403 Forbidden when connecting to Azure Storage with Application Insights Web Tracking HTTP Module

[phawrylak]

Category

• Question
• Typo
• Bug
• Additional article idea

Expected or Desired Behavior

Connection to Azure Storage should be possible when Application Insights Web Tracking HTTP Module is enabled.

Observed Behavior

Connecting to Azure Storage with Application Insights Web Tracking HTTP Module enabled ends with 403 Forbidden error: "The MAC signature found in the HTTP request is not the same as any computed signature".

Steps to Reproduce

1. Create ASP.NET MVC 5 project.
2. Install/update Microsoft.ApplicationInsights.Web@2.4.0 and WindowsAzure.Storage@8.1.4 from NuGet.
3. Verify that following entry for ApplicationInsightsWebTracking is present in web.config (configuration/system.webServer/modules):

      <remove name="ApplicationInsightsWebTracking" />
      <add name="ApplicationInsightsWebTracking" type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web" preCondition="managedHandler" />

4. Add following connection string to web.config (configuration/connectionStrings):
   <add name="StorageConnectionString" connectionString="UseDevelopmentStorage=true" />

5. Try to create new Azure BLOB Storage container using following code:

CloudStorageAccount storageAccount = CloudStorageAccount.Parse(
    ConfigurationManager.ConnectionStrings["StorageConnectionString"].ConnectionString);
CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();
CloudBlobContainer container = blobClient.GetContainerReference("mycontainer");
container.CreateIfNotExists();

6. Exception is thrown, because Application Insights Web Tracking HTTP Module modifies request's HTTP Headers after signature generation.

Version

ASP.NET MVC 5
Microsoft.ApplicationInsights.Web@2.4.0
WindowsAzure.Storage@8.1.4
Azure Storage Emulator@5.1

[cormacpayne]

@blueww Hey Wei, would you mind taking a look at this issue?

[phawrylak]

To clarify, the problem wasn't related to real Azure Storage, but to Azure Storage Emulator. It was fixed in newest Microsoft.ApplicationInsights.Web NuGet package by adding localhost and 127.0.0.1 to ExcludeComponentCorrelationHttpHeadersOnDomains in ApplicationInsights.config template. Therefore I close this issue.

[benjamin-goldman]

@phawrylak @cormacpayne not sure how a workaround is being considered a fix. Can resolving this remain an issue and can we expect it to be resolved in future versions? I would hope so.

[timosnel]

@phawrylak I don't see how this is just a problem with the emulator. I'm running into this problem when connecting to actual Azure Storage, as I described on StackOverflow here

[buxbuxbuxbuxbux]

I have upgraded Insights to version 2.4 and had seen the problem (using real azure storage, not an emulator). 2.3 version works fine.

[martijnbrands1978]

Hello we had a the same problem. Get always 403. After debugging for days I found that application insights added headers for the outging requests (because we track dependencies) to BLOB storage. Therefore the computed signature is not the same as the one in the. When I compare ApplicationInsights.config from environments where we don't have problems I see that we missed this part

<TelemetryModules> <Add Type="Microsoft.ApplicationInsights.DependencyCollector.DependencyTrackingTelemetryModule, Microsoft.AI.DependencyCollector"> <ExcludeComponentCorrelationHttpHeadersOnDomains> <Add>core.windows.net</Add> <Add>core.chinacloudapi.cn</Add> <Add>core.cloudapi.de</Add> <Add>core.usgovcloudapi.net</Add> <Add>localhost</Add> <Add>127.0.0.1</Add> </ExcludeComponentCorrelationHttpHeadersOnDomains> </Add>
you see core.windows.net is excluded now, after this all worked fine.

[peterjohnsonme]

@martijnbrands1978 Confirmed that fix too. Thanks!

[vbl11987]

@martijnbrands1978 Confirmed, that fix the error, I couldn't create or make any write operations on containers or blobs. Thanks!!

[sajints]

@martijnbrands1978 , thank you so much. That fixed the error, I was getting 403 exception while calling blob storage :)

[praneshas1990]

@martijnbrands1978 , thanks for the solution, i've used the below to ensure requests to storage account don't get any headers added by app insights

<TelemetryModules> 
<Add Type="Microsoft.ApplicationInsights.DependencyCollector.DependencyTrackingTelemetryModule, Microsoft.AI.DependencyCollector"> 
<ExcludeComponentCorrelationHttpHeadersOnDomains>
<Add>core.windows.net</Add>
</Add>

Other than the headers not being added, is there any other impact to app insights and dependency tracking by doing this fix.
Since i have to go and change each and every applicationinsights.config in all my apps, is there something we can do to implement a fix without this overhead.