Given the following code:
var blobClient = account.CreateCloudBlobClient();
var container = blobClient.GetContainerReference(containerName);
CloudBlockBlob _blockblob = container.GetBlockBlobReference(fileName);
var sharedAccessPolicy = new SharedAccessBlobPolicy
SharedAccessStartTime = DateTime.UtcNow.AddMinutes(-10),
SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(30),
Permissions = SharedAccessBlobPermissions.Read
var sharedAccessSignature = _blockblob.GetSharedAccessSignature(sharedAccessPolicy);
var link = _blockblob.Uri.AbsoluteUri + sharedAccessSignature;
a AuthenticationFailed error will occur from the link if the containerName has a trailing slash (this is allowed in all other places).
The reason for this is that the GetCanonicalName method in CloudBlockBlobBase will add a slash to the container name resulting in a double slash. This is then signed and returned in the SAS. The AbsoluteUri however will not add the extra slash and thus the signature will not be valid for the created link.
A change in GetCanonicalName to trim any trailing slash from container name would solve this.
Please recreate in https://github.com/Azure/azure-storage-net/ if still relevant.