Azure Data Lake integration with Business Central, API returns authorization error on signature string

Stefan Alexandru 0 Reputation points
2024-06-04T10:45:36.8066667+00:00

Hello,

I'm trying to integrate Business Central (SaaS) with Azure Data Lake.

The Azure service uses Shared Access Key authorization.

I am building my authorization string according to the API documentation:

I decode my access key from base 64;

I build my signature string (with all appropriate \n) exactly like the one that's coming back from the API with the error;

I encrypt the signature string with an HMACSHA256 algorithm (using Cryptography Management) with the decoded access key;

I encode the whole encrypted signature to base64 and set it in an authorization header on my http request message:

HttpRequestMessage.SetHeader('Authorization', StrSubstNo('SharedKey %1:%2', AzureDataLakeSetup."Storage Account Name", SignedString));

I am fairly certain that the string I use to generate the authorization signature is correct, yet I keep getting the same error:

Error message:

<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthenticationFailed</Code><Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.

RequestId:3f881326-501e-0041-656a-b6df29000000

Time:2024-06-04T10:35:37.9596818Z</Message><AuthenticationErrorDetail>The MAC signature found in the HTTP request 'ODM5QTNFNzQ0REIyMUQ4MzhCQzE0RjVFODdBNzBDODA0QThFOUFCMzdBQjI4RjQxQTAxWzk0RURBMjExODg2Mg==' is not the same as any computed signature. Server used following string to sign: 'GET

x-ms-date:Tue, 04 Jun 2024 13:35:37 GMT

x-ms-version:2020-04-08

/<<Account NAME>>/

comp:stats

restype:service'.</AuthenticationErrorDetail></Error>


1 answer

  1. Nehruji R 4,131 Reputation points Microsoft Vendor
    2024-06-05T09:24:27.7666667+00:00

    Hello Stefan Alexandru,

    Greetings! Welcome to Microsoft Q&A Platform.

    I understand that you are receiving the "AuthenticationFailed: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature." error when you try to use the Put Range API.

    Please go through the steps mentioned here, which discuss this error and the troubleshooting steps for it: https://techcommunity.microsoft.com/t5/azure-paas-blog/the-mac-signature-found-in-the-http-request-xxxx-is-not-the-same/ba-p/3293726

    Every secure request to an Azure Storage account must be authorized. By default, requests can be authorized with either Microsoft Entra credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Microsoft Entra ID provides superior security and ease of use over Shared Key, and is recommended by Microsoft. To require clients to use Microsoft Entra ID to authorize requests, you can disallow requests to the storage account that are authorized with Shared Key. Refer to: https://video2.skills-academy.com/en-us/azure/storage/common/shared-key-authorization-prevent?tabs=portal#detect-the-type-of-authorization-used-by-client-applications

    When you disallow Shared Key authorization for a storage account, Azure Storage rejects all subsequent requests to that account that are authorized with the account access keys. Only secured requests that are authorized with Microsoft Entra ID will succeed. For more information about using Microsoft Entra ID, see Authorize access to data in Azure Storage.

    A couple of additional workarounds are mentioned here: https://stackoverflow.com/questions/24492790/azurestorage-blob-server-failed-to-authenticate-the-request-make-sure-the-value.

    Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.


    Please “Accept the answer” and “up-vote” wherever the information provided helps you; this can be beneficial to other community members.

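As an added example (not part of the thread and not code from either poster), this Python sketch rebuilds the Shared Key string-to-sign for the request shown in the error and signs it, next to a common failure mode where Base64 is applied to the hex text of the HMAC instead of its raw bytes. The account name and key are constructed placeholders; `classify` is a hypothetical helper that checks the decoded length of a signature. The rejected signature quoted in the error above decodes to 64 ASCII bytes, where a raw HMAC-SHA256 digest is 32 bytes.

```python
import base64
import hashlib
import hmac

# Constructed sample values, not real credentials.
ACCOUNT = "exampleaccount"
ACCOUNT_KEY_B64 = base64.b64encode(bytes(range(64))).decode()
# Rejected signature copied from the error message in the question.
REJECTED_SIG = ("ODM5QTNFNzQ0REIyMUQ4MzhCQzE0RjVFODdBNzBDODA0QThFOUFC"
                "MzdBQjI4RjQxQTAxWzk0RURBMjExODg2Mg==")

def string_to_sign(account, x_ms_date, x_ms_version):
    """Shared Key string for GET /?restype=service&comp=stats with no body."""
    standard_headers = [""] * 11  # Content-Encoding through Range, all empty
    canonical_headers = f"x-ms-date:{x_ms_date}\nx-ms-version:{x_ms_version}\n"
    canonical_resource = f"/{account}/\ncomp:stats\nrestype:service"
    return ("GET\n" + "".join(h + "\n" for h in standard_headers)
            + canonical_headers + canonical_resource)

def digest(key_b64, text):
    """HMAC-SHA256 over the UTF-8 string, keyed with the Base64-decoded key."""
    key = base64.b64decode(key_b64)
    return hmac.new(key, text.encode("utf-8"), hashlib.sha256).digest()

def sign(key_b64, text):
    """Correct encoding: Base64 over the 32 raw digest bytes (44 characters)."""
    return base64.b64encode(digest(key_b64, text)).decode()

def sign_hex_text(key_b64, text):
    """Failure mode: Base64 over the hex text of the digest (88 characters)."""
    return base64.b64encode(digest(key_b64, text).hex().upper().encode()).decode()

def classify(sig_b64):
    """Tell a raw-digest signature from one built over a text rendering."""
    raw = base64.b64decode(sig_b64)
    if len(raw) == 32:
        return "raw-digest"
    if len(raw) == 64 and raw.isascii():
        return "text-of-digest"
    return "unexpected"

def authorization_header(account, key_b64, text):
    return f"SharedKey {account}:{sign(key_b64, text)}"

if __name__ == "__main__":
    sts = string_to_sign(ACCOUNT, "Tue, 04 Jun 2024 13:35:37 GMT", "2020-04-08")
    print(authorization_header(ACCOUNT, ACCOUNT_KEY_B64, sts))
    print("hex-text variant:", classify(sign_hex_text(ACCOUNT_KEY_B64, sts)))
    print("signature from the error:", classify(REJECTED_SIG))
```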