Azure-sdk-for-net: 403 Forbidden when connecting to Azure Storage with Application Insights Web Tracking HTTP Module
Category
- [ ] Question
- [ ] Typo
- [x] Bug
- [ ] Additional article idea
Expected or Desired Behavior
Connection to Azure Storage should be possible when Application Insights Web Tracking HTTP Module is enabled.
Observed Behavior
Connecting to Azure Storage with Application Insights Web Tracking HTTP Module enabled ends with 403 Forbidden error: "The MAC signature found in the HTTP request is not the same as any computed signature".
Steps to Reproduce
- Create ASP.NET MVC 5 project.
- Install/update
[email protected]and[email protected]from NuGet. - Verify that following entry for ApplicationInsightsWebTracking is present in web.config (configuration/system.webServer/modules):
<remove name="ApplicationInsightsWebTracking" />
<add name="ApplicationInsightsWebTracking" type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web" preCondition="managedHandler" />
Add following connection string to web.config (configuration/connectionStrings):
<add name="StorageConnectionString" connectionString="UseDevelopmentStorage=true" />Try to create new Azure BLOB Storage container using following code:
CloudStorageAccount storageAccount = CloudStorageAccount.Parse(
ConfigurationManager.ConnectionStrings["StorageConnectionString"].ConnectionString);
CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();
CloudBlobContainer container = blobClient.GetContainerReference("mycontainer");
container.CreateIfNotExists();
- Exception is thrown, because Application Insights Web Tracking HTTP Module modifies request's HTTP Headers after signature generation.
Version
ASP.NET MVC 5
Microsoft.ApplicationInsights.[email protected]
WindowsAzure.[email protected]
Azure Storage [email protected]
phawrylak
All 10 comments
@blueww Hey Wei, would you mind taking a look at this issue?
cormacpayne
on 14 Jul 2017
To clarify, the problem wasn't related to real Azure Storage, but to Azure Storage Emulator. It was fixed in newest Microsoft.ApplicationInsights.Web NuGet package by adding localhost and 127.0.0.1 to ExcludeComponentCorrelationHttpHeadersOnDomains in ApplicationInsights.config template. Therefore I close this issue.
phawrylak
on 16 Jul 2017
@phawrylak @cormacpayne not sure how a workaround is being considered a fix. Can resolving this remain an issue and can we expect it to be resolved in future versions? I would hope so.
benjamin-goldman
on 2 Aug 2017
@phawrylak I don't see how this is just a problem with the emulator. I'm running into this problem when connecting to actual Azure Storage, as I described on StackOverflow here
timosnel
on 10 Aug 2017
I have upgraded Insights to version 2.4 and had seen the problem (using real azure storage, not an emulator). 2.3 version works fine.
buxbuxbuxbuxbux
on 14 Aug 2017
Hello we had a the same problem. Get always 403. After debugging for days I found that application insights added headers for the outging requests (because we track dependencies) to BLOB storage. Therefore the computed signature is not the same as the one in the. When I compare ApplicationInsights.config from environments where we don't have problems I see that we missed this part
<TelemetryModules>
<Add Type="Microsoft.ApplicationInsights.DependencyCollector.DependencyTrackingTelemetryModule, Microsoft.AI.DependencyCollector">
<ExcludeComponentCorrelationHttpHeadersOnDomains>
<Add>core.windows.net</Add>
<Add>core.chinacloudapi.cn</Add>
<Add>core.cloudapi.de</Add>
<Add>core.usgovcloudapi.net</Add>
<Add>localhost</Add>
<Add>127.0.0.1</Add>
</ExcludeComponentCorrelationHttpHeadersOnDomains>
</Add>
you see core.windows.net is excluded now, after this all worked fine.
martijnbrands1978
on 16 Aug 2017
@martijnbrands1978 Confirmed that fix too. Thanks!
peterjohnsonme
on 29 Sep 2017
@martijnbrands1978 Confirmed, that fix the error, I couldn't create or make any write operations on containers or blobs. Thanks!!
vbl11987
on 9 Feb 2018
@martijnbrands1978 , thank you so much. That fixed the error, I was getting 403 exception while calling blob storage :)
sajints
on 26 Feb 2018
@martijnbrands1978 , thanks for the solution, i've used the below to ensure requests to storage account don't get any headers added by app insights
<TelemetryModules>
<Add Type="Microsoft.ApplicationInsights.DependencyCollector.DependencyTrackingTelemetryModule, Microsoft.AI.DependencyCollector">
<ExcludeComponentCorrelationHttpHeadersOnDomains>
<Add>core.windows.net</Add>
</Add>
Other than the headers not being added, is there any other impact to app insights and dependency tracking by doing this fix.
Since i have to go and change each and every applicationinsights.config in all my apps, is there something we can do to implement a fix without this overhead.
praneshas1990
on 28 Aug 2020
Related issues
deenairn
·
3Comments
tomgallard
·
3Comments
AliGuemues
·
3Comments
cannehag
·
4Comments
sakher-sawan
·
4Comments
Most helpful comment
Hello we had a the same problem. Get always 403. After debugging for days I found that application insights added headers for the outging requests (because we track dependencies) to BLOB storage. Therefore the computed signature is not the same as the one in the. When I compare ApplicationInsights.config from environments where we don't have problems I see that we missed this part
<TelemetryModules> <Add Type="Microsoft.ApplicationInsights.DependencyCollector.DependencyTrackingTelemetryModule, Microsoft.AI.DependencyCollector"> <ExcludeComponentCorrelationHttpHeadersOnDomains> <Add>core.windows.net</Add> <Add>core.chinacloudapi.cn</Add> <Add>core.cloudapi.de</Add> <Add>core.usgovcloudapi.net</Add> <Add>localhost</Add> <Add>127.0.0.1</Add> </ExcludeComponentCorrelationHttpHeadersOnDomains> </Add>you see core.windows.net is excluded now, after this all worked fine.