Signature did not match error

Question

error :

"<Error>

<Code>AuthenticationFailed</Code>

<Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:02c9ecee-c01e-0022-7b39-e77e0b000000 Time:2024-08-05T13:11:41.8517117Z</Message>

<AuthenticationErrorDetail>Signature did not match. String to sign used was skydoctrial1 rwdlaciytfx bf sco 2024-08-05T06:11:10Z 2024-08-05T23:11:10Z https 2022-11-02 </AuthenticationErrorDetail>

</Error>" I tried all the stringtosign combinations, able to generate URL but when I run the url on browser it gives me this error.

This is the code :

function generateSasToken(accountName, accountKey, containerName, blobName, permissions, expiryTime, startTime) {

    log.debug("generateSasToken called");

    const expiryTimeIsoString = expiryTime.toISOString().split('.')[0] + 'Z';

    log.debug("expiryTimeIsoString", expiryTimeIsoString);

    const startTimeIsoString = startTime.toISOString().split('.')[0] + 'Z';

    log.debug("startTimeIsoString", startTimeIsoString);

     const canonicalizedResource1 = `/${accountName}/${containerName}/${blobName}`;

     const stringToSign = [

        permissions,              // sp

        startTimeIsoString,       // st

        expiryTimeIsoString,      // se

        canonicalizedResource1,    // sr

        '',                       // skoid

        '',                       // sktid

        '',                       // skt

        '',                       // ske

        '',                       // sks

        '',                       // skv

        '2022-11-02',             // sv

        '',                       // sr

        '',                       // sip

        'https',                  // spr

        '',                       // rscc

        '',                       // rscd

        '',                       // rsce

        '',                       // rscl

        '',                       // rsct

    ].join('\n');

    log.debug("stringto sign", stringToSign);

    const keyBytes = CryptoJS.enc.Base64.parse(accountKey);

    const hash = CryptoJS.HmacSHA256(stringToSign, keyBytes);

    const signature = CryptoJS.enc.Base64.stringify(hash);

    log.debug("sign", signature)

    var sasToken = [

        'sv=2022-11-02' ,

        'ss=bf',

        'srt=sco',

        'sp=' + permissions,

        'se=' + expiryTimeIsoString,

        'st=' + startTimeIsoString,

        'spr=https',

        'sig=' + encodeURIComponent(signature)

    ].join('&');

     const sasUrl = 'https://' + accountName + '.blob.core.windows.net/' + containerName + '/' +             blobName + '?' + sasToken;

     log.debug('SAS URL', sasUrl);

    return sasUrl;

}

Answer 1

Jayasri, I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer. Accepted answers show up at the top, resulting in improved discoverability for others.

Issue: Customer unable to access the Azure storage account and facing authentication failure issues.

Error Message:

"Authentication Failed

Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature".

 

Solution: After modifying the string-to-sign format as below, the issue got mitigated.

const stringToSign = accountName + "\n" +  
        permissions + "\n" +  
        'bf' + "\n" +  
        'sco' + "\n" +  
        startTimeIsoString + "\n" +  
        expiryTimeIsoString + "\n" +  
        '' + "\n" +  //signedIP
        'https' + "\n" +  
        '2022-11-02' + "\n" +
        '' + "\n"; //signedEncryptionScope

Answer 2

Hello Jayasri,

Greetings! Welcome to Microsoft Q&A Platform.

 

The Error message tells that "Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature". This is due to there is an issue with the Shared Access Signature (SAS) token is being generated or used. It tells that the signature part of the SAS token does not match the expected value.

 

Ensure that the string-to-sign used to generate the SAS token follows the correct format. The permissions string (rwdlaciytfx) must match the permissions you want to give access. Verify that these permissions are correctly set and in the correct order. Make sure the SAS token and the Azure server timings are synchronized. https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview.

 

Similar post: https://learn.microsoft.com/en-us/answers/questions/1821066/azure-blob-storage-not-being-able-to-authenticate

 

The other part of the error is AuthenticationError tells that "Signature did not match. String to sign used was skydoctrial1 rwdlaciytfx bf sco"

Make sure the string-to-sign is correctly formatted with the appropriate values for permissions, services, resource types, and other fields. Once check the order of the resource type of the SAS token whether it is formatted and given correctly in the SAS token. Check the values in the string-to-sign that match the parameters you are passing to generate the SAS token. https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview.

 

A similar issue is discussed in the Answer section of the following SO thread: https://stackoverflow.com/questions/25038429/azure-shared-access-signature-signature-did-not-match

reference: https://learn.microsoft.com/en-us/rest/api/storageservices/create-service-sas,

 

Hope this answer helps! please let us know if you have any further queries. I’m happy to assist you further. 

Please "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.