Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

403 Forbidden when connecting to Azure Storage with Application Insights Web Tracking HTTP Module #3460

Closed
phawrylak opened this issue Jul 7, 2017 · 9 comments
Assignees

Comments

@phawrylak
Copy link

@phawrylak phawrylak commented Jul 7, 2017

Category

  • Question
  • Typo
  • Bug
  • Additional article idea

Expected or Desired Behavior

Connection to Azure Storage should be possible when Application Insights Web Tracking HTTP Module is enabled.

Observed Behavior

Connecting to Azure Storage with Application Insights Web Tracking HTTP Module enabled ends with 403 Forbidden error: "The MAC signature found in the HTTP request is not the same as any computed signature".

Steps to Reproduce

  1. Create ASP.NET MVC 5 project.
  2. Install/update Microsoft.ApplicationInsights.Web@2.4.0 and WindowsAzure.Storage@8.1.4 from NuGet.
  3. Verify that following entry for ApplicationInsightsWebTracking is present in web.config (configuration/system.webServer/modules):
      <remove name="ApplicationInsightsWebTracking" />
      <add name="ApplicationInsightsWebTracking" type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web" preCondition="managedHandler" />
  1. Add following connection string to web.config (configuration/connectionStrings):
    <add name="StorageConnectionString" connectionString="UseDevelopmentStorage=true" />

  2. Try to create new Azure BLOB Storage container using following code:

CloudStorageAccount storageAccount = CloudStorageAccount.Parse(
    ConfigurationManager.ConnectionStrings["StorageConnectionString"].ConnectionString);
CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();
CloudBlobContainer container = blobClient.GetContainerReference("mycontainer");
container.CreateIfNotExists();
  1. Exception is thrown, because Application Insights Web Tracking HTTP Module modifies request's HTTP Headers after signature generation.

Version

ASP.NET MVC 5
Microsoft.ApplicationInsights.Web@2.4.0
WindowsAzure.Storage@8.1.4
Azure Storage Emulator@5.1

@cormacpayne

This comment has been minimized.

Copy link
Member

@cormacpayne cormacpayne commented Jul 14, 2017

@blueww Hey Wei, would you mind taking a look at this issue?

@phawrylak

This comment has been minimized.

Copy link
Author

@phawrylak phawrylak commented Jul 16, 2017

To clarify, the problem wasn't related to real Azure Storage, but to Azure Storage Emulator. It was fixed in newest Microsoft.ApplicationInsights.Web NuGet package by adding localhost and 127.0.0.1 to ExcludeComponentCorrelationHttpHeadersOnDomains in ApplicationInsights.config template. Therefore I close this issue.

@phawrylak phawrylak closed this Jul 16, 2017
@benjamin-goldman

This comment has been minimized.

Copy link

@benjamin-goldman benjamin-goldman commented Aug 1, 2017

@phawrylak @cormacpayne not sure how a workaround is being considered a fix. Can resolving this remain an issue and can we expect it to be resolved in future versions? I would hope so.

@timosnel

This comment has been minimized.

Copy link

@timosnel timosnel commented Aug 10, 2017

@phawrylak I don't see how this is just a problem with the emulator. I'm running into this problem when connecting to actual Azure Storage, as I described on StackOverflow here

@buxbuxbuxbuxbux

This comment has been minimized.

Copy link

@buxbuxbuxbuxbux buxbuxbuxbuxbux commented Aug 14, 2017

I have upgraded Insights to version 2.4 and had seen the problem (using real azure storage, not an emulator). 2.3 version works fine.

@martijnbrands1978

This comment has been minimized.

Copy link

@martijnbrands1978 martijnbrands1978 commented Aug 16, 2017

Hello we had a the same problem. Get always 403. After debugging for days I found that application insights added headers for the outging requests (because we track dependencies) to BLOB storage. Therefore the computed signature is not the same as the one in the. When I compare ApplicationInsights.config from environments where we don't have problems I see that we missed this part

<TelemetryModules> <Add Type="Microsoft.ApplicationInsights.DependencyCollector.DependencyTrackingTelemetryModule, Microsoft.AI.DependencyCollector"> <ExcludeComponentCorrelationHttpHeadersOnDomains> <Add>core.windows.net</Add> <Add>core.chinacloudapi.cn</Add> <Add>core.cloudapi.de</Add> <Add>core.usgovcloudapi.net</Add> <Add>localhost</Add> <Add>127.0.0.1</Add> </ExcludeComponentCorrelationHttpHeadersOnDomains> </Add>
you see core.windows.net is excluded now, after this all worked fine.

@peterjohnsonme

This comment has been minimized.

Copy link

@peterjohnsonme peterjohnsonme commented Sep 29, 2017

@martijnbrands1978 Confirmed that fix too. Thanks!

@vbl11987

This comment has been minimized.

Copy link

@vbl11987 vbl11987 commented Feb 9, 2018

@martijnbrands1978 Confirmed, that fix the error, I couldn't create or make any write operations on containers or blobs. Thanks!!

@sajints

This comment has been minimized.

Copy link

@sajints sajints commented Feb 26, 2018

@martijnbrands1978 , thank you so much. That fixed the error, I was getting 403 exception while calling blob storage :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
You can’t perform that action at this time.