. |
3403 | ErrorGetKeyByNameNoResponse | Cannot get the key by name because there was no response from the server. |
3404 | ErrorGetKeyByNameJsonParser | Cannot get the key by name because the JSON response could not be parsed. |
3405 | ErrorGetKeyByNameExtractKeyNode | Cannot get the key by name because the key node could not be extracted from the response. |
3406 | ErrorGetKeyByNameExtractKeyId | Cannot get the key by name because the key ID could not be extracted from the response. |
3407 | ErrorGetKeyByNameExtractKeyType | Cannot get the key by name because the key type could not be extracted from the response. |
3408 | ErrorGetKeyByNameExtractKeyN | Cannot get the key by name because the key N could not be extracted from the response. |
3409 | ErrorGetKeyByNameBase64DecodeN | Cannot get the key by name because the N could not be Base64 decoded. |
3410 | ErrorGetKeyByNameExtractKeyE | Cannot get the key by name because the key E could not be extracted from the response. |
3411 | ErrorGetKeyByNameBase64DecodeE | Cannot get the key by name because the E could not be Base64 decoded. |
3412 | ErrorGetKeyByNameExtractKeyUri | Cannot extract the key URI from the response. |
3500 | ErrorBackupKeyOutOfMemoryConvertResponseString | Cannot back up key due to out of memory when converting the response string. |
3501 | ErrorBackupKeyOutOfMemoryConcatPath | Cannot back up key due to out of memory when concatenating the path. |
3502 | ErrorBackupKeyOutOfMemoryConcatHeader | Cannot back up key due to out of memory when concatenating the request header. |
3503 | ErrorBackupKeyNoResponse | Cannot back up key because there was no response from the server. |
3504 | ErrorBackupKeyJsonParser | Cannot back up key because the JSON response could not be parsed. |
3505 | ErrorBackupKeyExtractValue | Cannot back up key because the value could not be extracted from the JSON response. |
3506 | ErrorBackupKeyBase64DecodeValue | Cannot back up key because the value field could not be Base64 decoded. |
3600 | ErrorWrapKeyOutOfMemoryConvertResponseString | Cannot wrap key due to out of memory when converting the response string. |
3601 | ErrorWrapKeyOutOfMemoryConcatPath | Cannot wrap key due to out of memory when concatenating the path. |
3602 | ErrorWrapKeyOutOfMemoryConcatHeader | Cannot wrap key due to out of memory when concatenating the header. |
3603 | ErrorWrapKeyOutOfMemoryConcatBody | Cannot wrap key due to out of memory when concatenating the body. |
3604 | ErrorWrapKeyOutOfMemoryConvertEncodedBody | Cannot wrap key due to out of memory when converting the encoded body. |
3605 | ErrorWrapKeyBase64EncodeKey | Cannot wrap key because the key could not be Base64 encoded. |
3606 | ErrorWrapKeyBase64DecodeValue | Cannot wrap key because the response value could not be Base64 decoded. |
3607 | ErrorWrapKeyJsonParser | Cannot wrap key because the JSON response could not be parsed. |
3608 | ErrorWrapKeyExtractValue | Cannot wrap key because the value could not be extracted from the response. |
3609 | ErrorWrapKeyNoResponse | Cannot wrap key because there was no response from the server. |
3700 | ErrorUnwrapKeyOutOfMemoryConvertResponseString | Cannot unwrap key due to out of memory when converting the response string. |
3701 | ErrorUnwrapKeyOutOfMemoryConcatPath | Cannot unwrap key due to out of memory when concatenating the path. |
3702 | ErrorUnwrapKeyOutOfMemoryConcatHeader | Cannot unwrap key due to out of memory when concatenating the header. |
3703 | ErrorUnwrapKeyOutOfMemoryConcatBody | Cannot unwrap key due to out of memory when concatenating the body. |
3704 | ErrorUnwrapKeyOutOfMemoryConvertEncodedBody | Cannot unwrap key due to out of memory when converting the encoded body. |
3705 | ErrorUnwrapKeyBase64EncodeKey | Cannot unwrap key because the key could not be Base64 encoded. |
3706 | ErrorUnwrapKeyBase64DecodeValue | Cannot unwrap key because the response value could not be Base64 decoded. |
3707 | ErrorUnwrapKeyJsonParser | Cannot unwrap key because the value could not be extracted from the response. |
3708 | ErrorUnwrapKeyExtractValue | Cannot unwrap key because the value could not be extracted from the response. |
3709 | ErrorUnwrapKeyNoResponse | Cannot unwrap key because there was no response from the server. |
3800 | ErrorSecretAuthParamsGetRequestBody | Error creating request body using AAD client ID and secret. |
3801 | ErrorJWTTokenCreateHeader | Error creating JWT token header for authentication with AAD. |
3802 | ErrorJWTTokenCreatePayloadGUID | Error creating GUID for JWT token payload for authentication with AAD. |
3803 | ErrorJWTTokenCreatePayload | Error creating JWT token payload for authentication with AAD. |
3804 | ErrorJWTTokenCreateSignature | Error creating JWT token signature for authentication with AAD. |
3805 | ErrorJWTTokenSignatureHashAlg | Error getting SHA256 hash algorithm for authentication with AAD. |
3806 | ErrorJWTTokenSignatureHash | Error creating SHA256 hash for JWT token authentication with AAD. |
3807 | ErrorJWTTokenSignatureSignHash | Error signing JWT token hash for authentication with AAD. |
3808 | ErrorJWTTokenCreateToken | Error creating JWT token for authentication with AAD. |
3809 | ErrorPfxCertAuthParamsImportPfx | Error importing PFX certificate for authentication with AAD. |
3810 | ErrorPfxCertAuthParamsGetThumbprint | Error getting thumbprint from PFX certificate for authentication with AAD. |
3811 | ErrorPfxCertAuthParamsGetPrivateKey | Error getting private key from PFX certificate for authentication with AAD. |
3812 | ErrorPfxCertAuthParamsSignAlg | Error getting RSA signing algorithm for PFX certificate authentication with AAD. |
3813 | ErrorPfxCertAuthParamsImportForSign | Error importing PFX private key for RSA signing for authentication with AAD. |
3814 | ErrorPfxCertAuthParamsCreateRequestBody | Error creating request body from PFX certificate for authentication with AAD. |
3815 | ErrorPEMCertAuthParamsGetThumbprint | Error Base64 decoding thumbprint for authentication with AAD. |
3816 | ErrorPEMCertAuthParamsGetPrivateKey | Error getting RSA private key from PEM for authentication with AAD. |
3817 | ErrorPEMCertAuthParamsSignAlg | Error getting RSA signing algorithm for PEM private key authentication with AAD. |
3818 | ErrorPEMCertAuthParamsImportForSign | Error importing PEM private key for RSA signing for authentication with AAD. |
3819 | ErrorPEMCertAuthParamsCreateRequestBody | Error creating request body from PEM private key for authentication with AAD. |
3820 | ErrorLegacyPrivateKeyAuthParamsSignAlg | Error getting RSA signing algorithm for legacy private key authentication with AAD. |
3821 | ErrorLegacyPrivateKeyAuthParamsImportForSign | Error importing legacy private key for RSA signing for authentication with AAD. |
3822 | ErrorLegacyPrivateKeyAuthParamsCreateRequestBody | Error creating request body from legacy private key for authentication with AAD. |
3900 | ErrorAKVDoesNotExist | Error: internet name not resolved. This typically indicates the Azure Key Vault has been deleted. |
4000 | ErrorCreateKeyVaultRetryManagerOutOfMemory | Cannot create a RetryManager for the AKV operation due to out of memory. |
If you don't see your error code in this table, here are some other reasons the error may occur:
- You may not have internet access and cannot reach your Azure Key Vault. Check your internet connection.
- The Azure Key Vault service may be down. Check azure.status.microsoft and try again later.
- You may have deleted the asymmetric key from Azure Key Vault or from SQL Server. Restore the key.
If you receive a "Cannot load library" error, make sure you have installed the correct version of the Visual Studio C++ Redistributable for the version of SQL Server you are running. The following table specifies which version to install from the Microsoft Download Center.
Errors associated with the SQL Server Connector are also recorded in the Windows event log, which can provide additional context on why the error actually occurred. The source in the Windows Application event log is "SQL Server Connector for Microsoft Azure Key Vault".
C++ runtime libraries for SQL Server Connector 1.0.5.0
SQL Server version | Redistributable installation link when using SQL Server Connector 1.0.5.0 |
---|---|
2008, 2008 R2, 2012, 2014 | Visual C++ Redistributable Packages for Visual Studio 2013 |
2016, 2017, 2019 | Visual C++ Redistributable for Visual Studio 2015 |
C++ runtime libraries for SQL Server Connector 1.0.4.0
SQL Server version | Redistributable installation link when using SQL Server Connector 1.0.4.0 |
---|---|
2008, 2008 R2, 2012, 2014, 2016, 2017, 2019 | Visual C++ Redistributable Packages for Visual Studio 2013 |
Additional references
Learn more about Extensible Key Management
SQL encryption features that support EKM:
Related Transact-SQL commands:
Azure Key Vault documentation:
PowerShell Azure Key Vault cmdlet reference
Related content
- Extensible Key Management Using Azure Key Vault (SQL Server)
- Use the SQL Server Connector with SQL encryption features
- EKM provider enabled (server configuration option)
- Set up SQL Server TDE Extensible Key Management using Azure Key Vault
- For additional sample scripts, see the blog post SQL Server Transparent Data Encryption and Extensible Key Management with Azure Key Vault