Early technical preview of JDBC Driver 9.3.0 for SQL Server released

This article is contributed. See the original author and article here.

We have released a new early technical preview of the JDBC Driver for SQL Server which contains a few additions and changes.


Precompiled binaries are available on GitHub and also on Maven Central.

Below is a summary of the new additions and changes.


  • Added Open Connection Retry feature #1535

  • Added server recognition for Azure Synapse serverless SQL pool, and Azure SQL Edge #1543


  • Fixed potential integer overflow in TDSWriter.writeString() #1531

Getting the latest release

The latest bits are available on our GitHub repository, and Maven Central.

Add the JDBC preview driver to your Maven project by adding the following code to your POM file to include it as a dependency in your project (choose .jre8, .jre11, or .jre15 for your required Java version).






Help us improve the JDBC Driver by taking our survey, filing issues on GitHub or contributing to the project.

Please also check out our tutorials to get started with developing apps in your programming language of choice and SQL Server.

David Engel

DKE Troubleshooting

DKE Troubleshooting

This article is contributed. See the original author and article here.

The following blog post helps you troubleshoot the reference implementation for DKE. Some of this information may apply to DKE partner implementations as well, but it covers primarily the reference implementation hosted in Azure or on IIS. At any rate, this guide does not replace the official documentation

This blog post consists of three parts:

Part A: Checklist

Part B: Useful tools for troubleshooting DKE

Part C: Step by step troubleshooting guide


Part A: Checklist

After installing / configuring DKE using the official documentation, going through this checklist will help you in identifying and correcting errors in your setup.

The troubleshooting guide below refers to some of the steps in this checklist, using the codes prepended to the titles of the sections (e.g. «CL1»).


CL1: Office version

DKE is supported on Microsoft 365 Apps for enterprise version 2009 or later. Here’s how you check the version:



CL2: DKE URL in root

The DKE service URL needs to be based on the root level, i.e. not a sub directory:


CL3: No trailing slash in DKE URL

The DKE URL must not contain a trailing slash:


CL4: Outbound connectivity to Azure AD

In order to perform Azure AD authentication, the DKE service needs to have transparent outbound connectivity as described in box 56 of our documentation:


By adapting the source code of the DKE reference implementation, you may also use a forward proxy. The necessary changes have been implemented in an open pull request. Please observe that an anonymous proxy is required for this, i.e. a proxy that allows access to the necessary URLs without authentication.


CL5: Permissions in the sensitivity label used for DKE

The sensitivity label used for DKE protection needs to provide sufficient permissions for all intended recipients of the documents. During the test phase, it’s suggested to grant permission to the whole tenant:



After DKE has been tested successfully, it’s good practice to remove permissions on the sensitivity label for users and groups that are not allowed to access the DKE service.


CL6: Web application configuration

In the «Authentication» section of the DKE web application registration, verify that the redirect URI does not contain a trailing slash (see also CL3):



In the section “API permissions”, make sure the whole tenant has been granted consent to “User.Read”:



Check that these points have been addressed in the section “Expose an API”:

  • The “Application ID URI” is configured as the DKE URL.

  • Client Ids are registered both for Office (d3590ed6-52b3-4102-aeff-aad2292ab01c) and the AIP (Azure Information Protection) client (c00e9d32-3c8d-4a7d-832b-029040e7db99).



CL7: Recipients are allowed to use the DKE service

The DKE service authorizes users either via a list of email addresses or via membership in a local AD group. Either way, you have to ensure all test users are allowed to access the DKE service.
If you use email-based authorization, make sure email addresses of all users are included in the list of email addresses in the configuration file. Please observe that each individual user email address needs to be in quotes, e.g. [“jane.doe@contoso.com”,”albert.smith@contoso.com”].


CL8: Client connectivity to DKE and Azure AD

For acquiring the public key and for decrypting existing keys, clients needs to be able to reach the DKE service. To allow authentication, clients also require access to Azure AD.
Both transparent connectivity and forward proxies (with or without authentication) are supported.


CL9: DKE-related registry values are set on each client

Ensure the following registry values are defined on each client, please observe that some of the registry keys may also need to be created:



CL10: Tenant is listed in the TrustedIssuers value

Check the following setting in the ‘TokenValidationParameters’ section of the DKE configuration file:
In ‘ValidIssuers’, your Azure AD tenant needs to be listed (e.g. «https://sts.windows.net/ 7d024093-e9a7-47e4-a205-bbbd4eed8e3a/»).


Part B: Useful tools for troubleshooting DKE

The following tools have proven to be useful in debugging DKE installations.
Codes prepended to the titles of the sections (e.g. «T4») are again referenced in the step by step troubleshooting guide.


T1: Fiddler trace

Fiddler allows you to see the communication between the client and the DKE service in detail. To get a trace, consider performing the following steps:

  1. Install and launch Fiddler, available on https://www.telerik.com/fiddler.

  2. Select «ToolsOptions», switch to tab «HTTPS», check option «Decrypt HTTPS» traffic, click OK and acknowledge prompts for installing a root certificate.

  3. Try to reproduce the issue you want to debug.

In a Fiddler trace, you may check the communication with the DKE service.


T2: Export AIP Logs

In the Word toolbar, select «Sensitivity». Choose option «Help and Feedback» and click on «Export Logs»:


The ZIP file contains the relevant logs, for instance the MSIPC logs which cover DKE activity of the client.


T3: Web Server Logs

The web server logs show two kinds of activities:

  1. Clients downloading the public key (when protecting content with DKE)

  2. DKE clients attempting to run decrypt operations (when opening DKE protected content)

Repeated attempts for decrypt operations where the server responds with 401 would indicate authentication issues.
If clients fail to protect content with DKE labels and there’s no activity in the web server logs, likely there’s a misconfiguration or a connectivity issue.


T4: Event logs

Check the event logs for any exception messages.
If you installed the DKE service on IIS, you’ll find the event log in «Windows Event Viewer», «Application log».
If you’re hosting the DKE service on an Azure web app, you’ll find the event log as follows:

  1. Go to your App Service

  2. Open left-hand menu, “Diagnose and solve problems”

  3. Select «Diagnostic Tools» (in the main pane)

  4. Open «Support Tools/Application Event Logs» on the left-hand menu of the new screen


Part C: Step by Step guide

In order to narrow down which piece is missing, we suggest to perform the troubleshooting in the following order:

  1. Check the web site with the validation script.

  2. Try to save a document protected with a DKE label.

  3. Have another user open a DKE protected document.

  4. Let a user re-label a DKE protected document by right-clicking the document and selecting «classify and protect».

Some resolution steps refer to checklist items and tools. The reference uses codes that are prepended to the titles of the checklist items (e.g. «CL1») and tools (e.g. «T4»).


Step 1: Check the web site with the validation script

We suggest to run the validation script:

[…]DoubleKeyEncryptionServicesrccustomer-key-storescripts> .key_store_tester.ps1 <DKE URL>/<Key>

If this is successful, please proceed with step 2.

However you may see the following output:

Validation request started: <DKE URL>/<Key>
Validation failure: Unable to access the provided url Not Found

Similarly, a 404 error is issued when you open the URL in a web browser.
This indicates one of the following issues:

Potential issue

Suggested resolution steps

The URL is not correct.

Double-check the URL

There’s an internal exception in the web site.

Check the event log on the DKE service (see tool T4)


Step 2: Try to save a document protected with a DKE label

(Ensure the DKE label has defined «Allow offline access:» as «Always».)
Saving the document successfully shows the client can reach the DKE service anonymously and the service provides a suitable RSA key. In this case, please proceed with step 3.
But you might encounter this behavior:
Despite having ample space on a disk (or on OneDrive), the following message is shown when saving a DKE protected document: «Word cannot save or create this file. Make sure the disk you want to save the file on it is not full, write-protected, or damaged.»
This indicates one of the following issues:

Potential issue

Suggested resolution steps

The client is not configured to use DKE.

Re-check the Office version (see checklist item CL1).

Verify the DKE registry keys have been imported on the client (see checklist item CL9).

The client cannot reach the DKE service

On the client, try opening the DKE-URL configured in the sensitivity label. If that fails, fix the network issue as needed.


Step 3: Have another user open a DKE protected document.

If user1 protects a document with DKE and user2 succeeds in opening this document, users can be authenticated to DKE. In this case you may proceed with step 4.
But a user trying to open a DKE document not protected by herself may see the following error message:
«You are not signed in to Office with an account that has permission to open this document. You may sign in a new account into Office that has permission or request permission from the content owner.»
This indicates one of the following issues:

Potential issue

Suggested resolution steps

The user hasn’t been granted permission in the sensitivity label.

During tests, try granting the whole tenant access in the sensitivity label permissions (see checklist item CL5).

The DKE service URL contains a sub-folder.

Verify that the DKE URL consists of the FQDN only (see checklist item CL2).

The web application isn’t configured correctly.

Check the settings in the web application (see checklist item CL6).

The DKE service is hosted on IIS, but it cannot reach Azure AD due to lacking outbound Internet connectivity.

Check for exception «System.InvalidOperationException: IDX20803: Unable to obtain configuration» in the event viewer (see tool T4).

If this exception occurs, make sure the DKE service has outbound connectivity.

The configuration file doesn’t grant permission for the tenant.

Ensure «TrustedIssuers» contains the tenant specific URL (see checklist item CL10).

DKE doesn’t authorize the user to access the service.

Check the authorization option (see checklist item CL7).


Step 4: Let a user re-label her own DKE protected document with right-click, «classify and protect».

(For this test, the user has protected the document herself in Office.)
If the user succeeds in re-labeling this protected document with right-click, the AIP client is also registered with the web application and an Office version supporting DKE is installed.
However, the user may see the following error message in the AIP client:
«An unknown error occurred. If this problem persists, contact your administrator or help desk.»
This indicates one of the following issues:

Potential issue

Suggested resolution steps

The client doesn’t have the correct Office version installed.

Re-check the Office version (see checklist item CL1).

The AIP client is not registered in the web application.

Check whether the client ID for the AIP client has also been registered in the web application (see checklist item CL6).


Meet the 2021 Imagine Cup Top 4 teams!

Meet the 2021 Imagine Cup Top 4 teams!

This article is contributed. See the original author and article here.

For the 19th annual Imagine Cup, thousands of student developers from around the world submitted impactful tech innovations. Teams were challenged to bring an idea to life that tackles a local or global issue in one of four competition categories: Earth, Education, Healthcare, and Lifestyle. Out of 40 World Finalists that pitched their projects at the World Finals, four teams were selected to advance.


These teams have reimagined solutions for issues in sustainable farming, remote learning and teaching, access to healthcare, accessibility, and that brings purpose and meaning to our lives. At the core of the solutions is innovative and original use of Azure technology, including IoT, Artificial Intelligence, App Services, Visual Studio Code, and so much more.  


Meet the Top 4 teams!


ProTag_New (1).jpg

Team ProTag, New Zealand 

Earth category

Project: ProTag


Project description: ProTag is a smart ear tag for livestock that can detect the early onset of illness in real time – lowering costs and increasing welfare. Embedded temperature, movement, and location sensors collect data that is analyzed onboard to identify animal behaviors such as chewing, walking, and sleeping. This semi-processed data is transmitted over LoRaWAN to a cloud database, to be combined with farm features and feed into AI models trained to detect illnesses. Keeping animals healthy doesn’t just improve welfare; it increases productivity, leading to a more sustainable way of farming. Team member Tyrel Glass shared that, “The recent explosion of AI and IoT presents a unique opportunity to rethink the way farming is approached. We can put a small, low-cost ear tag on livestock that provides farmers with the insights they need to manage or even prevent illnesses. It’s an exciting, fast-paced space tackling some of the big sustainability issues we face in feeding a growing global population.” 


After being selected for the top 4, ProTag shared, “It’s an awesome validation that our idea has some good merit, and we’re excited to take it further.” Looking forward to the World Championship in May, they say, “We’re excited for the mentorship and to take the idea we’ve got now and polish it over the next six weeks.”


Hands-On Labs (1).jpg

Team Hand-On Labs, United States

Education category

Project: Hands-On Labs


Project description: Hands-On Labs is a set of remote laboratories that allow students to observe and remotely control physical tools online in real-time for their courses. The team aims to provide an active learning experience to students from any background all around the world. The platform uses Azure App Services, Storage, and Visual Studio to allow unprecedented control over various aspects such as lighting levels, camera angles, audio controls, and various control modes. The team believe that remote learning should be accessible to all students, sharing, We need to bring active learning to students fingertips in order to raise leaders of tomorrows who can experiment, solve problems and are not afraid of making mistakes as they can observe and learn from them”. 


After finding out they were selected to advance, the team shared, “It’s an honor for us to be among all these amazing students. We both come from underprivileged communities and we want to make sure everyone has access to the education they deserve.” 


REWEBA (1).jpg

Team REWEBA, Kenya

Healthcare category

Project: REWEBA


Project description: REWEBA is an IoT-based early warning system for babies. It remotely monitors infant parameters during regular post-natal screening. The IoT device is used to measure infant parameters and sends measurements to doctors remotely, allowing for immediate interventions saving infants from fatal diseases and reducing infant mortality rates. It combines a variety of technologies to provide innovative functionalities for infant screening. The team are committed to solving problems faced by infants and parents in their community, sharing that “Sub-Saharan Africa remains the region with the highest under-5 mortality rate in the world. We can solve this problem using REWEBA, a remote infant monitoring system that can be used in marginalized areas thus giving everyone equal access to healthcare.” 


After being selected for the top 4, the team said, “We have no words, it means a lot.” Looking ahead to the World Championship, the team are “…very excited to work with mentors {moving forwards} and give it our best.”


Threeotech_New (1).jpg

Team Threeotech, Thailand

Lifestyle category

Project: JustSigns


Project description: JustSigns is a web application for content creators to create sign language captions to improve media accessibility for hard of hearing viewers. JustSigns accepts Youtube video URLs, retrieves video captions, and translates all the sentences into Thai sign language grammar. Then, the application will generate a 3D sign language animation which the user can view side by side with the original video. The team’s goal is to make media accessible for all, sharing that, “We believe that our solution could radically transform the way hearing-impaired people live, work and play by allowing them to learn new things and improve themselves, to enjoy movies that they’ve never really understood before, and to explore what interests them as they are now able to access all media in the world”.


When they made it into the top 4, the team shared, “It’s unbelievable, it means a lot to us to be here. We think Imagine Cup is a huge competition, and we want to show the world our solution.”



Taking on the challenges they have seen in their own lives, these incredible students have brought their passion, ingenuity, and perspective to a global stage. Their ideas push the envelope on what’s possible in order to improve our society and create a brighter and more inclusive future for all.


Join us in congratulating these teams’ incredible success so far, and follow their journey on Twitter and Instagram as they head to the World Championship to compete. The 2021 World Champion will take home USD75,000 and mentorship with Microsoft CEO, Satya Nadella.


Azure Sphere OS version 21.03 is now available

This article is contributed. See the original author and article here.

The 21.03 Azure Sphere OS quality update is now available in the Retail feedThis release includes bug fixes in the Azure Sphere OS; it does not include an updated SDK. If your devices are connected to the internet, they will receive the updated OS from the cloud.


21.03 includes updates to mitigate against the following Common Vulnerabilities and Exposures (CVEs).


For more information on Azure Sphere OS feeds and setting up an evaluation device group, see Azure Sphere OS feeds and Set up devices for OS evaluation.


For self-help technical inquiries, please visit Microsoft Q&A or Stack Overflow. If you require technical support and have a support plan, please submit a support ticket in Microsoft Azure Support or work with your Microsoft Technical Account Manager. If you would like to purchase a support plan, please explore the Azure support plans.




Planner in Message center, more labels are coming for all government cloud customers.

Planner in Message center, more labels are coming for all government cloud customers.

This article is contributed. See the original author and article here.

The Microsoft Planner team is constantly striving to deliver capabilities that help you stay on top of your tasks—no matter where they originate. This was the impetus for integrating Planner and the Microsoft 365 Message center last year. IT admins were missing important Microsoft updates because there was no way to formally track them. Now, they can quickly convert Message center messages to Planner tasks to ensure every Microsoft release, from security enhancements to new features, are properly deployed.


Customer asks are another driving force behind our development strategy. It was because of users like you that we released more labels earlier this month. Since its inception, Planner has only had six labels for tagging tasks. We long heard from customers this wasn’t enough, and so in early March we expanded that number to 25, enabling teams to better categorize, filter, and find their tasks. 


And now, we’re excited to announce that both Planner in Message center and the 25 color-coded labels are coming to all Microsoft 365 and Office 365 government cloud offerings, including GCC, GCC High, and DoD. (Note, Planner in Message center has been available for GCC since December.) More labels are available now for all three offerings, while Planner in Message center is currently rolling out to GCC High and DoD.




You can now use up to 25 color-coded labels in Planner



If you’d like to keep up with Planner and other task management news, including updates to the Tasks app for Microsoft Teams, visit our Tech Community Blog webpage. And if you’re new to Planner or the Tasks app, our support pages for each—Planner here and Tasks app here—can help get you started.