none
Java Azure Storage SDK - "The MAC signature found in the HTTP request 'XXX' is not the same as any computed signature"

    Question

  • I received an error for around 1 out of 3 download requests from Azure Storage, from the same storage container.  

    The error from the response is :

    {Error response received. HttpStatusCode= 403, HttpStatusMessage= Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature., ErrorCode= AuthenticationFailed, ExtendedErrorInformation= {ErrorMessage= Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature..RequestId:67fcd4f6-0001-006a-2867-18c7ba000000.Time:2016-09-27T02:31:28.6130624Z, AdditionalDetails= { AuthenticationErrorDetail= The MAC signature found in the HTTP request 'XXXXXXX=' is not the same as any computed signature. Server used following string to sign: 'GET.......Tue, 27 Sep 2016 02:28:31 GMT.."XXXXXXX"...x-ms-client-request-id:9a91014f-6780-440c-8758-c0012de78837.x-ms-date:Tue, 27 Sep 2016 02:31:27 GMT.x-ms-version:2015-12-11./....'.}}}

    I am using Azure jar azure-storage v4.4.0.  Any idea why?  Many thanks.


    • Edited by Alice16 Thursday, September 29, 2016 12:52 AM
    Tuesday, September 27, 2016 2:41 AM

Answers

  • "The proxy may add headers to the request (such as a conditional header, If-Not-Modified) if it has a caching element. This extra header is not signed as part of the regular signature process and so the request is rejected. This is as design, so requests cannot be modified in flight (you can see how this could be abused if we allowed random headers to be added by a third party). There’s nothing that Storage can or will do to solve the problem if your proxy is modifying your request. You’ll need to figure out why that is happening and stop it."

    - Answer received through email

    • Marked as answer by Alice16 Thursday, October 6, 2016 7:10 AM
    Thursday, October 6, 2016 7:10 AM

All replies

  • Hi,

    Thank you for posting here!

    Kindly check the below link for the error “HTTP 403 Server failed to authenticate the request” When Using Shared Access Signatures

    https://blogs.msdn.microsoft.com/kwill/2013/08/27/http-403-server-failed-to-authenticate-the-request-when-using-shared-access-signatures/

    There has been some discussion on this topic already in the following thread:

    https://social.msdn.microsoft.com/Forums/en-US/20e7df84-99e2-4fd8-a6cd-8cf77b6780f5/the-mac-signature-found-in-the-http-request-is-not-the-same-as-any-computed-signature-server?forum=windowsazuredata

     

    If it doesn’t help, please let us know, we are happy to assist you more.

    Regards,

    Vikranth S.

     

    Kindly click "Mark as Answer" on the post that helps you, this can be beneficial to other community members reading the thread. And Vote as Helpful.

     

    Tuesday, September 27, 2016 10:24 AM
    Moderator
  • I am not using SAS, I am access the storage container using the token I get from the Azure Portal. 

    This is the code I used for download the blob (in Java) :

    connectionString = "DefaultEndpointsProtocol=" + storageProtocol + ";AccountName=" + storageAccountName + ";AccountKey=" + storageAccountKey;
    storageAccount = CloudStorageAccount.parse(connectionString);
    CloudBlobClient blobClient = storageAccount.createCloudBlobClient();
    CloudBlobContainer container = blobClient.getContainerReference(containerName);
    CloudBlockBlob blob = container.getBlockBlobReference(filename);
    ByteArrayOutputStream os = new ByteArrayOutputStream();
    blob.download(os);


    As you can see, I didn't call any method to generate a signature (the link you provided above), so the signature must be generated by the Azure SDK library for Java?
    Tuesday, September 27, 2016 11:41 PM
  • This can sometimes be caused by using a proxy -- could that be possible? Otherwise, can you try giving me anther recent repro with the above error and also include your account name that was used to make the request? Feel free to email `ascl [at] Microsoft [dot] com` instead of using the forums if you don't want to post your account name.

    Thanks!!
    Thursday, September 29, 2016 5:50 PM
  • Many thanks, yes I am running the test at work so it is behind a proxy, I am really interested to know if there is a way I can get around this.  I have emailed you the error details including the Azure Storage account name.
    Friday, September 30, 2016 3:57 AM
  • "The proxy may add headers to the request (such as a conditional header, If-Not-Modified) if it has a caching element. This extra header is not signed as part of the regular signature process and so the request is rejected. This is as design, so requests cannot be modified in flight (you can see how this could be abused if we allowed random headers to be added by a third party). There’s nothing that Storage can or will do to solve the problem if your proxy is modifying your request. You’ll need to figure out why that is happening and stop it."

    - Answer received through email

    • Marked as answer by Alice16 Thursday, October 6, 2016 7:10 AM
    Thursday, October 6, 2016 7:10 AM