SAS token mismatch on Azure DPS with Azure IoT Edge

LALANNE Jeremie - CELLENZA 26 Reputation points
2025-01-03T14:33:14.6666667+00:00

Hi,

I have a recent issue with DPS registration requests, giving me error " {"Message":"{"errorCode":401002,"message":"The specified SAS token has an invalid signature. It does not match either the primary or secondary key.","trackingId":"E377D48366F943E189A5FEA744D89D95-G2:-TimeStamp:2025-01-03T14:15:03.453324531Z","timestampUtc":"2025-01-03T14:15:03.453324531Z","info":null}","ExceptionMessage":""}".

I have two different IoT Hubs in different environments, and my devices are running IoT Edge with group enrollments using symmetric keys, but the Azure Identity daemon seems to only be able to register in one of the DPS environments. For the other one, I get that error. I already tried to regenerate the keys. It has been working for many months now, but all of a sudden it doesn't work anymore in that environment. And I can't remember changing anything in the setup.


Accepted answer
  1. AshokPeddakotla-MSFT 35,926 Reputation points
    2025-01-23T09:00:08.36+00:00

    LALANNE Jeremie - CELLENZA I'm glad that your issue is resolved and thank you for posting your solution so that others experiencing the same thing can easily reference this!

    Since the Microsoft Q&A community has a policy that the question author cannot accept their own answer, they can only accept answers by others, I'll repost your solution in case you'd like to Accept the answer.

    Error Message:

    I have a recent issue with DPS registration requests, giving me error " {"Message":"{"errorCode":401002,"message":"The specified SAS token has an invalid signature. It does not match either the primary or secondary key.","trackingId":"E377D48366F943E189A5FEA744D89D95-G2:-TimeStamp:2025-01-03T14:15:03.453324531Z","timestampUtc":"2025-01-03T14:15:03.453324531Z","info":null}","ExceptionMessage":""}".

    I have two different IoT Hubs in different environments, and my devices are running IoT Edge with group enrollments using symmetric keys, but the Azure Identity daemon seems to only be able to register in one of the DPS environments. For the other one, I get that error. I already tried to regenerate the keys. It has been working for many months now, but all of a sudden it doesn't work anymore in that environment. And I can't remember changing anything in the setup.

    Solution:

    I figured out (with the help of Azure support) that the issue came from the DPS linked IoT Hub not being synced correctly with that IoT Hub. When the DPS is linked to an IoT Hub, the link is not synchronous. When the link is created, it takes the connection string of the IoT Hub with the specified shared access policy, and that's it. At some point we renewed the primary key of the IoT Hub, and broke that link.

    The solution was to remove and re-add the DPS link to the IoT Hub. The other solution with Azure CLI is az iot dps update --name MyExampleDps --set properties.iotHubs[0].connectionString="HostName=MyExampleHub-2.azure-devices.net;SharedAccessKeyName=iothubowner;SharedAccessKey=NewTokenValue" (taken from the documentation: https://learn.microsoft.com/en-us/azure/iot-dps/how-to-manage-linked-iot-hubs?tabs=cli#update-keys-for-linked-iot-hubs)

    If you have any other questions, please let me know. Thank you again for your time and patience throughout this issue.

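An added example, not code from the thread or from Azure, that replays the failure the accepted answer describes: the DPS link keeps a snapshot of the hub's shared access key, so tokens it signs stop validating once the hub's primary key is regenerated, and validate again once the linked connection string is updated. The demo keys, the timestamps and the hub-side verifier are constructed here; only the token format follows the documented IoT Hub SAS scheme (HMAC-SHA256 over the URL-encoded resource URI and expiry).

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote_plus

PREFIX = "SharedAccessSignature "


def generate_sas_token(resource_uri: str, key_b64: str, policy: str, expiry: int) -> str:
    """IoT Hub SAS format: HMAC-SHA256 over '<url-encoded uri>\\n<expiry>', keyed with the
    base64-decoded shared access key; the signature is base64- then URL-encoded."""
    sr = quote_plus(resource_uri)
    digest = hmac.new(base64.b64decode(key_b64), f"{sr}\n{expiry}".encode(), hashlib.sha256).digest()
    return f"{PREFIX}sr={sr}&sig={quote_plus(base64.b64encode(digest).decode())}&se={expiry}&skn={policy}"


def verify_sas_token(token: str, primary_b64: str, secondary_b64: str, now: int) -> tuple[bool, str]:
    """Hub-side check modelled on the 401002 error in the question: the signature must match a
    recomputation with either the primary or the secondary key of the named policy."""
    if not token.startswith(PREFIX):
        return False, "malformed token"
    p = parse_qs(token[len(PREFIX):])  # parse_qs also URL-decodes sr and sig
    sr, sig, se = p["sr"][0], p["sig"][0], int(p["se"][0])
    if se < now:
        return False, "token expired"
    for key_b64 in (primary_b64, secondary_b64):
        digest = hmac.new(base64.b64decode(key_b64), f"{quote_plus(sr)}\n{se}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(base64.b64encode(digest).decode(), sig):
            return True, "ok"
    return False, "signature does not match either the primary or secondary key"


def simulate_dps_link_after_rotation() -> dict:
    """Replay the scenario from the accepted answer with constructed (non-real) demo keys."""
    hub = "MyExampleHub-2.azure-devices.net"  # host name used in the CLI command above
    old_primary = base64.b64encode(b"constructed-old-primary-key-0001").decode()
    secondary = base64.b64encode(b"constructed-secondary-key-000002").decode()
    new_primary = base64.b64encode(b"constructed-new-primary-key-0003").decode()
    now = 1735913703  # 2025-01-03T14:15:03Z, the timestamp in the reported error
    linked_key = old_primary  # snapshot captured when the DPS link was created; never re-synced
    token = generate_sas_token(hub, linked_key, "iothubowner", now + 3600)
    before = verify_sas_token(token, old_primary, secondary, now)[0]
    # Hub primary key regenerated; DPS still signs with the stale snapshot -> 401002.
    after_rotation = verify_sas_token(token, new_primary, secondary, now)
    # Fix from the answer: update (or remove and re-add) the linked hub so DPS holds the new key.
    linked_key = new_primary
    token = generate_sas_token(hub, linked_key, "iothubowner", now + 3600)
    after_fix = verify_sas_token(token, new_primary, secondary, now)[0]
    return {"before": before, "after_rotation": after_rotation, "after_fix": after_fix}
```

Note that a token signed with the secondary key still validates after a primary-key rotation, which is why staged rotation (rotate one key, update dependents, then rotate the other) avoids the outage seen here.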

  1. Sander van de Velde | MVP 34,461 Reputation points MVP
    2025-01-03T23:03:58.2366667+00:00

    Hello @LALANNE Jeremie - CELLENZA ,

    welcome to this moderated Azure community forum.

    You say you have multiple DPS environments (as in '... one of the DPS environments')?

    Your Azure IoT Edge runtime can only connect to one Device Provisioning service where the right IoT Hub will be selected/linked to your device.

    Please check this blog post with background information about the group enrollments using symmetric keys.

    There you find details on how to generate the right unique registration ID for each device.


    If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress. All community members with similar issues will benefit by doing so. Your contribution is highly appreciated.


  2. LALANNE Jeremie - CELLENZA 26 Reputation points
    2025-01-08T12:56:48.82+00:00

    To whoever comes across that same issue, I figured out (with the help of Azure support) that the issue came from the DPS linked IoT Hub not being synced correctly with that IoT Hub. When the DPS is linked to an IoT Hub, the link is not synchronous. When the link is created, it takes the connection string of the IoT Hub with the specified shared access policy, and that's it. At some point we renewed the primary key of the IoT Hub, and broke that link.

    The solution was to remove and re-add the DPS link to the IoT Hub.
    The other solution with Azure CLI is az iot dps update --name MyExampleDps --set properties.iotHubs[0].connectionString="HostName=MyExampleHub-2.azure-devices.net;SharedAccessKeyName=iothubowner;SharedAccessKey=NewTokenValue"
    (taken from the documentation: https://learn.microsoft.com/en-us/azure/iot-dps/how-to-manage-linked-iot-hubs?tabs=cli#update-keys-for-linked-iot-hubs)

