microsoft
`Server failed to authenticate the request.` when connecting to Azure storage
I'm hitting the following error when attempting to use my identity to acces a task hub:
[2025-07-31T09:30:12.080Z] Executing 'DfmGetOrchestrationsFunction' (Reason='This function was programmatically called via the host APIs.', Id=986c8755-ea41-436c-913e-485f86fa7639)
[2025-07-31T09:30:12.276Z] DFM failed
[2025-07-31T09:30:12.276Z] DurableTask.AzureStorage: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. Microsoft.WindowsAzure.Storage: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
[2025-07-31T09:30:12.277Z] Executed 'DfmGetOrchestrationsFunction' (Succeeded, Id=986c8755-ea41-436c-913e-485f86fa7639, Duration=197ms)
With the following setting:
"durableFunctionsMonitor.taskHubsDiscoveryMode": "Do not use Storage keys"
As a test, on the same environment, i installed the Azure Storage Explorer (standalone) https://azure.microsoft.com/en-us/products/storage/storage-explorer. Accessing the storage account (and the content of tables/blobs/queues) with identity works just fine there.
In the same environment with a personal account (pointing to a personal tenant), using the monitor via VS Code, works just fine.
I think Microsoft.WindowsAzure.Storage (which is marked as legacy btw) isn't supported in my work tenant.
Any way around this? Or to debug further?
I think Microsoft.WindowsAzure.Storage (which is marked as legacy btw) isn't supported in my work tenant.
I don't think it's possible to anyhow blocklist Microsoft.WindowsAzure.Storage. If you check with your Azure tenant admins, and they confirm they did - that would be an interesting learning.
Are you getting this error when running DfMon locally? Or in Azure? Or both?
Are you getting this error when running DfMon locally? Or in Azure? Or both?
Only in context of the VS Code extension.
I don't think it's possible to anyhow blocklist Microsoft.WindowsAzure.Storage
This tenant has high standards on Conditional Access and authentication mechanisms in Entra ID, so maybe that makes old libraries just not fit for the job.
If you still suspect Microsoft.WindowsAzure.Storage to be the culprit, then the only thing I can suggest is to try running both DfMon InProc (which does use Microsoft.WindowsAzure.Storage) and DfMon Isolated (which does not) locally, with the following local.settings.json:
{
"IsEncrypted": false,
"Values": {
"DFM_NONCE": "i_sure_know_what_i_am_doing",
"AzureWebJobsSecretStorageType": "files",
"AzureWebJobsStorage__accountName": "my-storage-account-name",
"FUNCTIONS_WORKER_RUNTIME": "(dotnet|dotnet-isolated)"
},
"Host": {
"LocalHttpPort": 7072,
"CORS": "http://127.0.0.1:7072,http://localhost:3000,http://127.0.0.1:3000",
"CORSCredentials": true
}
}
, and navigate directly to your Task Hub page, e.g. http://localhost:7072/TestHubName.
The above would be the direct equivalent of how vscode extension runs the DfMon backend.
If both fail (potentially with different error messages) - the problem is most likely with your identity. E.g. conditional access blocks it, or e.g. you might be logged into vscode with one account and into Azure CLI with another one - and the latter takes precedence. Or e.g. you're logged into a wrong tenant in vscode.
If DfMon Isolated works - we'll need to look deeper into Microsoft.WindowsAzure.Storage hypothesis.
Using the dotnetisolated project, i'm getting the following logs at this line: https://github.com/microsoft/DurableFunctionsMonitor/blob/592f6a2d48361054d43a6a47949a0a02bf79b351/durablefunctionsmonitor.dotnetisolated.core/Functions/Orchestrations.cs#L74
[2025-09-05T12:36:30.077Z] Executed 'Functions.DfmAboutFunction' (Succeeded, Id=5cb60b00-1a18-4658-8405-7ee7830d5861, Duration=518ms)
[2025-09-05T12:36:30.087Z] Executed HTTP request: {[2025-09-05T12:36:30.262Z] Executing HTTP request: {
[2025-09-05T12:36:30.443Z] "requestId": "9fe9ab97-60f4-47a1-85bd-a61afae9ffb3",
[2025-09-05T12:36:30.448Z] "method": "GET",
[2025-09-05T12:36:30.444Z] "requestId": "5f83766a-c46e-4e8b-a648-efa229534207",
[2025-09-05T12:36:30.451Z] "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36 Edg/139.0.0.0",
[2025-09-05T12:36:30.457Z] "uri": "/manifest.json"
[2025-09-05T12:36:30.455Z] "identities": "",
[2025-09-05T12:36:30.458Z] }
[2025-09-05T12:36:30.459Z] "status": "200",
[2025-09-05T12:36:30.461Z] "duration": "547"[2025-09-05T12:36:30.461Z] Executing 'Functions.HttpRoot' (Reason='This function was programmatically called via the host APIs.', Id=87ff25b9-39c0-4d35-921f-79e177100989)
[2025-09-05T12:36:30.465Z] }
[2025-09-05T12:36:30.516Z] Executed 'Functions.HttpRoot' (Succeeded, Id=87ff25b9-39c0-4d35-921f-79e177100989, Duration=54ms)
[2025-09-05T12:36:30.518Z] Executed HTTP request: {
[2025-09-05T12:36:30.520Z] "requestId": "9fe9ab97-60f4-47a1-85bd-a61afae9ffb3",
[2025-09-05T12:36:30.521Z] "identities": "",
[2025-09-05T12:36:30.523Z] "status": "200",
[2025-09-05T12:36:30.525Z] "duration": "256"
[2025-09-05T12:36:30.527Z] }
[2025-09-05T12:36:37.307Z] Attempting to retrieve authentication token for resource 'https://storage.azure.com/'. HubName: TestHubName. AppName: . SlotName: . ExtensionVersion: 2.13.3.
[2025-09-05T12:36:43.863Z] General error: Failed to create the task hub: DurableTask.AzureStorage.Storage.DurableTaskStorageException: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
[2025-09-05T12:36:43.864Z] ---> Microsoft.WindowsAzure.Storage.StorageException: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
[2025-09-05T12:36:43.865Z] at Microsoft.WindowsAzure.Storage.Core.Executor.Executor.ExecuteAsyncInternal[T](RESTCommand`1 cmd, IRetryPolicy policy, OperationContext operationContext, CancellationToken token)
[2025-09-05T12:36:43.866Z] at Microsoft.WindowsAzure.Storage.Blob.CloudBlobContainer.CreateIfNotExistsAsync(BlobContainerPublicAccessType accessType, BlobRequestOptions options, OperationContext operationContext, CancellationToken cancellationToken)
[2025-09-05T12:36:43.867Z] at DurableTask.AzureStorage.TimeoutHandler.ExecuteWithTimeout[T](String operationName, String account, AzureStorageOrchestrationServiceSettings settings, Func`3 operation, AzureStorageOrchestrationServiceStats stats, String clientRequestId) in /_/src/DurableTask.AzureStorage/TimeoutHandler.cs:line 133
[2025-09-05T12:36:43.868Z] at DurableTask.AzureStorage.Storage.AzureStorageClient.MakeStorageRequest[T](Func`3 storageRequest, String accountName, String operationName, String clientRequestId, Boolean force) in /_/src/DurableTask.AzureStorage/Storage/AzureStorageClient.cs:line 137
[2025-09-05T12:36:43.869Z] Request Information
[2025-09-05T12:36:43.870Z] RequestID:1f500dcb-201e-0070-0361-1e74b6000000
[2025-09-05T12:36:43.872Z] RequestDate:Fri, 05 Sep 2025 14:36:43 GMT
[2025-09-05T12:36:43.873Z] StatusMessage:Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
[2025-09-05T12:36:43.874Z] ErrorCode:AuthenticationFailed
[2025-09-05T12:36:43.876Z] ErrorMessage:Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:1f500dcb-201e-0070-0361-1e74b6000000
Time:2025-09-05T12:36:43.8141128Z
[2025-09-05T12:36:43.877Z]
[2025-09-05T12:36:43.878Z] --- End of inner exception stack trace ---
[2025-09-05T12:36:43.878Z] --- End of inner exception stack trace ---
[2025-09-05T12:36:43.879Z] at DurableTask.AzureStorage.Storage.AzureStorageClient.MakeStorageRequest[T](Func`3 storageRequest, String accountName, String operationName, String clientRequestId, Boolean force) in /_/src/DurableTask.AzureStorage/Storage/AzureStorageClient.cs:line 141
[2025-09-05T12:36:43.880Z] at DurableTask.AzureStorage.Storage.BlobContainer.CreateIfNotExistsAsync() in /_/src/DurableTask.AzureStorage/Storage/BlobContainer.cs:line 48
[2025-09-05T12:36:43.881Z] at DurableTask.AzureStorage.Partitioning.AppLeaseManager.CreateContainerIfNotExistsAsync() in /_/src/DurableTask.AzureStorage/Partitioning/AppLeaseManager.cs:line 207
[2025-09-05T12:36:43.882Z] at DurableTask.AzureStorage.AzureStorageOrchestrationService.GetTaskHubCreatorTask() in /_/src/DurableTask.AzureStorage/AzureStorageOrchestrationService.cs:line 368
[2025-09-05T12:36:43.883Z] at DurableTask.AzureStorage.AzureStorageOrchestrationService.EnsureTaskHubAsync() in /_/src/DurableTask.AzureStorage/AzureStorageOrchestrationService.cs:line 349
It seems to call Microsoft.WindowsAzure.Storage library as well.
Also, it seems to call TestHubName but i'm using another request url like: http://localhost:7072/funcsomename:
[2025-09-05T12:36:37.307Z] Attempting to retrieve authentication token for resource 'https://storage.azure.com/'. HubName: TestHubName. AppName: . SlotName: . ExtensionVersion: 2.13.3.
I added openIdIssuer and WEBSITE_AUTH_CLIENT_ID to make it authenticate locally, in addition to your settings.json.
I'm afraid I fail to interpret this.
That ExtensionMethodsForOrchestrations.ExpandStatus() method above that you mentioned - it does uses Microsoft.WindowsAzure.Storage for retrieving extra instance fields, but even if it fails - those failures are logged, but not shown as errors. So how does it all look like in the browser? Do you see your instances? Do you see instance details?
That method has no chance to produce the error you're reporting - General error: Failed to create the task hub. Such an error might occur only if you tried to navigate to a non-existent Task Hub. So are you sure funcsomename hub exists?
Do you see your instances? Do you see instance details?
Nope, they won't show at all, even though there are some.
So are you sure funcsomename hub exists?
Yeah, i opened that exact one in a DfMon that is hosted in an Azure Function (in Azure).