Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

403 Forbidden when connecting to Azure Storage with Application Insights Web Tracking HTTP Module #3460

1 of 4 tasks
phawrylak opened this issue Jul 7, 2017 · 10 comments
1 of 4 tasks
Service Attention Storage


Copy link

@phawrylak phawrylak commented Jul 7, 2017


  • Question
  • Typo
  • Bug
  • Additional article idea

Expected or Desired Behavior

Connection to Azure Storage should be possible when Application Insights Web Tracking HTTP Module is enabled.

Observed Behavior

Connecting to Azure Storage with Application Insights Web Tracking HTTP Module enabled ends with 403 Forbidden error: "The MAC signature found in the HTTP request is not the same as any computed signature".

Steps to Reproduce

  1. Create ASP.NET MVC 5 project.
  2. Install/update Microsoft.ApplicationInsights.Web@2.4.0 and WindowsAzure.Storage@8.1.4 from NuGet.
  3. Verify that following entry for ApplicationInsightsWebTracking is present in web.config (configuration/system.webServer/modules):
      <remove name="ApplicationInsightsWebTracking" />
      <add name="ApplicationInsightsWebTracking" type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web" preCondition="managedHandler" />
  1. Add following connection string to web.config (configuration/connectionStrings):
    <add name="StorageConnectionString" connectionString="UseDevelopmentStorage=true" />

  2. Try to create new Azure BLOB Storage container using following code:

CloudStorageAccount storageAccount = CloudStorageAccount.Parse(
CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();
CloudBlobContainer container = blobClient.GetContainerReference("mycontainer");
  1. Exception is thrown, because Application Insights Web Tracking HTTP Module modifies request's HTTP Headers after signature generation.


Azure Storage Emulator@5.1

@cormacpayne cormacpayne added the Storage label Jul 14, 2017
Copy link

@cormacpayne cormacpayne commented Jul 14, 2017

@blueww Hey Wei, would you mind taking a look at this issue?

Copy link

@phawrylak phawrylak commented Jul 16, 2017

To clarify, the problem wasn't related to real Azure Storage, but to Azure Storage Emulator. It was fixed in newest Microsoft.ApplicationInsights.Web NuGet package by adding localhost and to ExcludeComponentCorrelationHttpHeadersOnDomains in ApplicationInsights.config template. Therefore I close this issue.

Copy link

@benjamin-goldman benjamin-goldman commented Aug 1, 2017

@phawrylak @cormacpayne not sure how a workaround is being considered a fix. Can resolving this remain an issue and can we expect it to be resolved in future versions? I would hope so.

Copy link

@timosnel timosnel commented Aug 10, 2017

@phawrylak I don't see how this is just a problem with the emulator. I'm running into this problem when connecting to actual Azure Storage, as I described on StackOverflow here

Copy link

@buxbuxbuxbuxbux buxbuxbuxbuxbux commented Aug 14, 2017

I have upgraded Insights to version 2.4 and had seen the problem (using real azure storage, not an emulator). 2.3 version works fine.

Copy link

@martijnbrands1978 martijnbrands1978 commented Aug 16, 2017

Hello we had a the same problem. Get always 403. After debugging for days I found that application insights added headers for the outging requests (because we track dependencies) to BLOB storage. Therefore the computed signature is not the same as the one in the. When I compare ApplicationInsights.config from environments where we don't have problems I see that we missed this part

<TelemetryModules> <Add Type="Microsoft.ApplicationInsights.DependencyCollector.DependencyTrackingTelemetryModule, Microsoft.AI.DependencyCollector"> <ExcludeComponentCorrelationHttpHeadersOnDomains> <Add></Add> <Add></Add> <Add></Add> <Add></Add> <Add>localhost</Add> <Add></Add> </ExcludeComponentCorrelationHttpHeadersOnDomains> </Add>
you see is excluded now, after this all worked fine.

Copy link

@peterjohnsonme peterjohnsonme commented Sep 29, 2017

@martijnbrands1978 Confirmed that fix too. Thanks!

Copy link

@vbl11987 vbl11987 commented Feb 9, 2018

@martijnbrands1978 Confirmed, that fix the error, I couldn't create or make any write operations on containers or blobs. Thanks!!

Copy link

@sajints sajints commented Feb 26, 2018

@martijnbrands1978 , thank you so much. That fixed the error, I was getting 403 exception while calling blob storage :)

@bsiegel bsiegel added the Service Attention label Sep 26, 2018
Copy link

@praneshas1990 praneshas1990 commented Aug 28, 2020

@martijnbrands1978 , thanks for the solution, i've used the below to ensure requests to storage account don't get any headers added by app insights

<Add Type="Microsoft.ApplicationInsights.DependencyCollector.DependencyTrackingTelemetryModule, Microsoft.AI.DependencyCollector"> 

Other than the headers not being added, is there any other impact to app insights and dependency tracking by doing this fix.
Since i have to go and change each and every applicationinsights.config in all my apps, is there something we can do to implement a fix without this overhead.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Service Attention Storage
None yet

No branches or pull requests