24
votes

I'm getting this error:

    <Error>
    <Code>AuthenticationFailed</Code>
    <Message>
    Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:6c3fc9a8-cdf6-4874-a141-10282b709022 Time:2014-07-30T10:48:43.8634735Z
    </Message>
    <AuthenticationErrorDetail>
    Signature did not match. String to sign used was rwl 2014-07-31T04:48:20Z /acoustie/$root 2014-02-14
    </AuthenticationErrorDetail>
    </Error>

I get it when I generate a sas (Shared Access Signature) then paste that sas at the end of the container uri into a browser. This is the full address with the generated sas:

https://acoustie.blob.core.windows.net/mark?sv=2014-02-14&sr=c&sig=E6w%2B3B8bAXK8Lhvvr62exec5blSxsA62aSWAg7rmX4g%3D&se=2014-07-30T13%3A30%3A14Z&sp=rwl

I have scoured SO and Google and have tried lots of combinations, as far as I can tell I'm doing everything correctly, I know I'm not, I just can't see it...really hoping someone can help :-\

To be clear, I am generating a sas on a container, not a specific blob and not on the root container. Access on the blob is defined as Public Blob. My end goal is to simply allow writes to the container with the sas, while 'debugging' I have added most permissions to the SharedAccessBlobPolicy.

I have tried adding a \ at the beginning and ending of the container name. No change.

This is the code I use to generate the sas:

    var blobClient = storageAccount.CreateCloudBlobClient();
    //Get a reference to the blob container 
    var container = blobClient.GetContainerReference(containerName);

    // Do not set start time so the sas becomes valid immediately.
    var sasConstraints = new SharedAccessBlobPolicy 
    {
        SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(30), 
        Permissions = SharedAccessBlobPermissions.Write 
        | SharedAccessBlobPermissions.Read
        | SharedAccessBlobPermissions.List,
    };

    var sasContainerToken = container.GetSharedAccessSignature(sasConstraints);

    //Return the URI string for the container, including the SAS token.
    var sas = string.Format("{0}{1}", container.Uri.AbsoluteUri, sasContainerToken);
    Logger.Debug("SAS: {0}", sas);
    return sas;

It generates a signature, it just doesn't seem to be a valid signature.

I've tried different containers, changing the Access policy, with and without start times, extending the expiry to > 12 hours from now (I'm in a UTC+10 timezone), it doesn't seem to matter what I change it results in the same "signature did not match" error.

I have even tried using an older version of 'WindowsAzure.Storage', so I have now tried 4.2 and 4.1. Even tried the uri in a different browser, really shouldn't make a difference but hey...

Any suggestions are greatly appreciated :-)

3
Are you trying to list blobs using this SAS URL? – Gaurav Mantri

I just want to NOT see the AuthenticationFailed error. I think it 'should' show the list of blobs though as I have given it the List permission. – wallismark

I am NOT using SAS to access my container. Why am I getting the same error? I just updated the timezone on my device and it started to work. The problem is I don't want to depend on the timezone. What can I do? – perozzo

3 Answers

61
votes

Short Answer:

Add comp=list&restype=container to your SAS URL and you should not get this error.

Long Answer:

Essentially from your SAS URL, Azure Storage Service is not able to identify if the resource you're trying to access is a blob or a container and assumes it's a blob. Since it assumes the resource type is blob, it makes use of $root blob container for SAS calculation (which you can see from your error message). Since SAS was calculated for mark blob container, you get this Signature Does Not Match error. By specifying restype=container you're telling storage service to treat the resource as container. comp=list is required as per REST API specification.
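
The mismatch described in this answer, reproduced offline as an added Python example (not code from the post, the SDK or the service). The account key is constructed, the function names are hypothetical, `resource_for_request` is a simplified model of the service-side choice, and the string-to-sign layout is the one assumed for sv=2014-02-14: the fields visible in the error message, the empty start and identifier fields, then five empty response-header fields.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-in for the storage account key; not a real credential.
ACCOUNT_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-secret")

def sign(perms, start, expiry, resource, identifier, version):
    # Assumed sv=2014-02-14 layout: six signed fields, then five empty
    # response-header overrides (rscc, rscd, rsce, rscl, rsct).
    fields = [perms, start, expiry, resource, identifier, version] + [""] * 5
    mac = hmac.new(base64.b64decode(ACCOUNT_KEY), "\n".join(fields).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def make_container_sas(account, container, perms, expiry, version="2014-02-14"):
    # Client side: the token is signed over /<account>/<container>.
    sig = sign(perms, "", expiry, f"/{account}/{container}", "", version)
    return urlencode({"sv": version, "sr": "c", "sig": sig, "se": expiry, "sp": perms})

def resource_for_request(account, url):
    # Service side, as the answer describes: without restype=container the
    # path is read as a blob name, so the container becomes $root.
    parts = urlsplit(url)
    if parse_qs(parts.query).get("restype") == ["container"]:
        return f"/{account}/{parts.path.strip('/')}"
    return f"/{account}/$root"

def service_accepts(account, url):
    # Recompute the signature over the resource the service inferred and
    # compare it in constant time with the sig carried in the URL.
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    expected = sign(q["sp"], q.get("st", ""), q["se"],
                    resource_for_request(account, url), q.get("si", ""), q["sv"])
    return hmac.compare_digest(expected, q["sig"])

BASE = "https://acoustie.blob.core.windows.net/mark"
TOKEN = make_container_sas("acoustie", "mark", "rwl", "2014-07-30T13:30:14Z")
BARE_URL = f"{BASE}?{TOKEN}"                               # as pasted in the question
LIST_URL = f"{BASE}?restype=container&comp=list&{TOKEN}"   # as the answer suggests

if __name__ == "__main__":
    for url in (BARE_URL, LIST_URL):
        print(resource_for_request("acoustie", url), service_accepts("acoustie", url))
```

The bare URL resolves to `/acoustie/$root` and fails verification; the URL with `restype=container&comp=list` resolves to `/acoustie/mark` and verifies. Expiry and permission checks are not part of this model.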

3
votes

Adding to @Gaurav Mantri's answer: in order to double-check the permissions, you can also create your OWN SAS token in the Azure Portal.

From this you can relate this comp=list&restype=container

Resource types you can provide:

  1. Container
  2. Object
  3. Service

Hope this helps someone.

0
votes

After spending a lot of time on this: the actual error is different than the exception raised by the .NET compiler. If you're using metadata fields while uploading a blob file into storage, then check the metadata characters. For example, I am adding metadata fields like description, filename, etc. In the description field I had some junk characters, which I found in the run-time string text viewer.

My description was originally "test� file description"; after changing the description to "test file description", it is working fine.

I had extracted the metadata values from different sources; that's why they got those junk characters. Please remove/amend the metadata values, then it will work well.