[horde] ActiveSync not authenticating - 401 Unauthorized

Michael J Rubinsky mrubinsk at horde.org
Tue Jun 9 16:40:08 UTC 2015


Quoting OnkelM <onkelm08 at gmail.com>:

> 2015-06-08 22:34 GMT+02:00 Michael J Rubinsky <mrubinsk at horde.org>:
>
>>
>> Quoting OnkelM <onkelm08 at gmail.com>:
>>
>>  On 08.06.2015 at 9:45 PM, "Michael J Rubinsky" <mrubinsk at horde.org> wrote:
>>>
>>>>
>>>>
>>>> Quoting OnkelM <onkelm08 at gmail.com>:
>>>>
>>>>  2015-06-08 21:19 GMT+02:00 Michael J Rubinsky <mrubinsk at horde.org>:
>>>>>
>>>>>
>>>>>> Quoting OnkelM <onkelm08 at gmail.com>:
>>>>>>
>>>>>>  Hi Michael,
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> here is my config:
>>>>>>>
>>>>>>>  $conf['auth']['params']['app'] = 'imp';
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> $conf['activesync']['auth']['type'] = 'basic';
>>>>>>>
>>>>>>> $conf['activesync']['autodiscovery'] = 'full';
>>>>>>>
>>>>>>>
>>>>>> Does your auth backend require full email addresses as usernames?
>>>>>>
>>>>>>
>>>>>>
>>>>>>  $conf['activesync']['enabled'] = true;
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> I am not using auth hooks, only the default settings
>>>>>>>
>>>>>>> so... where should I start to track it down? how?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> 2015-06-08 20:39 GMT+02:00 Michael J Rubinsky <mrubinsk at horde.org>:
>>>>>>>
>>>>>>>
>>>>>>>  Quoting OnkelM <onkelm08 at gmail.com>:
>>>>>>>>
>>>>>>>>  Hello,
>>>>>>>>
>>>>>>>>
>>>>>>>>> how is this happening? I made the following test request:
>>>>>>>>>
>>>>>>>>> POST https://horde-host/Microsoft-Server-ActiveSync
>>>>>>>>>
>>>>>>>>>  ?DeviceType=WP8&Cmd=Provision&DeviceId=12345678901
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> HEADERS
>>>>>>>>>>
>>>>>>>>>> *Accept:* */*
>>>>>>>>>>
>>>>>>>>>> *Accept-Encoding:* gzip, deflate
>>>>>>>>>>
>>>>>>>>>> *Accept-Language:* de
>>>>>>>>>>
>>>>>>>>>> *Authorization:* Basic YWRtaW5Ab25rZWxtLmNvbTpCZDMwMDQ4NCM5NjQ0MA==
>>>>>>>>>>
>>>>>>>>>> *Cache-Control:* no-cache
>>>>>>>>>>
>>>>>>>>>> *Connection:* Keep-Alive
>>>>>>>>>>
>>>>>>>>>> *Content-Length:* 600
>>>>>>>>>>
>>>>>>>>>> *Content-Type:* application/vnd.ms-sync.wbxml
>>>>>>>>>>
>>>>>>>>>> *Host:* horde-host
>>>>>>>>>>
>>>>>>>>>> *Ms-Asprotocolversion:* 14.0
>>>>>>>>>>
>>>>>>>>>> *User-Agent:* runscope/0.1,ASOM
>>>>>>>>>>
>>>>>>>>>> *X-Ms-Policykey:* 0
>>>>>>>>>> QUERYSTRING
>>>>>>>>>>
>>>>>>>>>> *Cmd:* Provision
>>>>>>>>>>
>>>>>>>>>> *DeviceId:* 12345678901
>>>>>>>>>>
>>>>>>>>>> *DeviceType:* WP8
>>>>>>>>>> BODY
>>>>>>>>>>
>>>>>>>>>> <?xml version="1.0" encoding="utf-8" ?><Provision
>>>>>>>>>>   xmlns="Provision:">
>>>>>>>>>>   <DeviceInformation
>>>>>>>>>>     xmlns="Settings:">
>>>>>>>>>>     <Set>
>>>>>>>>>>       <Model>RM-821_eu_euro2_248</Model>
>>>>>>>>>>       <IMEI>imeiimeiimeiimeiimei</IMEI>
>>>>>>>>>>       <FriendlyName>Lumia 920</FriendlyName>
>>>>>>>>>>       <OS>Windows Phone 8.0.9903</OS>
>>>>>>>>>>       <OSLanguage>German</OSLanguage>
>>>>>>>>>>       <PhoneNumber>+0152xxxxxxxx</PhoneNumber>
>>>>>>>>>>       <UserAgent>MSFT-WP/8.0.9903</UserAgent>
>>>>>>>>>>       <EnableOutboundSMS>0</EnableOutboundSMS>
>>>>>>>>>>     </Set>
>>>>>>>>>>   </DeviceInformation>
>>>>>>>>>>   <Policies>
>>>>>>>>>>     <Policy>
>>>>>>>>>>       <PolicyType>MS-EAS-Provisioning-WBXML</PolicyType>
>>>>>>>>>>     </Policy>
>>>>>>>>>>   </Policies></Provision>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>  And Horde is answering this:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>  401 Unauthorized
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>   HEADERS
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>  *Allow:* OPTIONS,POST
>>>>>>>>>>
>>>>>>>>>> *Cache-Control:* private, max-age=10800, pre-check=10800
>>>>>>>>>>
>>>>>>>>>> *Connection:* Keep-Alive
>>>>>>>>>>
>>>>>>>>>> *Content-Encoding:* gzip
>>>>>>>>>>
>>>>>>>>>> *Content-Type:* text/html
>>>>>>>>>>
>>>>>>>>>> *Date:* Mon, 08 Jun 2015 18:17:07 GMT
>>>>>>>>>>
>>>>>>>>>> *Expires:* Thu, 19 Nov 1981 08:52:00 GMT
>>>>>>>>>>
>>>>>>>>>> *Keep-Alive:* timeout=2, max=1000
>>>>>>>>>>
>>>>>>>>>> *Last-Modified:* Fri, 05 Jun 2015 15:28:26 GMT
>>>>>>>>>>
>>>>>>>>>> *Ms-Asprotocolcommands:*
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>> Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert
>>>
>>>>
>>>>>>>>>> *Ms-Asprotocolversions:* 2.5,12.0,12.1,14.0,14.1
>>>>>>>>>>
>>>>>>>>>> *Ms-Server-Activesync:* 14.2
>>>>>>>>>>
>>>>>>>>>> *Public:* OPTIONS,POST
>>>>>>>>>>
>>>>>>>>>> *Server:* Apache
>>>>>>>>>>
>>>>>>>>>> *Set-Cookie:* PHPSESSID=8f3379819e428da3e5e28cf0b60c872c; path=/
>>>>>>>>>>
>>>>>>>>>> *Transfer-Encoding:* chunked
>>>>>>>>>>
>>>>>>>>>> *Vary:* Accept-Encoding
>>>>>>>>>>
>>>>>>>>>> *Www-Authenticate:* Basic realm="Horde ActiveSync"
>>>>>>>>>> BODY
>>>>>>>>>>
>>>>>>>>>> (empty)
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>  Why is Horde not accepting my login ?
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>  Could be a number of reasons: Misconfigured ActiveSync settings
>>>>>>>> (configured to use full email address as username but only sending
>>>>>>>> username, or the reverse), misconfigured auth hooks, x509 cert
>>>>>>>> misuse/configuration etc...
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> mike
>>>>>>>> The Horde Project
>>>>>>>> http://www.horde.org
>>>>>>>> https://www.facebook.com/hordeproject
>>>>>>>> https://www.twitter.com/hordeproject
>>>>>>>>
>>>>>>>> --
>>>>>>>> Horde mailing list
>>>>>>>> Frequently Asked Questions: http://horde.org/faq/
>>>>>>>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>> Does your auth backend require full email addresses as usernames?
>>>>>
>>>>>
>>>>> Do you mean the Horde setting or the IMAP login?
>>>>> Horde is configured to use full email address with @ and host,
>>>>> tried to log in to my IMAP server with the full email address as username
>>>>> and password and it worked.
>>>>> I can log in to webmail in Horde with the full email address as the login
>>>>> name and the password.
>>>>>
>>>>
>>>>
>>>> ...and this is what you have explicitly typed into the ActiveSync client?
>>>>
>>>>
>>>>
>>>>
>>> Sure I did it. I made sure I typed the username and password correctly
>>> letter by letter.
>>>
>>
>> Then you are going to have to find out why Horde isn't receiving the
>> correct password. Other possibilities are that the user in question doesn't
>> have permissions to use ActiveSync - you can check this in the
>> administrative permissions interface. Check the Horde log for any hints as
>> well.
>>
>>
>>
>>
>>
>
> Found the problem. It was indeed the mod_rewrite Prefix "REDIRECT_".
>
> Have to change the file
> /framework/ActiveSync/lib/Horde/ActiveSync/Credentials.php
> *from:*
>
>>         } elseif (!empty($serverVars['HTTP_AUTHORIZATION']) ||
>> !empty($serverVars['Authorization'])) {
>>             // Some clients use the non-standard 'Authorization' header.
>>             $authorization = !empty($serverVars['HTTP_AUTHORIZATION'])
>>                 ? $serverVars['HTTP_AUTHORIZATION']
>
>
> *to:*
>
>>         } elseif (!empty($serverVars['REDIRECT_HTTP_AUTHORIZATION']) ||
>> !empty($serverVars['Authorization'])) {
>>             // Some clients use the non-standard 'Authorization' header.
>>             $authorization = !empty($serverVars['REDIRECT_HTTP_AUTHORIZATION'])
>>                 ? $serverVars['REDIRECT_HTTP_AUTHORIZATION']
>
>
> maybe for outlook we also need to change the file
> /framework/ActiveSync/lib/Horde/ActiveSync/Request/Autodiscover.php as well
> *from:*
>
>>          if (empty($values) && !empty($server['HTTP_AUTHORIZATION'])) {
>>             $hash = base64_decode(str_replace('Basic ', '',
>> $server['HTTP_AUTHORIZATION']));
>
>
> *to:*
>
>>         if (empty($values) && !empty($server['REDIRECT_HTTP_AUTHORIZATION'])) {
>>             $hash = base64_decode(str_replace('Basic ', '',
>> $server['REDIRECT_HTTP_AUTHORIZATION']));
>
>
>
>
> can someone add this to the git branch?
> for example like this: ?
>
>>         $http_auth = !empty($server['HTTP_AUTHORIZATION'])
>>             ? $server['HTTP_AUTHORIZATION']
>>             : (!empty($server['REDIRECT_HTTP_AUTHORIZATION'])
>>                 ? $server['REDIRECT_HTTP_AUTHORIZATION']
>>                 : '');
>>         if (empty($values) && !empty($http_auth)) {
>>             $hash = base64_decode(str_replace('Basic ', '', $http_auth));
>
>
> and the other file like this: ?
>
>>         $http_auth = !empty($serverVars['HTTP_AUTHORIZATION'])
>>             ? $serverVars['HTTP_AUTHORIZATION']
>>             : (!empty($serverVars['REDIRECT_HTTP_AUTHORIZATION'])
>>                 ? $serverVars['REDIRECT_HTTP_AUTHORIZATION']
>>                 : '');
>>
>>         if (!empty($serverVars['PHP_AUTH_PW'])) {
>>             $user = $serverVars['PHP_AUTH_USER'];
>>             $pass = $serverVars['PHP_AUTH_PW'];
>>         } elseif (!empty($http_auth) ||
>> !empty($serverVars['Authorization'])) {
>>             // Some clients use the non-standard 'Authorization' header.
>>             $authorization = !empty($http_auth)
>>                 ? $http_auth
>>                 : $serverVars['Authorization'];


No, this kind of workaround does not belong in code. You need to ensure  
the auth data is correctly passed in an appropriate environment  
variable. This is already discussed on the wiki page. See  
http://wiki.horde.org/ActiveSync



-- 
mike
The Horde Project
http://www.horde.org
https://www.facebook.com/hordeproject
https://www.twitter.com/hordeproject
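
A diagnostic for the situation in this thread, added here as an example (it is not Horde code and not code from the thread): it reports which server variable the Basic credentials arrive in, so the web server can be configured to pass them in one that Horde reads. The function name and the sample values are assumptions; the variable names are the ones quoted above.

```php
<?php
// Added diagnostic, not Horde code. Reports where the Basic credentials
// arrive so the web server configuration can be corrected.

function locate_basic_auth(array $server): array
{
    // When PHP has already decoded Basic auth, these two variables are set.
    if (!empty($server['PHP_AUTH_PW'])) {
        return ['source' => 'PHP_AUTH_USER/PHP_AUTH_PW',
                'user' => $server['PHP_AUTH_USER'] ?? '',
                'horde_sees_it' => true];
    }
    $keys = ['HTTP_AUTHORIZATION', 'Authorization', 'REDIRECT_HTTP_AUTHORIZATION'];
    foreach ($keys as $key) {
        if (empty($server[$key]) || stripos($server[$key], 'Basic ') !== 0) {
            continue;
        }
        $decoded = base64_decode(substr($server[$key], 6), true);
        if ($decoded === false || strpos($decoded, ':') === false) {
            continue; // malformed header: not valid base64 or no "user:pass"
        }
        // Keep only the user name; never print or log the password.
        [$user] = explode(':', $decoded, 2);
        return ['source' => $key,
                'user' => $user,
                // Credentials.php as quoted above reads only the first two keys.
                'horde_sees_it' => $key !== 'REDIRECT_HTTP_AUTHORIZATION'];
    }
    return ['source' => null, 'user' => null, 'horde_sees_it' => false];
}

// Constructed sample environments (made-up user and dummy password).
$header = 'Basic ' . base64_encode('alice@example.com:not-a-real-password');
$samples = [
    'PHP decoded the header'  => ['PHP_AUTH_USER' => 'alice@example.com', 'PHP_AUTH_PW' => 'x'],
    'header passed as env'    => ['HTTP_AUTHORIZATION' => $header],
    'REDIRECT_ prefixed'      => ['REDIRECT_HTTP_AUTHORIZATION' => $header],
    'header dropped'          => [],
];
foreach ($samples as $label => $server) {
    $r = locate_basic_auth($server);
    printf("%-24s source=%-28s horde_sees_it=%s\n", $label,
        $r['source'] ?? '(none)', $r['horde_sees_it'] ? 'yes' : 'no');
}
// On a live host, call locate_basic_auth($_SERVER) from a temporary script
// behind the same rewrite rules, then delete the script.
```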