You are viewing limited content. For full access, please sign in.

Question

Question

Issues downloading some files from a fileshare blob using HTTP Web Request

Workflow Integrations
Updated January 27
asked on December 11, 2024

As part of an integration I'm working on in Workflow, I query a database table and pull back information about documents including a web based fileshare path. Part of the path is uniform for all documents, and part of it is unique. If I enter the path into a browser, they all work as expected and I can view the pdf documents. 

In the HTTP Web Request, for the Web Service I enter the part of the path that is uniform, and then for the URI part I enter the rest of the path. Some of these documents are downloaded correctly, allowing me to create an entry and attach the document. For the rest, I get a 403 error and in the tokens it shows the httpwebrequest_content as follows (specific path information removed):

<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthenticationFailed</Code><Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:1e8836ef-001e-0017-49f7-4bb7bd000000
Time:2024-12-11T18:06:17.1543467Z</Message><AuthenticationErrorDetail>Signature did not match. String to sign used was r
2024-08-09T14:33:14Z
2025-08-09T14:33:14Z
/blob/<path>/<path>/<path>/17#2463-2024-08-09T14:33:14+00:00.pdf

2018-03-28


</AuthenticationErrorDetail></Error>

 

Any suggestions? The vendor that hosts the software we're trying to integrate with says there are no authentication requirements, and that since it works in a browser there's nothing on their end that would be stopping this.

3 0

Replies

replied on January 23

Googling that error turns up info like https://stackoverflow.com/questions/25038429/azure-shared-access-signature-signature-did-not-match and https://learn.microsoft.com/en-us/answers/questions/956905/signature-did-not-match-error-only-occurs-when-sas . It seems more like some of the access urls are invalid, though Workflow escaping or not escaping some characters could also be a possibility. If you could compare a list of urls that worked with a list that didn't that might shed some light.

1 0
replied on December 11, 2024 Show version history

Hi Michael,

  1. Sanity check that the requests from Workflow are not first routed through an outbound proxy appliance. If so, it's possible the authentication error is coming from the outbound proxy intercepting the request. Make no assumptions here. I've worked on more than a few support cases where the issue turned out to be a "surprise" forward proxy intercepting outbound web requests that the customer's Laserfiche admins had no idea existed.
     
  2. There are a few ways to investigate if there's a forward proxy in play:
    1. Ask the customer's networking/security team if there's a forward/outbound HTTP proxy in use that could potentially apply to traffic coming from the Workflow server.
    2. Inspect the "Server" HTTP response header of the failed calls and check for any values that might indicate they're coming from a web server you don't expect.
    3. Ask the vendor hosting the software to pull their web server logs around the timestamp (+- a few seconds) and confirm if their services sent that HTTP response or not. If there's no record of them sending the response, that's a good (not definitive) indication the request never made it to them, likely because something in the middle intercepted it.
       
  3. If they do have a record of sending the response in their web server log, you should push them on why their service is returning HTTP 403 Forbidden responses with "<Code>AuthenticationFailed</Code><Message>Server failed to authenticate the request." if "there are no authentication requirements".
    1. Bluntly, when there are no authentication requirements, servers do not typically return a HTTP 403 Forbidden with a response body containing "AuthenticationFailed" error codes explicitly stating that they failed to authenticate a request. 
       
  4. The statement "since it works in a browser there's nothing on [the hosting vendor] end that would be stopping this" is not a valid claim whatsoever. Modern browsers are incredibly complex pieces of software that handle many, many things for you behind the scenes. This service may have implicit dependencies on browser behavior whoever you're talking to isn't aware of.
     
  5. You should try to reproduce the issue using a different and standard headless/non-browser HTTP request method, such as Postman, curl, or the PowerShell Invoke-WebRequest (for HTML) or Invoke-RestMethod (for XML/JSON) (note 1, note 2) commands. This completely removes Laserfiche from the equation and replaces it with a widely used, freely available, industry standard method of making headless HTTP requests.
    1. Try this first from the same machine that's running Workflow.
    2. If the issue is reproducible there, next try reproducing it from a client machine on the same network rather than a server.
    3. If the issue is still reproducible there, next try reproducing it from a client machine on an entirely different network.
    4. If the issue is still reproducible there, you have more than enough evidence to open a bug report/support case with the vendor. Send them the Postman/curl/PowerShell/etc. script you used to reproduce the issue along with the test cases and logs with the requests and responses for each, and request they attempt to reproduce the issue on their end.

 

Hopefully that gives you some leads to further troubleshoot the matter.

0 0
replied on January 23

Thanks Sam.

I had the client IT check and they're not filtering or routing through an outbound proxy. And that seems to align with the fact that I can get some of the documents to download via the workflow activity, just not others. 

I'm working to get the vendor to check the logs on the server to report back what they are seeing. I did as you asked testing outside of Workflow via the Powershell Invoke-WebRequest from the client server, and that's working as expected, I'm able to successfully download the file. 

At this point, the only failure I am seeing is when Workflow's HTTP Web Request Activity tried to get some of the files. Any thing else you can think of?

 

0 0
replied on January 24

Thanks Brian. So if there is an issue with 'escaping or not escaping some characters', do you have a suggestion about how I could go about resolving that?  From what I'm seeing, things should already be encoded, and I've tried decoding via the workflow function with no changes. 


This is the tail end of a URL that successfully downloads:

2024.02.01_Glade_Spring_Crossing_Prelim_Plat-sealed_Thu_Feb_1_2024_13-40-39.pdf?st=2024-02-01T19%3A00%3A29Z&se=2025-01-31T19%3A00%3A29Z&sp=r&sv=2018-03-28&sr=b&sig=dwLaqZBLyLFW946hTeUw1rqmaXlpz9Y%2FVsOku9pXBMU%3D

And this is the tail end of a URL that fails: 

18%232596-2024-09-10T12%3A00%3A42%2B00%3A00.pdf?st=2024-09-10T12%3A00%3A42Z&se=2025-09-10T12%3A00%3A42Z&sp=r&sv=2018-03-28&sr=b&sig=8nf45XvWxTAfJTH1TSNcKRz%2BsUMnhLEBhz99cQmuSMQ%3D

Anything else earlier in the URL is identical and would not be sharable as it's client identifiable and would allow anyone to download the documents. I hope this helps identify something as they look pretty similar to me.

 

0 0
replied on January 24

Those 2 urls appear to be generally consistent, in terms of "sig" being a base64-encoded string, url encoded. They both contain 2 of the base64 alphabet that requires url encoding, so that's not a differentiator. If you had more data maybe something would jump out, but there isn't anything obviously wrong that I see.

As you say, these urls are sensitive, but if you can work out how to log them securely as they are generated that would go a long way to determining how/if they are changed.

0 0
replied on January 24 Show version history

You could also use Fiddler to inspect the headers from Workflow. The error message does specifically call out an Authorization header: "Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature."

I will also re-raise reaching back out to this vendor since these are clearly using Shared Access Signatures, a standard authorization method for accessing Azure storage resources. This Stack Overflow post Is an authorization header required by the azure storage shared access signature (SAS) REST API says:

If you're using sas_token in the request url, then you don't need to provide Authorization in the header.

Those request URLs clearly contain the SAS token element, so you shouldn't need a separate Authorization header. However, if one is being sent, that could be causing a conflict. You might want to go double check that you don't have any authentication methods enabled on the Web Service external object in Workflow that might be adding one. 

1 0
replied on January 27 Show version history

Thanks. I have captured 3 separate attempts in Fiddler. 

1- Workflow with a URL that was successful

2- Workflow with a URL that failed

3- Poweshell with the same URL that fails in workflow, but is successful from Powershell

The only difference I'm really seeing is on both successful scenarios, in the GET, right after the full URL that it sends including the unique component for each document, I see:

User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.7426 (or Accept: text/html for the attempt in Workflow)
Host: <serverURLminus the unique component>
Connection: Keep-Alive

HTTP/1.1 200 OK
Content-Length: 79084
Content-Type: application/octet-stream
Content-MD5: yfi/JNFWJMLJF/o0fI0+MA==
Last-Modified: Tue, 10 Sep 2024 12:00:42 GMT
Accept-Ranges: bytes
ETag: "0x8DCD190324E9014"
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: eeb1eaa4-501e-001a-23de-707f69000000
x-ms-version: 2018-03-28
x-ms-creation-time: Tue, 10 Sep 2024 12:00:42 GMT
x-ms-lease-status: unlocked
x-ms-lease-state: available
x-ms-blob-type: BlockBlob
x-ms-server-encrypted: true
Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Last-Modified,ETag,x-ms-creation-time,Content-MD5,x-ms-lease-status,x-ms-lease-state,x-ms-blob-type,x-ms-server-encrypted,Accept-Ranges,Content-Length,Date,Transfer-Encoding
Access-Control-Allow-Origin: *
Date: Mon, 27 Jan 2025 17:14:38 GMT

 

followed by the rest of the info where it's downloading the document.

 


And on the failed workflow attempt I see:

Accept: text/html
Host: <serverURLminus the unique component>

 

HTTP/1.1 403 Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
Content-Length: 572
Content-Type: application/xml
Server: Microsoft-HTTPAPI/2.0
x-ms-request-id: e85ca679-401e-00e2-7adc-702397000000
x-ms-error-code: AuthenticationFailed
Access-Control-Expose-Headers: x-ms-request-id,x-ms-error-code,Content-Length,Date,Transfer-Encoding
Access-Control-Allow-Origin: *
Date: Mon, 27 Jan 2025 16:55:27 GMT

<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthenticationFailed</Code><Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:e85ca679-401e-00e2-7adc-702397000000
Time:2025-01-27T16:55:27.6959717Z</Message><AuthenticationErrorDetail>Signature did not match. String to sign used was r
2024-09-10T12:00:42Z
2025-09-10T12:00:42Z
/blob/<fullDocumentURL>

2018-03-28


</AuthenticationErrorDetail></Error>

 

 

 

I am engaging with the vendor on this, but any insight you may have would be helpful as well. 

0 0
You are not allowed to follow up in this post.

Sign in to reply to this post.

Details
Related Posts
Loading ...