4

I am calling the Azure REST List Subscription Operation.

On my dev machine I have installed the certificate into Current User\Personal. I can successfully call the API and get a response back. Response code = 200

On a test box I have installed the same certificate into Current User\Personal. I cannot call the API. I get a 403 forbidden. Full error below:

    <Error>
        <Code>AuthenticationFailed</Code>
        <Message>The server failed to authenticate the request.
        Verify that the certificate is valid and is associated with this subscription.
        </Message>
    </Error>

So I check the certificate, it is valid from earlier today (as it was imported today) and valid to January 2040. So I presume it is valid?

Questions:

  1. The same code/project/service works on my local machine but not on the test box. Why?
  2. The certificate thumbprint is the same, the certificates are the same. The certificate is associated to the Subscription azure account because it works locally! Why?
  3. What else should I check? I know that both the local and the test box service attaches the certificate to the web request (I know this through verbose logging) but at the point of

    HttpWebResponse webResponse = webRequest.GetResponse() as HttpWebResponse;

I receive the 403 forbidden error.

Going out of my mind on this one.

Update:

In the response which I view in Fiddler, the beginning of the response is:

    HTTP/1.1 403 Forbidden
    Content-Length: 294
    Content-Type: application/xml; charset=utf-8
    Server: Microsoft-HTTPAPI/2.0
    Date: Fri, 27 Sep 2013 02:49:59 GMT

Now I am wondering whether the Date part is the issue. I remember reading that the Date must be within 15 minutes of the request. On the test box the current time is 12:49pm so it seems the date returned is "ahead" by 2 hours. Could this be why? Or is that response just Fiddler's interpretation of a date?

abatishchev
andrewb
  • 403 error generally means an issue with the certificate. Per your other thread posted earlier, I recall that you had issues with certs on your test box. One thing you could do is create a brand new certificate on your test box instead of importing from dev box and use that certificate for authenticating API requests. – Gaurav Mantri Sep 27 '13 at 03:31
  • Yes I thought of doing that however the box is locked down and makecert is not installed. – andrewb Sep 27 '13 at 03:37
  • One more thought - create a certificate on some other machine and then import it on the dev box like you did on test box. That way you will be able to recreate test environment (as far as certificate goes) on your dev box. Also, not sure if your test box has IIS installed on it but you could create certificate using IIS as well. – Gaurav Mantri Sep 27 '13 at 03:39
  • I managed to install makecert on the dev box, created a certificate, uploaded it to Azure and ran service. Still get 403 forbidden. – andrewb Sep 27 '13 at 04:03
  • This is totally weird. I even tried by changing the date/time on my computer and everything worked well. Just a side note: have you thought about implementing your solution using publish settings file? – Gaurav Mantri Sep 27 '13 at 07:25
  • I got the same problem. First I thought it is because of an expired certificate (2012) which worked until now so I created a new one but this didn't help... It just stopped working from one moment to another :( – SeriousM Oct 03 '13 at 09:21

1 Answer

1

Exporting the certificate from my development machine in PFX format along with the private key and then importing that PFX certificate on the production machine is what solved the authentication/certificate problem in my case.

ueberboss
  • Azure only allows .cer files, how to do this for PFX? – Anuj Pandey Sep 29 '14 at 15:01
  • Yes, for Azure you only upload the .CER file (Azure > Settings > Management Certificates). In my answer I was referring to the setup of my server that communicates with Azure - there I had to install the correct certificate to get it working. – ueberboss Dec 03 '14 at 13:35
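A check for the condition the answer describes, as an added example that is not part of the original posts: it looks up the management certificate in Current User\Personal and reports whether its private key was imported with it, which a matching thumbprint and valid dates do not show. The thumbprint is a placeholder and the class name is made up for illustration.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

static class ManagementCertCheck
{
    // Placeholder (assumption): replace with the thumbprint of your management certificate.
    const string Thumbprint = "<THUMBPRINT-PLACEHOLDER>";

    static int Main()
    {
        // CurrentUser\My is "Current User\Personal". The store is per account,
        // so run this as the same account that makes the API call.
        Console.WriteLine("Store: CurrentUser\\My, account: {0}\\{1}",
            Environment.UserDomainName, Environment.UserName);

        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly: false, so a self-signed certificate (e.g. from makecert)
            // is still returned even though its chain is not trusted.
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, Thumbprint, false);

            if (matches.Count == 0)
            {
                Console.WriteLine("No certificate with that thumbprint in this account's store.");
                return 1;
            }

            X509Certificate2 cert = matches[0];
            DateTime now = DateTime.Now; // NotBefore/NotAfter are local time
            bool inValidity = now >= cert.NotBefore && now <= cert.NotAfter;

            Console.WriteLine("Subject:       {0}", cert.Subject);
            Console.WriteLine("Valid:         {0} to {1} (currently valid: {2})",
                cert.NotBefore, cert.NotAfter, inValidity);
            // False means only the public part (.cer) was imported. Without the
            // private key the certificate cannot be used for client authentication;
            // the PFX export/import in the answer carries the key across.
            Console.WriteLine("HasPrivateKey: {0}", cert.HasPrivateKey);

            return cert.HasPrivateKey && inValidity ? 0 : 2;
        }
        finally
        {
            store.Close();
        }
    }
}
```

Run it on both machines under the account that makes the request; a box that prints `HasPrivateKey: False` has the same thumbprint and dates as the working one but only the public half of the certificate.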