Can't access blob from Azure Windows VM

Greg Pringle 31 Reputation points
2020-10-21T22:21:00.547+00:00

Strangely, we have an issue where we can't download a blob from an Azure Windows VM but it works perfectly from anywhere else on the internet. I see this:

<Error>  
<Code>AuthorizationFailure</Code>  
<Message>This request is not authorized to perform this operation. RequestId:0a458489-901e-0003-05f4-a735a6000000 Time:2020-10-21T21:49:08.1475023Z</Message>  
</Error>  

If I wait until the authorization has expired and refresh I get a different error about the signature expired.

If I download the same blob from a physical PC it works fine. I can't find any kind of IP or region restrictions set on our Azure Blob Storage account or container.
I'm using the new Edge browser in all cases.
I checked the timezone and time on the VM and they look correct.

The troubleshooter came back with this:

Between 10/21/2020 9:49:06 PM (UTC) UTC and 10/21/2020 9:56:16 PM (UTC) UTC certain connections to the storage account marsworxtest were blocked. The current firewall rule on the storage account doesn't allow traffic originating from those IP addresses.

Only the following IPs or VNet/subnet are allowed to access storage account:

Rules
No firewall rules are found at time 10/21/2020 10:16:31 PM(UTC), which might have been changed since incident time 10/21/2020 9:49:06 PM(UTC)

TimeStamp 10/21/2020 9:49:08 PM
Server RequestId 0a458489-901e-0003-05f4-a735a6000000
Operation Unknown
Status AuthorizationFailure
Error Detail
Client IpAddress <MyIPV6ip here>:52905
User SAS
User Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.80 Safari/537.36 Edg/86.0.622.48
Request URL https://mybloburl/file.msi?sv=2019-07-07&sr=b&sig=XXXXX&sip=<MyIPV4ip here>&st=2020-10-21T21%3A49%3A03Z&se=2020-10-21T21%3A54%3A08Z&sp=r
Server Logs
There may be more client IPs for which requests were blocked. To get the exhaustive list, review the storage analytics log.

The network settings look like this:

34201-image.png


Accepted answer
  1. deherman-MSFT 34,356 Reputation points Microsoft Employee
    2020-10-29T17:03:33.593+00:00

    Posting here for community visibility, in case others face a similar issue. Since traffic between the storage account and virtual machine was inside the same region, it was not utilizing the public IP of the VM. As a workaround you opted to use a VM in another region which worked for you.


2 additional answers

  1. deherman-MSFT 34,356 Reputation points Microsoft Employee
    2020-10-22T18:37:00.923+00:00

    @Greg Pringle Apologies for the delay responding here and any inconvenience this issue may have caused. In the error details I notice you specify "Client IpAddress <MyIPV6ip here>:52905". I noticed in the SAS token that you have "sip=<MyIPV4ip here>". Are you able to create a SAS token that doesn't restrict access to a specific IP address to see if that works? SAS tokens do not currently support IPv6 addresses.

    Please try this out and let me know if it resolves your issue.

    -------------------------------

    Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.


  2. Greg Pringle 31 Reputation points
    2020-10-22T20:21:26.033+00:00

    @deherman-MSFT Thank you for your response. It's difficult for me to change the token restriction and I don't think we'd want to do it on a permanent basis.
    I can try to arrange it on a temporary basis if it will help track down the issue.

    I tried disabling IPV6 on the Azure Windows VM I am testing by unchecking the IPV6 setting on the adapter in the guest VM. I still get the same error message.
    The IP address in the URL matches the IP address I see if I go to www.ipchicken.com on a browser from the VM.

    When I run the troubleshooter it still shows an IPV6 address in the client IP Address.
    Is there some other way I need to disable IPV6 on the VM?

    The network adapter in the Azure portal shows blank for IPV6 address:
    Private IP address (IPv6) : -
    Public IP address (IPv6) :-
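
An added example (not part of any post in this thread and not Microsoft tooling): a small Python check that compares a SAS URL's `sip`, `st` and `se` parameters with the client IP and timestamp the storage service logged for a request, which is the comparison the answers above make by hand. The function names are hypothetical, the IP addresses are constructed documentation-range values, and the times are the ones shown in the troubleshooter output.

```python
import ipaddress
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed sample: same shape as the Request URL in the troubleshooter output,
# with a documentation-range IPv4 address standing in for the redacted sip value.
SAMPLE_URL = ("https://mybloburl/file.msi?sv=2019-07-07&sr=b&sig=XXXXX"
              "&sip=203.0.113.10&st=2020-10-21T21%3A49%3A03Z"
              "&se=2020-10-21T21%3A54%3A08Z&sp=r")

def parse_sas_time(value):
    """Parse a SAS st/se value such as 2020-10-21T21:49:03Z into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def sip_allows(sip, client_ip):
    """True if client_ip is inside sip (a single address or a 'start-end' range)."""
    client = ipaddress.ip_address(client_ip)
    start, _, end = sip.partition("-")
    lo = ipaddress.ip_address(start)
    hi = ipaddress.ip_address(end or start)
    # An IPv6 client can never match an IPv4 sip: this is the mismatch in the thread.
    if client.version != lo.version:
        return False
    return lo <= client <= hi

def check_sas(url, client_ip, request_time):
    """Return the reasons this SAS would not cover the logged request (empty list = none)."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    problems = []
    if "st" in q and request_time < parse_sas_time(q["st"]):
        problems.append("before start time (st)")
    if "se" in q and request_time > parse_sas_time(q["se"]):
        problems.append("signature expired (se)")
    if "sip" in q and not sip_allows(q["sip"], client_ip):
        problems.append(f"client {client_ip} outside sip={q['sip']}")
    return problems

if __name__ == "__main__":
    logged_at = parse_sas_time("2020-10-21T21:49:08Z")  # TimeStamp from the log
    # Pass the logged Client IpAddress without its :port suffix (constructed IPv6 value).
    print(check_sas(SAMPLE_URL, "2001:db8::1234", logged_at))
```

The client address to test is the one the storage service recorded, not the one a public "what is my IP" site reports from the VM.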