Access is denied Exception

Question

Hello Friends,

I had issued a production certificate for MSHV and had lots of registrations and record retrievals using the same between my application and healthvault accounts(per person). But recently I check to store new record in it using the same certificate but got this exception. I tried to retrieve existing records but occurs the same exception. The same certificate was working before(for registration and retrieval) and now why it is giving this error?

Attaching  the stack trace:

Thanks in advance :)

Answer 1

Additional to that, I tried to retrieve the health records locally in development environment using the same certificate(same as on server) and Session ID but surprisingly, it works!(Bad news)

I searched related to it and found solution like "You might not have permissions to those methods" which you can set as All under offline rules tab for read/write/update in Application Configuration Center.

But the certificate copy is working locally and not on server..

Still one more issue..

I made permissions as All in ACC and wait for 30 min and tried to insert record via application to HealthVault but encountered the same error. (Locally Data retrieval is working but insertion is not using the same certificate.)

The stack trace for Insertion web service exception :

Microsoft.Health.HealthServiceAccessDeniedException: Access is denied. at Microsoft.Health.EasyWebRequest.WaitForCompletion() at Microsoft.Health.EasyWebRequest.Fetch(Uri url) at Microsoft.Health.EasyWebRequest.Fetch(Uri url, IEasyWebResponseHandler customHandler) at Microsoft.Health.HealthServiceRequest.ExecuteInternal() at Microsoft.Health.Web.OfflineWebApplicationConnection.ExecuteRequestWithRetry(HealthServiceRequest request) at Microsoft.Health.HealthServiceRequest.Execute() at Microsoft.Health.HealthRecordAccessor.NewItems(IList`1 items) at Microsoft.Health.HealthRecordAccessor.NewItem(HealthRecordItem item)

 

Answer 2

Hi Rhoit,

 

First I would like to state that you should not be using the same certificate in production as you are using in PPE and if you are, you should change your production certificate immediatly and submit a support case, at https://support.microsoft.com/oas/default.aspx?prid=13388&ln=en-us&st=1, to have the new pulic key uploaded for your application.  You can also check what public keys have already been associated with your production application by clicking the "View app config in production" link for the specific app id in the Application Configuration Center.

Second, you state "But the certificate copy is woking locally and not on the server".  I am not sure what you mean by this since all communication with the HealthVault platform is through the HealthVault service, either for PPE or Production.

Can you check your certificates and make sure that you are using the one that HealthVault is expecting for the correct environment and supply additional information so that we can try and properly assist your with your issue?

 

Thank you.

-Suzanne

 

 

Answer 3

Thanks Suzanne,

Firstly, I'm not using the certificate for PPE anymore.. I have production certificate and as I said I had lots of health records retrievals in past.

Yesterday itself first time, I found the HealthServiceAccessDenied exception via data retrieval web service link on my server (fyi I'm talking only about production scenario with production cert). To cross check, I ran local copy of same service with same certificate. And it was able to fetch health records which was unexpected. Then I Publish this website on my local IIS and ran .asmx and again it was giving output. Then I used this published copy and used on server IIS and again the same exception. I'm pretty sure this is not certificate problem or any change in ACC and this must be IIS problem but why this exception is under Microsoft.Health.*..?? Please let me know if you know about it.

And  :) Please consider one more scenario..,

I'm changing the permission from Read to All in ACC as previously I was not going to insert records in MSHV but now I want it to be in my app(Insert/Update/Delete). For that, I did this Read to All and waited for more than 30 min(as recommended). But this new changes is not taking place as I check the same in ACC View app config in production and I found it Read as it was. And at the same time under offline rules tab, I can see the Permissions as All. HOW???

If you want, give me any id, I'll send you certificate information.

Answer 4

Hi Rohit,

 

It appears that you are dealing with two seperate issues, one related to a new Access Denied error for your production web server and one related to updating permissions.  In regards to updating the permissions, you can only update permissions in PPE and they then need to be pushed to production by HealthVault support which will include a new Go Live review process, although the specifics of the review vary but what has been changed in an application's configuration.  If you are having with the permissions in PPE it may also make more sense to either submit a support request or continue on a different forum thread.

 

Regarding the Access Denied issues, there are three common scenarios when this will occur, having a different certificate with the application and the HealthVault platform, not having the appropriate permissions for a data type that you are using, and not having proper IP Prefixes defined within the HealthVault system, which can only be done by HealthVault support.  A less common way is not having the proper ASP.Net permissions defined for your certificate.  You have tested the certificate and permissions by using other servers, and assumedly verified that the valid certificate is installed on your production server as well.  You can check to see if any networking changes have been made that may cause a change (or requierment) in IP prefixes as well as the permissions for the certificate.

 

Thank you.

-Suzanne

Answer 5

Thanks a lot Suzanne,

As you said, although the specifics of the review vary but what has been changed in an application's configuration;

If I ask for HealthVault support to push new ACC changes to production(Just that All instead of only Read), dont they need a review on application that is working on DML operations(All) for PPE with health records same as that I had whole application review for Read records? Actually I was asking because my app is not yet ready with this DML feature..

Regarding the Access Denied issues, yeah this might be some network problem might be within IIS..

But as you are saying "networking changes have been made that may cause a change (or requierment) in IP prefixes as well as the permissions for the certificate"

How network changes affect permissions for the certificate as long as ActionURL at ACC is same?
Because this exception is under Health DLL and I'm pretty sure is because of wrong network settings.

Thanks again..

Answer 6

What is your application-id?  We can look up why your requests are being denied.

Answer 7

Thanks Robmay,

63d9c67f-b5b1-4ac8-af79-b4a57a0c9806

This is my application id..

Just FYI, local IIS working fine but server IIS giving me error..

Certificate for production is same, application copy is same, data type for which I'm fetching is same..

Answer 8

The xml to authenticate your application contains a signature.  The signed data contains a timestamp indicating when it was signed.  That timestamp is 19 hours behind current time.  We do not accept timestamps older than 12 hours.

 

Is the time on your machine off?

 

--Rob

Answer 9

Hello Robmay,

I thought it was too close.. but bad luck.. server is set at right time..

This is machine level error or in IIS.. that is for sure and this problem gives me error only for those web services which deals with HealthVault ie. by using certificate.. Must be some kind of interesting problem :)

Answer 10

Hi Rohit,

I did the math wrong.  Your server time is 24 hours behind.  I can state definitively that we are receiving requests stating the signing time as 24 hours in the past.  HealthVault will reject those authentication requests for being stale.

--Rob

Answer 11

Hello Robmay,

Awesome bro, I was like in hell from last week.. Yeah, that was the problem.

Thank you so much..