Managed Backups to Azure - CryptDecrypt Errors in log

Hi guys,

I hope something can help me with the following issue since it has been slowly eroding my sanity this week :-)

A while ago I deployed an Azure SQL server with Managed Backups (SQLIaas Extension) enabled so it will automatically backup to an Azure Storage Account. This worked fine.

Recently I wanted to improve the way we get alerts when the backup fails. I then noticed a whole bunch of errors in the SQL Agent Log every time it does backups. At first these were "Impersonation" errors:

[298] SQLServer Error: 22046, Impersonation error. [SQLSTATE 42000]

I then changed the SQL Agent Service account back to NT Service\SQLSERVERAGENT(it was a domain account before) and the errors went away only to be replaced by the following error instead:

[442] CryptDecrypt failed (-2146893819).

Correlating the timestamp of the error to an Xevent trace I found out that the error occurs when this Stored Procedure is called:

exec managed_backup.sp_backup_config_advanced @encryption_algorithm =N'NO_ENCRYPTION',@encryptor_type =default,@encryptor_name =default,@database_name=N'dbname' 

Running this manually gives me the following error

Msg 45207, Level 17, State 17, Procedure sp_add_task_command, Line 102 [Batch Start Line 0]
The operation failed because of an internal error. Value cannot be null.
Parameter name: sasToken Please retry later. 
    at Microsoft.WindowsAzure.Storage.Auth.StorageCredentials..ctor(String sasToken)
   at Microsoft.SqlServer.SmartAdmin.SmartBackupAgent.FileService.VerifyContainerURL(String containerURL, SqlConnection conn)
   at Microsoft.SqlServer.SmartAdmin.SmartBackupAgent.SmartBackup.ConfigureDbOrInstance(SmartBackupConfigParameters config, LogBaseService jobLogger, SqlConnection conn)

And to complete the story; if I change a setting via the Azure Portal (for example at what time it should take backups) I get a similar error talking about the SAS token in the failed deployment's error details.

SQL Server IaaS Agent: The operation failed because of an internal error. Value cannot be null. Parameter name: sasToken Please retry later. 

at Microsoft.WindowsAzure.Storage.Auth.StorageCredentials..ctor(String sasToken)at Microsoft.SqlServer.SmartAdmin.SmartBackupAgent.FileService.VerifyContainerURL(String containerURL, SqlConnection conn)at Microsoft.SqlServer.SmartAdmin.SmartBackupAgent.SmartBackup.ConfigureDbOrInstance(SmartBackupConfigParameters config, LogBaseService jobLogger, SqlConnection conn);Automated Patching: Automated Patching enabled: False, Windows Update state: NotifyBeforeInstallation, VM is up to date in applying important updates.;Automatic Telemetry: Performance Collector State: Running

I've already tried removing and re-adding the extension, manually generating a SAS token and replacing the existing credential. I've also tried using a new storage account without success.  Using the query to do Ad-Hoc backups works as well so I'm sure the Credential is working correctly

EXEC managed_backup.sp_backup_on_demand @database_name = 'dbname',@type = 'Database'  

So where is the code getting the SAS token information from (so I can find out why it's getting a Null value). Any idea which DLL it's using? 

Is there a way to completely remove the Managed Backups in order to reinstall? It seems like just removing the extension just sets the backups to disabled on an instance level. 

Any help would be greatly appreciated!