[horde] ActiveSync not authenticating - 401 Unauthorized

OnkelM onkelm08 at gmail.com
Tue Jun 9 08:59:24 UTC 2015


2015-06-08 22:34 GMT+02:00 Michael J Rubinsky <mrubinsk at horde.org>:

>
> Quoting OnkelM <onkelm08 at gmail.com>:
>
> On 08.06.2015 at 9:45 PM, "Michael J Rubinsky" <mrubinsk at horde.org> wrote:
>>
>>>
>>>
>>> Quoting OnkelM <onkelm08 at gmail.com>:
>>>
>>>  2015-06-08 21:19 GMT+02:00 Michael J Rubinsky <mrubinsk at horde.org>:
>>>>
>>>>
>>>>> Quoting OnkelM <onkelm08 at gmail.com>:
>>>>>
>>>>>  Hi Michael,
>>>>>
>>>>>>
>>>>>>
>>>>>> here is my config:
>>>>>>
>>>>>>  $conf['auth']['params']['app'] = 'imp';
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> $conf['activesync']['auth']['type'] = 'basic';
>>>>>>
>>>>>> $conf['activesync']['autodiscovery'] = 'full';
>>>>>>
>>>>>>
>>>>> Does your auth backend require full email addresses as usernames?
>>>>>
>>>>>
>>>>>
>>>>>  $conf['activesync']['enabled'] = true;
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> I am not using auth hooks, only the default settings.
>>>>>>
>>>>>> So... where should I start to track it down? How?
>>>>>>
>>>>>>
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> 2015-06-08 20:39 GMT+02:00 Michael J Rubinsky <mrubinsk at horde.org>:
>>>>>>
>>>>>>
>>>>>>  Quoting OnkelM <onkelm08 at gmail.com>:
>>>>>>>
>>>>>>>  Hello,
>>>>>>>
>>>>>>>
>>>>>>>> how is this happening? I made the following test request:
>>>>>>>>
>>>>>>>> POST https://horde-host/Microsoft-Server-ActiveSync
>>>>>>>>
>>>>>>>>  ?DeviceType=WP8&Cmd=Provision&DeviceId=12345678901
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> HEADERS
>>>>>>>>>
>>>>>>>>> *Accept:* */*
>>>>>>>>>
>>>>>>>>> *Accept-Encoding:* gzip, deflate
>>>>>>>>>
>>>>>>>>> *Accept-Language:* de
>>>>>>>>>
>>>>>>>>> *Authorization:* Basic YWRtaW5Ab25rZWxtLmNvbTpCZDMwMDQ4NCM5NjQ0MA==
>>>>>>>>>
>>>>>>>>> *Cache-Control:* no-cache
>>>>>>>>>
>>>>>>>>> *Connection:* Keep-Alive
>>>>>>>>>
>>>>>>>>> *Content-Length:* 600
>>>>>>>>>
>>>>>>>>> *Content-Type:* application/vnd.ms-sync.wbxml
>>>>>>>>>
>>>>>>>>> *Host:* horde-host
>>>>>>>>>
>>>>>>>>> *Ms-Asprotocolversion:* 14.0
>>>>>>>>>
>>>>>>>>> *User-Agent:* runscope/0.1,ASOM
>>>>>>>>>
>>>>>>>>> *X-Ms-Policykey:* 0
>>>>>>>>> QUERYSTRING
>>>>>>>>>
>>>>>>>>> *Cmd:* Provision
>>>>>>>>>
>>>>>>>>> *DeviceId:* 12345678901
>>>>>>>>>
>>>>>>>>> *DeviceType:* WP8
>>>>>>>>> BODY
>>>>>>>>>
>>>>>>>>> <?xml version="1.0" encoding="utf-8" ?><Provision
>>>>>>>>>   xmlns="Provision:">
>>>>>>>>>   <DeviceInformation
>>>>>>>>>     xmlns="Settings:">
>>>>>>>>>     <Set>
>>>>>>>>>       <Model>RM-821_eu_euro2_248</Model>
>>>>>>>>>       <IMEI>imeiimeiimeiimeiimei</IMEI>
>>>>>>>>>       <FriendlyName>Lumia 920</FriendlyName>
>>>>>>>>>       <OS>Windows Phone 8.0.9903</OS>
>>>>>>>>>       <OSLanguage>German</OSLanguage>
>>>>>>>>>       <PhoneNumber>+0152xxxxxxxx</PhoneNumber>
>>>>>>>>>       <UserAgent>MSFT-WP/8.0.9903</UserAgent>
>>>>>>>>>       <EnableOutboundSMS>0</EnableOutboundSMS>
>>>>>>>>>     </Set>
>>>>>>>>>   </DeviceInformation>
>>>>>>>>>   <Policies>
>>>>>>>>>     <Policy>
>>>>>>>>>       <PolicyType>MS-EAS-Provisioning-WBXML</PolicyType>
>>>>>>>>>     </Policy>
>>>>>>>>>   </Policies></Provision>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>  And Horde is answering this:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>  401 Unauthorized
>>>>>>>>
>>>>>>>>
>>>>>>>>   HEADERS
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>  *Allow:* OPTIONS,POST
>>>>>>>>>
>>>>>>>>> *Cache-Control:* private, max-age=10800, pre-check=10800
>>>>>>>>>
>>>>>>>>> *Connection:* Keep-Alive
>>>>>>>>>
>>>>>>>>> *Content-Encoding:* gzip
>>>>>>>>>
>>>>>>>>> *Content-Type:* text/html
>>>>>>>>>
>>>>>>>>> *Date:* Mon, 08 Jun 2015 18:17:07 GMT
>>>>>>>>>
>>>>>>>>> *Expires:* Thu, 19 Nov 1981 08:52:00 GMT
>>>>>>>>>
>>>>>>>>> *Keep-Alive:* timeout=2, max=1000
>>>>>>>>>
>>>>>>>>> *Last-Modified:* Fri, 05 Jun 2015 15:28:26 GMT
>>>>>>>>>
>>>>>>>>> *Ms-Asprotocolcommands:* Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert
>>>>>>>>>
>>>>>>>>> *Ms-Asprotocolversions:* 2.5,12.0,12.1,14.0,14.1
>>>>>>>>>
>>>>>>>>> *Ms-Server-Activesync:* 14.2
>>>>>>>>>
>>>>>>>>> *Public:* OPTIONS,POST
>>>>>>>>>
>>>>>>>>> *Server:* Apache
>>>>>>>>>
>>>>>>>>> *Set-Cookie:* PHPSESSID=8f3379819e428da3e5e28cf0b60c872c; path=/
>>>>>>>>>
>>>>>>>>> *Transfer-Encoding:* chunked
>>>>>>>>>
>>>>>>>>> *Vary:* Accept-Encoding
>>>>>>>>>
>>>>>>>>> *Www-Authenticate:* Basic realm="Horde ActiveSync"
>>>>>>>>> BODY
>>>>>>>>>
>>>>>>>>> (empty)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>  Why is Horde not accepting my login ?
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>  Could be a number of reasons: Misconfigured ActiveSync settings
>>>>>>> (configured to use full email address as username but only sending
>>>>>>> username, or the reverse), misconfigured auth hooks, x509 cert
>>>>>>> misuse/configuration etc...
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> mike
>>>>>>> The Horde Project
>>>>>>> http://www.horde.org
>>>>>>> https://www.facebook.com/hordeproject
>>>>>>> https://www.twitter.com/hordeproject
>>>>>>>
>>>>>>> --
>>>>>>> Horde mailing list
>>>>>>> Frequently Asked Questions: http://horde.org/faq/
>>>>>>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>> Does your auth backend require full email addresses as usernames?
>>>>
>>>>
>>>> Do you mean the Horde setting or the IMAP login?
>>>> Horde is configured to use full email address with @ and host.
>>>> I tried to log in to my IMAP server with the full email address as username
>>>> and password and it worked.
>>>> I can log in to webmail in Horde with the full email address as the login
>>>> name and the password.
>>>>
>>>
>>>
>>> ...and this is what you have explicitly typed into the ActiveSync client?
>>>
>>>
>>>
>>>
>> Sure I did it. I made sure I typed the username and password correctly
>> letter by letter.
>>
>
> Then you are going to have to find out why Horde isn't receiving the
> correct password. Other possibilities are that the user in question doesn't
> have permissions to use ActiveSync - you can check this in the
> administrative permissions interface. Check the Horde log for any hints as
> well.
>
>
>
>
>

Found the problem. It was indeed the mod_rewrite prefix "REDIRECT_".

Have to change the file
/framework/ActiveSync/lib/Horde/ActiveSync/Credentials.php
*from:*

>         } elseif (!empty($serverVars['HTTP_AUTHORIZATION']) ||
>                   !empty($serverVars['Authorization'])) {
>             // Some clients use the non-standard 'Authorization' header.
>             $authorization = !empty($serverVars['HTTP_AUTHORIZATION'])
>                 ? $serverVars['HTTP_AUTHORIZATION']


*to:*

>         } elseif (!empty($serverVars['REDIRECT_HTTP_AUTHORIZATION']) ||
>                   !empty($serverVars['Authorization'])) {
>             // Some clients use the non-standard 'Authorization' header.
>             $authorization = !empty($serverVars['REDIRECT_HTTP_AUTHORIZATION'])
>                 ? $serverVars['REDIRECT_HTTP_AUTHORIZATION']


Maybe for Outlook we also need to change the file
/framework/ActiveSync/lib/Horde/ActiveSync/Request/Autodiscover.php as well
*from:*

>         if (empty($values) && !empty($server['HTTP_AUTHORIZATION'])) {
>             $hash = base64_decode(str_replace('Basic ', '',
>                 $server['HTTP_AUTHORIZATION']));


*to:*

>         if (empty($values) && !empty($server['REDIRECT_HTTP_AUTHORIZATION'])) {
>             $hash = base64_decode(str_replace('Basic ', '',
>                 $server['REDIRECT_HTTP_AUTHORIZATION']));




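Can someone add this to the git branch?
For example, like this?

>         // Fall back to the REDIRECT_-prefixed variable set by mod_rewrite.
>         // The inner ternary is parenthesized: PHP's ?: is left-associative
>         // (and PHP 8 rejects the unparenthesized form).
>         $http_auth = !empty($server['HTTP_AUTHORIZATION'])
>             ? $server['HTTP_AUTHORIZATION']
>             : (!empty($server['REDIRECT_HTTP_AUTHORIZATION'])
>                 ? $server['REDIRECT_HTTP_AUTHORIZATION']
>                 : "");
>         if (empty($values) && !empty($http_auth)) {
>             $hash = base64_decode(str_replace('Basic ', '', $http_auth));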


And the other file like this?

>         $http_auth = !empty($serverVars['HTTP_AUTHORIZATION'])
>             ? $serverVars['HTTP_AUTHORIZATION']
>             : (!empty($serverVars['REDIRECT_HTTP_AUTHORIZATION'])
>                 ? $serverVars['REDIRECT_HTTP_AUTHORIZATION']
>                 : "");
>
>         if (!empty($serverVars['PHP_AUTH_PW'])) {
>             $user = $serverVars['PHP_AUTH_USER'];
>             $pass = $serverVars['PHP_AUTH_PW'];
>         } elseif (!empty($http_auth) ||
>                   !empty($serverVars['Authorization'])) {
>             // Some clients use the non-standard 'Authorization' header.
>             $authorization = !empty($http_auth)
>                 ? $http_auth
>                 : $serverVars['Authorization'];
