You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/cosmos-db/secure-access-to-data.md
+9-1Lines changed: 9 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -38,7 +38,15 @@ Primary, secondary, read only, and read-write master keys can be retrieved and r
38
38
39
39
40
40
41
-
The process of rotating your master key is simple. Navigate to the Azure portal to retrieve your secondary key, then replace your primary key with your secondary key in your application, then rotate the primary key in the Azure portal.
41
+
### Key rotation<aid="key-rotation"></a>
42
+
43
+
The process of rotating your master key is simple.
44
+
45
+
1. Navigate to the Azure portal to retrieve your secondary key.
46
+
2. Replace your primary key with your secondary key in your application. Make sure that all the Cosmos DB clients across all the deployments are promptly restarted and will start using the updated key.
47
+
3. Rotate the primary key in the Azure portal.
48
+
4. Validate the new primary key works against all resource. Key rotation process can take any where from less than a minute to hours depending on the size of the Cosmos DB account.
49
+
5. Replace the secondary key with the new primary key.
42
50
43
51
Copy file name to clipboardExpand all lines: articles/cosmos-db/troubleshoot-dot-net-sdk.md
+25-3Lines changed: 25 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -13,7 +13,7 @@ ms.reviewer: sngun
13
13
This article covers common issues, workarounds, diagnostic steps, and tools when you use the [.NET SDK](sql-api-sdk-dotnet.md) with Azure Cosmos DB SQL API accounts.
14
14
The .NET SDK provides client-side logical representation to access the Azure Cosmos DB SQL API. This article describes tools and approaches to help you if you run into any issues.
15
15
16
-
## Checklist for troubleshooting issues:
16
+
## Checklist for troubleshooting issues
17
17
Consider the following checklist before you move your application to production. Using the checklist will prevent several common issues you might see. You can also quickly diagnose when an issue occurs:
18
18
19
19
* Use the latest [SDK](sql-api-sdk-dotnet-standard.md). Preview SDKs should not be used for production. This will prevent hitting known issues that are already fixed.
@@ -95,12 +95,34 @@ The [query metrics](sql-api-query-metrics.md) will help determine where the quer
95
95
* If the back-end query returns quickly, and spends a large time on the client check the load on the machine. It's likely that there are not enough resource and the SDK is waiting for resources to be available to handle the response.
96
96
* If the back-end query is slow try [optimizing the query](optimize-cost-queries.md) and looking at the current [indexing policy](index-overview.md)
97
97
98
+
### HTTP 401: The MAC signature found in the HTTP request is not the same as the computed signature
99
+
If you received the following 401 error message: "The MAC signature found in the HTTP request is not the same as the computed signature." it can be caused by the following scenarios.
100
+
101
+
1. The key was rotated and did not follow the [best practices](secure-access-to-data.md#key-rotation). This is usually the case. Cosmos DB account key rotation can take anywhere from a few seconds to possibly days depending on the Cosmos DB account size.
102
+
1. 401 MAC signature is seen shortly after a key rotation and eventually stops without any changes.
103
+
2. The key is misconfigured on the application so the key does not match the account.
104
+
1. 401 MAC signature issue will be consistent and happens for all calls
105
+
3. There is a race condition with container creation. An application instance is trying to access the container before container creation is complete. The most common scenario for this if the application is running, and the container is deleted and recreated with the same name while the application is running. The SDK will attempt to use the new container, but the container creation is still in progress so it does not have the keys.
106
+
1. 401 MAC signature issue is seen shortly after a container creation, and only occur until the container creation is completed.
107
+
108
+
### HTTP Error 400. The size of the request headers is too long.
109
+
The size of the header has grown to large and is exceeding the maximum allowed size. It's always recommended to use the latest SDK. Make sure to use at least version [3.x](https://github.com/Azure/azure-cosmos-dotnet-v3/blob/master/changelog.md) or [2.x](https://github.com/Azure/azure-cosmos-dotnet-v2/blob/master/changelog.md), which adds header size tracing to the exception message.
110
+
111
+
Causes:
112
+
1. The session token has grown too large. The session token grows as the number of partitions increase in the container.
113
+
2. The continuation token has grown to large. Different queries will have different continuation token sizes.
114
+
3. It's caused by a combination of the session token and continuation token.
115
+
116
+
Solution:
117
+
1. Follow the [performance tips](performance-tips.md) and convert the application to Direct + TCP connection mode. Direct + TCP does not have the header size restriction like HTTP does which avoids this issue.
118
+
2. If the session token is the cause, then a temporary mitigation is to restart the application. Restarting the application instance will reset the session token. If the exceptions stop after the restart, then it confirms the session token is the cause. It will eventually grow back to the size that will cause the exception.
119
+
3. If the application cannot be converted to Direct + TCP and the session token is the cause, then mitigation can be done by changing the client [consistency level](consistency-levels.md). The session token is only used for session consistency which is the default for Cosmos DB. Any other consistency level will not use the session token.
120
+
4. If the application cannot be converted to Direct + TCP and the continuation token is the cause, then try setting the ResponseContinuationTokenLimitInKb option. The option can be found in the FeedOptions for v2 or the QueryRequestOptions in v3.
121
+
98
122
<!--Anchors-->
99
123
[Common issues and workarounds]: #common-issues-workarounds
0 commit comments