Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,183 questions
Azure Storage User Delegation SAS Token signature does not match
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 4%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
Nais
0
Reputation points
I'm trying to connect my server (Salesforce) to Azure.
I have set up a connected app (app registration in Entra).
I'm trying to get my delegation key and generate a SAS token for my user(s).
In Salesforce, I'm calling the Get User Delegation Key endpoint and receiving a key.
I pass the user delegation key into my SAS token builder class.
Then I generate my SAS token and sign it with the value from the user delegation key.
Apex (the backend language used on the Salesforce platform) can't import any libraries like Java can, so I'm writing it out instead of using the SDKs.
I've gone through the docs line-by-line and I just don't see where my code is deviating from what I'm being instructed to do. I've tried so many permutations and read through so many other solutions and I don't see where mine is differing, so I'm here to beg for help, sorry!
So, when I call the backend method that issues a token, everything works and it does issue a token (just hardcoded stuff for now in the URL format for easy testing). When I use the URL, Azure claims that the signature does not match. Here's my code class:
private class TokenGenerator {
private UserDelegationKey userDelegationKey;
private String accountName = 'teststorageaccount1g43gw';
private String containerName = 'test-partners-1';
private String signedVersion = '2022-11-02';
private String signedResource = 'c';
private String signedPermissions = 'racwdl';
private String signedStart = DateTime.now().formatGmt('yyyy-MM-dd\'T\'HH:mm:ss\'Z\'');
private String signedExpiry = DateTime.now().addHours(1).formatGmt('yyyy-MM-dd\'T\'HH:mm:ss\'Z\'');
private String signedProtocol = 'https';
private String signature;
private String token;
private Exception error;
private Boolean execute() {
List<String> parameters = new List<String>();
parameters.add('sp=' + this.signedPermissions);
parameters.add('st=' + this.signedStart);
parameters.add('se=' + this.signedExpiry);
parameters.add('skoid=' + this.userDelegationKey.signedKeyObjectId);
parameters.add('sktid=' + this.userDelegationKey.signedKeyTenantId);
parameters.add('skt=' + this.userDelegationKey.signedKeyStart);
parameters.add('ske=' + this.userDelegationKey.signedKeyExpiry);
parameters.add('sks=' + this.userDelegationKey.signedKeyService);
parameters.add('skv=' + this.userDelegationKey.signedKeyVersion);
parameters.add('spr=' + this.signedProtocol);
parameters.add('sv=' + this.signedVersion);
parameters.add('sr=' + this.signedResource);
String stringToSign = String.join(new List<String>{
this.signedPermissions,
this.signedStart,
this.signedExpiry,
'/blob/' + this.accountName + '/' + this.containerName,
this.userDelegationKey.signedKeyObjectId,
this.userDelegationKey.signedKeyTenantId,
this.userDelegationKey.signedKeyStart,
this.userDelegationKey.signedKeyExpiry ,
this.userDelegationKey.signedKeyService,
this.userDelegationKey.signedKeyVersion,
/* signedAuthorizedUserObjectId */ '',
/* signedUnauthorizedUserObjectId */ '',
/* signedCorrelationId */ '',
/* signedIP */ '',
this.signedProtocol,
this.signedVersion,
this.signedResource,
/* signedSnapshotTime */ '',
/* signedEncryptionScope */ '',
/* rscc */ '',
/* rscd */ '',
/* rsce */ '',
/* rscl */ '',
/* rsct */ ''
}, '\n');
System.debug(stringToSign);
String signature = EncodingUtil.base64Encode(Crypto.generateMac('HMACSHA256', Blob.valueOf(EncodingUtil.urlDecode(stringToSign, 'UTF-8')), this.userDelegationKey.signedKeyValue));
parameters.add('sig=' + EncodingUtil.urlEncode(signature, 'UTF-8'));
this.token = 'https://' + this.accountName + '.blob.core.windows.net/' + this.containerName + '?' + String.join(parameters, '&');
this.token += '&restype=container&comp=list'; // TODO: Remove this bit and maybe the URL part
System.debug(this.token);
return true;
}
}
Of note is the stringToSign variable, I've copied the structure directly from the docs. It's the latest one since I'm using a version past the last update to that structure. The docs don't specify whether to add the new lines between values that I'm not providing (I've filled out all values marked as 'required' but not the others). Due to that, also tried it with and without those new lines, with and without a trailing new line too just in case etc. When it claims that the signature doesn't match, it shows the signature it produced. I have tried to copy that and just replace the dates and redo it and it still fails. I saw in a few threads that it may erroneously produce that error if you're not looking at a valid resource, so I am using the full URL format for testing with a proper REST request there.
I'm really not sure what to do at this point. Here's an example of my request and the response:
stringToSign:
racwdl
2024-09-27T15:11:10Z
2024-09-27T16:11:10Z
/blob/teststorageaccountXXXXXXXXXXXXXXXXXX/test-partners-1
49f2f4d0-07c3-4575XXXXXXXXXXXXXXXXXX
2c04bea5-efb6-4f90XXXXXXXXXXXXXXXXXX
2024-09-27T15:11:10Z
2024-09-27T16:11:10Z
b
2022-11-02
(+4 new lines)
https
2022-11-02
c
Error 403
<Error>
<Code>AuthenticationFailed</Code>
<Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:c9c2c9b3-601e-00e6-25ef-10555c000000 Time:2024-09-27T15:12:34.6514107Z</Message>
<AuthenticationErrorDetail>Signature did not match. String to sign used was racwdl 2024-09-27T15:11:10Z 2024-09-27T16:11:10Z /blob/teststorageaccountXXXXXXXXXXXXXXXXXX/test-partners-1 49f2f4d0-07c3-4575XXXXXXXXXXXXXXXXXX 2c04bea5-efb6-4f90XXXXXXXXXXXXXXXXXX 2024-09-27T15:11:10Z 2024-09-27T16:11:10Z b 2022-11-02 https 2022-11-02 c </AuthenticationErrorDetail>
</Error>
(And just to reiterate, I have tried with new lines, truncating repeated new lines, using spaces instead like the one it shows me, etc)
Thank you!
{count} votes
-
Nais 0 Reputation points
2024-09-27T15:23:17.2233333+00:00 I forgot to add, I have given the app, Blob owner, contributor and delegator, just tried everything I could think of lol
-
Sumarigo-MSFT 46,286 Reputation points Microsoft Employee2024-09-29T12:52:41.51+00:00 @Nais Apoloigies for the delay reponse I am check on your thread.
-
Nais 0 Reputation points
2024-09-30T10:43:53.7866667+00:00 No problem! Look forward to seeing if you have any ideas 😊
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 31%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVK%3C/text%3E%3C/svg%3E)
Vinod Kumar Reddy Chilupuri 485 Reputation points Microsoft Vendor2024-10-01T00:54:08.48+00:00 Hi Nais,
Welcome to Microsoft Q&A, thanks for posting your query.I understand that you’re encountering an authentication issue with Azure Storage services and the error message you are getting "authenticationfailed, server failed to authenticate the request. make sure the value of authorization header is formed correctly including the signature" typically occurs when there is issue in authenticating the user request.
Ensure that the user delegation key obtained form the salesforce is valid and not expired. You can also check when the key will be expired using SIGNEDEXPIRY property.
Ensure that the string-to-sign used to generate the SAS token follows the correct format. The permissions string must match the permissions you want to give access. Verify that these permissions are correctly set and in the correct order. Make sure the SAS token and the Azure server timings are synchronized. https://zcusa.951200.xyz/en-us/azure/storage/common/storage-sas-overview.
Check if there are any network connectivity issues. Make sure that there are no network connectivity issues that may be preventing the request from being authenticated. Verify System Time (Make sure that the system time on the machine generating the SAS token is accurate. A significant time discrepancy could lead to authentication failures).
The other part of the error is AuthenticationError tells that "Signature did not match".
Make sure the string-to-sign is correctly formatted with the appropriate values for permissions, services, resource types, and other fields. Once check the order of the resource type of the SAS token whether it is formatted and given correctly in the SAS token. Check the values in the string-to-sign that match the parameters you are passing to generate the SAS token.
Reference: https://zcusa.951200.xyz/en-us/rest/api/storageservices/create-user-delegation-sas
Similar SO thread for reference :
https://zcusa.951200.xyz/en-us/answers/questions/1855229/signature-did-not-match-error
https://stackoverflow.com/questions/25038429/azure-shared-access-signature-signature-did-not-match
Please let us know if you have any further queries. I’m happy to assist you further.
-
Vinod Kumar Reddy Chilupuri 485 Reputation points Microsoft Vendor
2024-10-08T06:16:57.37+00:00 Hi Nais,
We hope the above answer helped if yes please Upvote else, please let us know if you have any further queries. I’m happy to assist you further. -
Vinod Kumar Reddy Chilupuri 485 Reputation points Microsoft Vendor
2024-10-09T01:08:59.4833333+00:00 Hi Nais,
Just checking in to see if the above answer helped. If this answers your query, please don’t forget to "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
Sign in to comment
Sign in to answer