[horde] ActiveSync not authenticating - 401 Unauthorized

Michael J Rubinsky mrubinsk at horde.org
Tue Jun 9 20:44:08 UTC 2015


Quoting OnkelM <onkelm08 at gmail.com>:

> 2015-06-09 18:40 GMT+02:00 Michael J Rubinsky <mrubinsk at horde.org>:
>
>>
>> Quoting OnkelM <onkelm08 at gmail.com>:
>>
>>  2015-06-08 22:34 GMT+02:00 Michael J Rubinsky <mrubinsk at horde.org>:
>>>
>>>
>>>> Quoting OnkelM <onkelm08 at gmail.com>:
>>>>
>>>>> On 08.06.2015 9:45 PM, "Michael J Rubinsky" <mrubinsk at horde.org> wrote:
>>>>>
>>>>>
>>>>>>
>>>>>> Quoting OnkelM <onkelm08 at gmail.com>:
>>>>>>
>>>>>>  2015-06-08 21:19 GMT+02:00 Michael J Rubinsky <mrubinsk at horde.org>:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>  Quoting OnkelM <onkelm08 at gmail.com>:
>>>>>>>>
>>>>>>>>> Hi Michael,
>>>>>>>>>
>>>>>>>>> here is my config:
>>>>>>>>>
>>>>>>>>> $conf['auth']['params']['app'] = 'imp';
>>>>>>>>> $conf['activesync']['auth']['type'] = 'basic';
>>>>>>>>> $conf['activesync']['autodiscovery'] = 'full';
>>>>>>>>>
>>>>>>>>>  Does your auth backend require full email addresses as usernames?
>>>>>>>>>
>>>>>>>>> $conf['activesync']['enabled'] = true;
>>>>>>>>>
>>>>>>>>> I am not using auth hooks, only the default settings
>>>>>>>>>
>>>>>>>>> so... where should I start to track it down? how?
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>>
>>>>>>>>> 2015-06-08 20:39 GMT+02:00 Michael J Rubinsky <mrubinsk at horde.org>:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>  Quoting OnkelM <onkelm08 at gmail.com>:
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>  Hello,
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>> how is this happening? I made the following test request:
>>>>>>>>>>>>
>>>>>>>>>>>> POST https://horde-host/Microsoft-Server-ActiveSync?DeviceType=WP8&Cmd=Provision&DeviceId=12345678901
>>>>>>>>>>>>
>>>>>>>>>>>> HEADERS
>>>>>>>>>>>>
>>>>>>>>>>>> *Accept:* */*
>>>>>>>>>>>>
>>>>>>>>>>>> *Accept-Encoding:* gzip, deflate
>>>>>>>>>>>>
>>>>>>>>>>>> *Accept-Language:* de
>>>>>>>>>>>>
>>>>>>>>>>>> *Authorization:* Basic
>>>>>>>>>>>> YWRtaW5Ab25rZWxtLmNvbTpCZDMwMDQ4NCM5NjQ0MA==
>>>>>>>>>>>>
>>>>>>>>>>>> *Cache-Control:* no-cache
>>>>>>>>>>>>
>>>>>>>>>>>> *Connection:* Keep-Alive
>>>>>>>>>>>>
>>>>>>>>>>>> *Content-Length:* 600
>>>>>>>>>>>>
>>>>>>>>>>>> *Content-Type:* application/vnd.ms-sync.wbxml
>>>>>>>>>>>>
>>>>>>>>>>>> *Host:* horde-host
>>>>>>>>>>>>
>>>>>>>>>>>> *Ms-Asprotocolversion:* 14.0
>>>>>>>>>>>>
>>>>>>>>>>>> *User-Agent:* runscope/0.1,ASOM
>>>>>>>>>>>>
>>>>>>>>>>>> *X-Ms-Policykey:* 0
>>>>>>>>>>>> QUERYSTRING
>>>>>>>>>>>>
>>>>>>>>>>>> *Cmd:* Provision
>>>>>>>>>>>>
>>>>>>>>>>>> *DeviceId:* 12345678901
>>>>>>>>>>>>
>>>>>>>>>>>> *DeviceType:* WP8
>>>>>>>>>>>> BODY
>>>>>>>>>>>>
>>>>>>>>>>>> <?xml version="1.0" encoding="utf-8" ?><Provision
>>>>>>>>>>>>   xmlns="Provision:">
>>>>>>>>>>>>   <DeviceInformation
>>>>>>>>>>>>     xmlns="Settings:">
>>>>>>>>>>>>     <Set>
>>>>>>>>>>>>       <Model>RM-821_eu_euro2_248</Model>
>>>>>>>>>>>>       <IMEI>imeiimeiimeiimeiimei</IMEI>
>>>>>>>>>>>>       <FriendlyName>Lumia 920</FriendlyName>
>>>>>>>>>>>>       <OS>Windows Phone 8.0.9903</OS>
>>>>>>>>>>>>       <OSLanguage>German</OSLanguage>
>>>>>>>>>>>>       <PhoneNumber>+0152xxxxxxxx</PhoneNumber>
>>>>>>>>>>>>       <UserAgent>MSFT-WP/8.0.9903</UserAgent>
>>>>>>>>>>>>       <EnableOutboundSMS>0</EnableOutboundSMS>
>>>>>>>>>>>>     </Set>
>>>>>>>>>>>>   </DeviceInformation>
>>>>>>>>>>>>   <Policies>
>>>>>>>>>>>>     <Policy>
>>>>>>>>>>>>       <PolicyType>MS-EAS-Provisioning-WBXML</PolicyType>
>>>>>>>>>>>>     </Policy>
>>>>>>>>>>>>   </Policies></Provision>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> And Horde is answering this:
>>>>>>>>>>>>
>>>>>>>>>>>> 401 Unauthorized
>>>>>>>>>>>> HEADERS
>>>>>>>>>>>>
>>>>>>>>>>>> *Allow:* OPTIONS,POST
>>>>>>>>>>>>
>>>>>>>>>>>> *Cache-Control:* private, max-age=10800, pre-check=10800
>>>>>>>>>>>>
>>>>>>>>>>>> *Connection:* Keep-Alive
>>>>>>>>>>>>
>>>>>>>>>>>> *Content-Encoding:* gzip
>>>>>>>>>>>>
>>>>>>>>>>>> *Content-Type:* text/html
>>>>>>>>>>>>
>>>>>>>>>>>> *Date:* Mon, 08 Jun 2015 18:17:07 GMT
>>>>>>>>>>>>
>>>>>>>>>>>> *Expires:* Thu, 19 Nov 1981 08:52:00 GMT
>>>>>>>>>>>>
>>>>>>>>>>>> *Keep-Alive:* timeout=2, max=1000
>>>>>>>>>>>>
>>>>>>>>>>>> *Last-Modified:* Fri, 05 Jun 2015 15:28:26 GMT
>>>>>>>>>>>>
>>>>>>>>>>>> *Ms-Asprotocolcommands:*
>>>>>>>>>>>> Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert
>>>>>>>>>>>>
>>>>>>>>>>>> *Ms-Asprotocolversions:* 2.5,12.0,12.1,14.0,14.1
>>>>>>>>>>>>
>>>>>>>>>>>> *Ms-Server-Activesync:* 14.2
>>>>>>>>>>>>
>>>>>>>>>>>> *Public:* OPTIONS,POST
>>>>>>>>>>>>
>>>>>>>>>>>> *Server:* Apache
>>>>>>>>>>>>
>>>>>>>>>>>> *Set-Cookie:* PHPSESSID=8f3379819e428da3e5e28cf0b60c872c; path=/
>>>>>>>>>>>>
>>>>>>>>>>>> *Transfer-Encoding:* chunked
>>>>>>>>>>>>
>>>>>>>>>>>> *Vary:* Accept-Encoding
>>>>>>>>>>>>
>>>>>>>>>>>> *Www-Authenticate:* Basic realm="Horde ActiveSync"
>>>>>>>>>>>> BODY
>>>>>>>>>>>>
>>>>>>>>>>>> (empty)
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>  Why is Horde not accepting my login ?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> Could be a number of reasons: Misconfigured ActiveSync settings
>>>>>>>>>> (configured to use full email address as username but only sending
>>>>>>>>>> username, or the reverse), misconfigured auth hooks, x509 cert
>>>>>>>>>> misuse/configuration etc...
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> mike
>>>>>>>>>> The Horde Project
>>>>>>>>>> http://www.horde.org
>>>>>>>>>> https://www.facebook.com/hordeproject
>>>>>>>>>> https://www.twitter.com/hordeproject
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Horde mailing list
>>>>>>>>>> Frequently Asked Questions: http://horde.org/faq/
>>>>>>>>>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>  Does your auth backend require full email addresses as usernames?
>>>>>>>
>>>>>>>
>>>>>>> Do you mean the Horde setting or the IMAP login?
>>>>>>> Horde is configured to use the full email address with @ and host.
>>>>>>> I tried to log in to my IMAP server with the full email address as
>>>>>>> username and password and it worked.
>>>>>>> I can log in to webmail in Horde with the full email address as the
>>>>>>> login name and the password.
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> ...and this is what you have explicitly typed into the ActiveSync
>>>>>> client?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>> Sure I did it. I made sure I typed the username and password correctly
>>>>> letter by letter.
>>>>>
>>>>>
>>>> Then you are going to have to find out why Horde isn't receiving the
>>>> correct password. Other possibilities are that the user in question
>>>> doesn't have permissions to use ActiveSync - you can check this in the
>>>> administrative permissions interface. Check the Horde log for any hints
>>>> as well.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>> Found the problem. It was indeed the mod_rewrite Prefix "REDIRECT_".
>>>
>>> Have to change the file
>>> */framework/ActiveSync/lib/Horde/ActiveSync/Credentials.php*
>>> *from:*
>>>
>>>         } elseif (!empty($serverVars['HTTP_AUTHORIZATION']) ||
>>>                   !empty($serverVars['Authorization'])) {
>>>             // Some clients use the non-standard 'Authorization' header.
>>>             $authorization = !empty($serverVars['HTTP_AUTHORIZATION'])
>>>                 ? $serverVars['HTTP_AUTHORIZATION']
>>>
>>> *to:*
>>>
>>>         } elseif (!empty($serverVars['REDIRECT_HTTP_AUTHORIZATION']) ||
>>>                   !empty($serverVars['Authorization'])) {
>>>             // Some clients use the non-standard 'Authorization' header.
>>>             $authorization = !empty($serverVars['REDIRECT_HTTP_AUTHORIZATION'])
>>>                 ? $serverVars['REDIRECT_HTTP_AUTHORIZATION']
>>>
>>>
>>>
>>> maybe for Outlook we also need to change the file
>>> */framework/ActiveSync/lib/Horde/ActiveSync/Request/Autodiscover.php* as
>>> well
>>> *from:*
>>>
>>>         if (empty($values) && !empty($server['HTTP_AUTHORIZATION'])) {
>>>             $hash = base64_decode(str_replace('Basic ', '', $server['HTTP_AUTHORIZATION']));
>>>
>>> *to:*
>>>
>>>         if (empty($values) && !empty($server['REDIRECT_HTTP_AUTHORIZATION'])) {
>>>             $hash = base64_decode(str_replace('Basic ', '', $server['REDIRECT_HTTP_AUTHORIZATION']));
>>>
>>>
>>>
>>>
>>> can someone add this to the git branch?
>>> for example like this: ?
>>>
>>>         // Inner ternary is parenthesised: PHP's ?: is left-associative, and
>>>         // unparenthesised nesting is a compile error since PHP 8.
>>>         $http_auth = !empty($server['HTTP_AUTHORIZATION'])
>>>             ? $server['HTTP_AUTHORIZATION']
>>>             : (!empty($server['REDIRECT_HTTP_AUTHORIZATION'])
>>>                 ? $server['REDIRECT_HTTP_AUTHORIZATION']
>>>                 : "");
>>>         if (empty($values) && !empty($http_auth)) {
>>>             $hash = base64_decode(str_replace('Basic ', '', $http_auth));
>>>
>>>
>>>
>>> and the other file like this: ?
>>>
>>>         // Parentheses keep the fallback order explicit (PHP's ?: is left-associative).
>>>         $http_auth = !empty($serverVars['HTTP_AUTHORIZATION'])
>>>             ? $serverVars['HTTP_AUTHORIZATION']
>>>             : (!empty($serverVars['REDIRECT_HTTP_AUTHORIZATION'])
>>>                 ? $serverVars['REDIRECT_HTTP_AUTHORIZATION']
>>>                 : "");
>>>
>>>         if (!empty($serverVars['PHP_AUTH_PW'])) {
>>>             $user = $serverVars['PHP_AUTH_USER'];
>>>             $pass = $serverVars['PHP_AUTH_PW'];
>>>         } elseif (!empty($http_auth) ||
>>>                   !empty($serverVars['Authorization'])) {
>>>             // Some clients use the non-standard 'Authorization' header.
>>>             $authorization = !empty($http_auth)
>>>                 ? $http_auth
>>>                 : $serverVars['Authorization'];
>>>
>>
>> No, this kind of workaround does not belong in code. You need to ensure the
>> auth data is correctly passed in an appropriate environment variable. This
>> is already discussed on the wiki page. See
>> http://wiki.horde.org/ActiveSync
>>
>>
>>
>>
>>
>>
>
> if that (workaround) (in fact it is a redirect feature from apache 2 that
> you cannot control until you have access to the Apache server..., )

So, you cannot set those directives in an .htaccess file? If not, how  
did you configure the redirects needed for ActiveSync in the first  
place?


> (HTTP_
> is a prefix feature too...)
> does not belong in code...
> how come, the same code/workaround is available in the files
> */libs/Sabre/HTTP/BasicAuth.php* and */libs/Sabre/HTTP/DigestAuth.php* ?

That is a third party library that we bundle. They chose to include it  
- that is their decision. We explicitly check for the  
HTTP_AUTHORIZATION environment variable in code - as many other PHP  
framework libraries do, including ZF. A quick Google search will show
the same .htaccess configuration suggested.


> are you saying that horde is not made for running on managed webhosting
> packages?

No, not at all. I'm saying you do need some minimum amount of  
configuration ability though.



-- 
mike
The Horde Project
http://www.horde.org
https://www.facebook.com/hordeproject
https://www.twitter.com/hordeproject
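
Added example (not part of the original message and not Horde's code): a diagnostic that reports which server variable, if any, carries the client's Authorization header after Apache's internal redirects, which is the question this thread turns on. The function name `locate_auth()` and the sample array with its credentials are constructed for illustration; the password is never printed.

```php
<?php
// Added diagnostic, not Horde code. locate_auth() and the sample are hypothetical.

/**
 * Scan a $_SERVER-style array for Authorization data.
 * Returns rows of [variable name, scheme, user]; the password is never returned.
 */
function locate_auth(array $server): array
{
    $found = [];
    if (!empty($server['PHP_AUTH_USER'])) {
        $found[] = ['PHP_AUTH_USER', 'Basic', $server['PHP_AUTH_USER']];
    }
    foreach ($server as $name => $value) {
        // Apache adds one REDIRECT_ prefix per internal redirect, so accept
        // HTTP_AUTHORIZATION with any number of prefixes.
        if (!is_string($value)
            || !preg_match('/^(REDIRECT_)*HTTP_AUTHORIZATION$/', (string) $name)) {
            continue;
        }
        $parts = preg_split('/\s+/', trim($value), 2);
        $user = null;
        if (strcasecmp($parts[0], 'Basic') === 0 && isset($parts[1])) {
            $decoded = base64_decode($parts[1], true); // strict: false on bad input
            if ($decoded !== false && strpos($decoded, ':') !== false) {
                // Split on the first colon only; passwords may contain ':'.
                $user = explode(':', $decoded, 2)[0];
            }
        }
        $found[] = [$name, $parts[0], $user];
    }
    return $found;
}

// Constructed sample reproducing the thread's symptom; credentials are made up.
$sample = [
    'REDIRECT_HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('user@example.com:pa:ss'),
];

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain; charset=utf-8'); // output is not HTML
}
$rows = locate_auth(PHP_SAPI === 'cli' ? $sample : $_SERVER);
foreach ($rows as [$name, $scheme, $user]) {
    printf("%s: scheme=%s user=%s\n", $name, $scheme, $user ?? '(not decodable)');
}
if (!$rows) {
    echo "No Authorization data reached PHP.\n";
}
```

Run it with the PHP CLI to see the constructed case, or request it through the same rewritten path as the ActiveSync endpoint to inspect the live environment, and remove it afterwards.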