Symptoms
Consider the following scenario:
- You have Microsoft .NET Framework applications that use Always Encrypted in SQL Server 2016 or Azure SQL Database.
- The column master keys for these applications are stored in the Azure Key Vault.
In this scenario, the applications experience deadlocks. Therefore, the applications become unresponsive (hang) or time out.
The deadlocks may occur during attempts to acquire or refresh an authentication token for the Azure Key Vault.
Cause
When an application queries encrypted columns in the database, the .NET Framework Data Provider for SQL Server calls the Azure Key Vault Provider for Always Encrypted. This, in turn, calls an application-based asynchronous task that acquires or refreshes a token for Azure Key Vault. This code path in Azure Key Vault Provider for Always Encrypted NuGet package versions 2.0.x and 1.x.x is prone to deadlocks because it calls some asynchronous methods in an incorrect manner.
Resolution
The issue was first fixed in Azure Key Vault Provider for Always Encrypted version 2.1.0. If you use Always Encrypted and Azure Key Vault Provider, we strongly recommend that you rebuild and redeploy your application so that it uses Azure Key Vault Provider for Always Encrypted version 2.1.0 or later.
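To find which projects still reference an affected provider version before rebuilding, the following added example (not part of the original article or of the provider) audits a packages.config or project file against the 2.1.0 threshold given above. The NuGet package ID and the sample file contents are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: the provider's NuGet package ID (the article does not state it).
PACKAGE_ID = "microsoft.sqlserver.management.alwaysencrypted.azurekeyvaultprovider"
FIXED = (2, 1, 0)  # first fixed version, per the Resolution section

# Constructed sample inputs, not taken from any real project.
SAMPLE_PACKAGES_CONFIG = """<packages>
  <package id="Microsoft.SqlServer.Management.AlwaysEncrypted.AzureKeyVaultProvider" version="2.0.1" targetFramework="net461" />
  <package id="Newtonsoft.Json" version="9.0.1" targetFramework="net461" />
</packages>"""
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Microsoft.SqlServer.Management.AlwaysEncrypted.AzureKeyVaultProvider" Version="2.1.0" />
  </ItemGroup>
</Project>"""


def local(tag):
    """Strip an MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def provider_versions(xml_text):
    """Return the provider version strings found in packages.config or project XML."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "package" and el.get("id", "").lower() == PACKAGE_ID:
            found.append(el.get("version"))
        elif local(el.tag) == "PackageReference" and el.get("Include", "").lower() == PACKAGE_ID:
            child = next((c.text for c in el if local(c.tag) == "Version"), None)
            found.append(el.get("Version") or child)
    return found


def status(version):
    """Classify one version string as 'affected', 'fixed' or 'unknown'."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)?(-.+)?", (version or "").strip())
    if not m:
        return "unknown"  # missing, floating or range version: review by hand
    nums = tuple(int(p or 0) for p in m.groups()[:3])
    # A prerelease of 2.1.0 sorts before the 2.1.0 release, so treat it as affected.
    return "affected" if nums < FIXED or (nums == FIXED and m.group(4)) else "fixed"


def audit(xml_text):
    """Return [(version, status)] for every provider reference in the file."""
    return [(v, status(v)) for v in provider_versions(xml_text)]
```

Run `audit()` over the text of each packages.config and project file in the solution; any "affected" or "unknown" result marks an application to rebuild against version 2.1.0 or later.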