question

crickard avatar image
0 Votes"
crickard asked crickard commented

Connection refused: not authorized

I have been trying to develop some simple code to connect to Azure IoT Hub via MQTT. I have been periodically successful in connecting but after a period of time, I begin to receive a "connection refused: not authorized" error.

In order to rule out issues with my code, I have tried to use MQTT Explorer to create the connection. I have been successful with the following settings but run into the same "connection refused: not authorized" error. The settings are:

Encryption (tls) on: true
Protocol: mqtt
Host: {hub-name}.azure-devices.net. where {hub-name} is copied and pasted right out of Azure Portal
Port: 8883
Username: {hub-name}.azure-devices.net/{device-name} where {hub-name} and {device-name} are both copied and pasted right out of Azure Portal
Password: SharedAccessSignature sr={hub-name}.azure-devices.net%2Fdevices%2F{device-name}&sig={generated signature here}&se={se number here} where I have generated the SAS token string using both Azure IoT explorer and the az iot hub generate-sas-token command

When generating the SAS token I've used a long enough expiration to get me through a day's worth of testing but I have also tried shorter periods like 5 and 60 minutes.

It isn't clear to me why this error occurs or how to prevent its reoccurrence. Is there anything else I can check? Any suggestions on what to do differently?

azure-iot-hub
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

AshokPeddakotla-MSFT avatar image
0 Votes"
AshokPeddakotla-MSFT answered crickard commented

@ChrisRickard-4531 Welcome to Microsoft Q&A forum!

I have been trying to develop some simple code to connect to Azure IoT Hub via MQTT. I have been periodically successful in connecting but after a period of time, I begin to receive a "connection refused: not authorized" error.

Could you please confirm which SDK are you using?

The MQTT port (8883) is blocked in many corporate and educational networking environments. If you can't open port 8883 in your firewall, we recommend using MQTT over Web Sockets. MQTT over Web Sockets communicates over port 443, which is almost always open in networking environments. To learn how to specify the MQTT and MQTT over Web Sockets protocols when using the Azure IoT SDKs, see Using the device SDKs.

What is the Default keep-alive timeout you have set?

By default, the token lifespan is 60 minutes for all SDKs; however, it can be changed by developers in some of the SDKs. The following table summarizes the token lifespan, token renewal, and token renewal behavior for each of the SDKs: Please see Default keep-alive timeout and MQTT device disconnect behavior with Azure IoT SDKs for more details.

204615-image.png

This error can also occurs because, for MQTT, some SDKs rely on IoT Hub to issue the disconnect when the SAS token expires to know when to refresh it. So,

  • The SAS token expires

  • IoT Hub notices the expiration, and disconnects the device with 401003 IoTHubUnauthorized

  • The device completes the disconnection with 404104 DeviceConnectionClosedRemotely

  • The IoT SDK generates a new SAS token

  • The device reconnects with IoT Hub successfully

  • Or, IoT Hub couldn't authenticate the auth header, rule, or key. This could be due to any of the reasons cited in the symptoms.

To resolve this error, no action is needed if using IoT SDK for connection using the device connection string. IoT SDK regenerates the new token to reconnect on SAS token expiration.

The default token lifespan is 60 minutes across SDKs; however, for some SDKs the token lifespan and the token renewal threshold is configurable. Additionally, the errors generated when a device disconnects and reconnects on token renewal differs for each SDK. To learn more, and for information about how to determine which SDK your device is using in logs, see MQTT device disconnect behavior with Azure IoT SDKs and 401003 IoTHubUnauthorized for troubleshooting guide.

Do let us know if you have any further queries.


If an answer is helpful, please click on 130616-image.png or upvote 130671-image.png which might help other community members reading this thread.


image.png (16.3 KiB)
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thank you. I appreciate the additional information about SAS tokens. In my original post, I mentioned using MQTT Explorer to separate issues with the code vs issues with the connection. I am not seeing anything in the logs. How can I determine why a connection isn't working?

Could you please confirm which SDK are you using?

NodeJS

The MQTT port (8883) is blocked in many corporate and educational networking environments.

This should not be an issue. Please note that in my original post, I mentioned that I am able to connect until the connection craps out. If 8883 was blocked, I should not ever be able to connect, correct?

What is the Default keep-alive timeout you have set?

Please note that in my original post, I mentioned that when generating the SAS token I've used a long enough expiration to get me through a day's [8 hours] worth of testing but I have also tried shorter periods like 5 and 60 minutes.

0 Votes 0 ·