Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

403 Forbidden when connecting to Azure Storage with Application Insights Web Tracking HTTP Module #3460

Closed
1 of 4 tasks
phawrylak opened this issue Jul 7, 2017 · 10 comments
Closed
1 of 4 tasks
Assignees
Labels
Service Attention Storage

Comments

@phawrylak
Copy link

@phawrylak phawrylak commented Jul 7, 2017

Category

  • Question
  • Typo
  • Bug
  • Additional article idea

Expected or Desired Behavior

Connection to Azure Storage should be possible when Application Insights Web Tracking HTTP Module is enabled.

Observed Behavior

Connecting to Azure Storage with Application Insights Web Tracking HTTP Module enabled ends with 403 Forbidden error: "The MAC signature found in the HTTP request is not the same as any computed signature".

Steps to Reproduce

  1. Create ASP.NET MVC 5 project.
  2. Install/update Microsoft.ApplicationInsights.Web@2.4.0 and WindowsAzure.Storage@8.1.4 from NuGet.
  3. Verify that following entry for ApplicationInsightsWebTracking is present in web.config (configuration/system.webServer/modules):
      <remove name="ApplicationInsightsWebTracking" />
      <add name="ApplicationInsightsWebTracking" type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web" preCondition="managedHandler" />
  1. Add following connection string to web.config (configuration/connectionStrings):
    <add name="StorageConnectionString" connectionString="UseDevelopmentStorage=true" />

  2. Try to create new Azure BLOB Storage container using following code:

CloudStorageAccount storageAccount = CloudStorageAccount.Parse(
    ConfigurationManager.ConnectionStrings["StorageConnectionString"].ConnectionString);
CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();
CloudBlobContainer container = blobClient.GetContainerReference("mycontainer");
container.CreateIfNotExists();
  1. Exception is thrown, because Application Insights Web Tracking HTTP Module modifies request's HTTP Headers after signature generation.

Version

ASP.NET MVC 5
Microsoft.ApplicationInsights.Web@2.4.0
WindowsAzure.Storage@8.1.4
Azure Storage Emulator@5.1

@cormacpayne cormacpayne added the Storage label Jul 14, 2017
@cormacpayne
Copy link
Member

@cormacpayne cormacpayne commented Jul 14, 2017

@blueww Hey Wei, would you mind taking a look at this issue?

@phawrylak
Copy link
Author

@phawrylak phawrylak commented Jul 16, 2017

To clarify, the problem wasn't related to real Azure Storage, but to Azure Storage Emulator. It was fixed in newest Microsoft.ApplicationInsights.Web NuGet package by adding localhost and 127.0.0.1 to ExcludeComponentCorrelationHttpHeadersOnDomains in ApplicationInsights.config template. Therefore I close this issue.

@benjamin-goldman
Copy link

@benjamin-goldman benjamin-goldman commented Aug 1, 2017

@phawrylak @cormacpayne not sure how a workaround is being considered a fix. Can resolving this remain an issue and can we expect it to be resolved in future versions? I would hope so.

@timosnel
Copy link

@timosnel timosnel commented Aug 10, 2017

@phawrylak I don't see how this is just a problem with the emulator. I'm running into this problem when connecting to actual Azure Storage, as I described on StackOverflow here

@buxbuxbuxbuxbux
Copy link

@buxbuxbuxbuxbux buxbuxbuxbuxbux commented Aug 14, 2017

I have upgraded Insights to version 2.4 and had seen the problem (using real azure storage, not an emulator). 2.3 version works fine.

@martijnbrands1978
Copy link

@martijnbrands1978 martijnbrands1978 commented Aug 16, 2017

Hello we had a the same problem. Get always 403. After debugging for days I found that application insights added headers for the outging requests (because we track dependencies) to BLOB storage. Therefore the computed signature is not the same as the one in the. When I compare ApplicationInsights.config from environments where we don't have problems I see that we missed this part

<TelemetryModules> <Add Type="Microsoft.ApplicationInsights.DependencyCollector.DependencyTrackingTelemetryModule, Microsoft.AI.DependencyCollector"> <ExcludeComponentCorrelationHttpHeadersOnDomains> <Add>core.windows.net</Add> <Add>core.chinacloudapi.cn</Add> <Add>core.cloudapi.de</Add> <Add>core.usgovcloudapi.net</Add> <Add>localhost</Add> <Add>127.0.0.1</Add> </ExcludeComponentCorrelationHttpHeadersOnDomains> </Add>
you see core.windows.net is excluded now, after this all worked fine.

@peterjohnsonme
Copy link

@peterjohnsonme peterjohnsonme commented Sep 29, 2017

@martijnbrands1978 Confirmed that fix too. Thanks!

@vbl11987
Copy link

@vbl11987 vbl11987 commented Feb 9, 2018

@martijnbrands1978 Confirmed, that fix the error, I couldn't create or make any write operations on containers or blobs. Thanks!!

@sajints
Copy link

@sajints sajints commented Feb 26, 2018

@martijnbrands1978 , thank you so much. That fixed the error, I was getting 403 exception while calling blob storage :)

@bsiegel bsiegel added the Service Attention label Sep 26, 2018
@praneshas1990
Copy link

@praneshas1990 praneshas1990 commented Aug 28, 2020

@martijnbrands1978 , thanks for the solution, i've used the below to ensure requests to storage account don't get any headers added by app insights

<TelemetryModules> 
<Add Type="Microsoft.ApplicationInsights.DependencyCollector.DependencyTrackingTelemetryModule, Microsoft.AI.DependencyCollector"> 
<ExcludeComponentCorrelationHttpHeadersOnDomains>
<Add>core.windows.net</Add>
</Add>

Other than the headers not being added, is there any other impact to app insights and dependency tracking by doing this fix.
Since i have to go and change each and every applicationinsights.config in all my apps, is there something we can do to implement a fix without this overhead.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Service Attention Storage
Projects
None yet
Development

No branches or pull requests