[horde] ActiveSync not authenticating - 401 Unauthorized
OnkelM
onkelm08 at gmail.com
Wed Jun 10 04:50:53 UTC 2015
On 09.06.2015 at 10:44 PM, "Michael J Rubinsky" <mrubinsk at horde.org> wrote:
>
>
> Quoting OnkelM <onkelm08 at gmail.com>:
>
>> 2015-06-09 18:40 GMT+02:00 Michael J Rubinsky <mrubinsk at horde.org>:
>>
>>>
>>> Quoting OnkelM <onkelm08 at gmail.com>:
>>>
>>> 2015-06-08 22:34 GMT+02:00 Michael J Rubinsky <mrubinsk at horde.org>:
>>>>
>>>>
>>>>
>>>>> Quoting OnkelM <onkelm08 at gmail.com>:
>>>>>
>>>>> On 08.06.2015 at 9:45 PM, "Michael J Rubinsky" <mrubinsk at horde.org> wrote:
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> Quoting OnkelM <onkelm08 at gmail.com>:
>>>>>>>
>>>>>>> 2015-06-08 21:19 GMT+02:00 Michael J Rubinsky <mrubinsk at horde.org>:
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Quoting OnkelM <onkelm08 at gmail.com>:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Hi Michael,
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> here is my config:
>>>>>>>>>>
>>>>>>>>>> $conf['auth']['params']['app'] = 'imp';
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> $conf['activesync']['auth']['type'] = 'basic';
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> $conf['activesync']['autodiscovery'] = 'full';
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Does your auth backend require full email addresses as usernames?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> $conf['activesync']['enabled'] = true;
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I am not using auth hooks, only the default settings
>>>>>>>>>>
>>>>>>>>>> so... where should I start to track it down? how?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>>
>>>>>>>>>> 2015-06-08 20:39 GMT+02:00 Michael J Rubinsky <mrubinsk at horde.org>:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Quoting OnkelM <onkelm08 at gmail.com>:
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> how is this happening? I made the following test request:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> POST https://horde-host/Microsoft-Server-ActiveSync?DeviceType=WP8&Cmd=Provision&DeviceId=12345678901
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> HEADERS
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Accept:* */*
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Accept-Encoding:* gzip, deflate
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Accept-Language:* de
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Authorization:* Basic
>>>>>>>>>>>>> YWRtaW5Ab25rZWxtLmNvbTpCZDMwMDQ4NCM5NjQ0MA==
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Cache-Control:* no-cache
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Connection:* Keep-Alive
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Content-Length:* 600
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Content-Type:* application/vnd.ms-sync.wbxml
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Host:* horde-host
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Ms-Asprotocolversion:* 14.0
>>>>>>>>>>>>>
>>>>>>>>>>>>> *User-Agent:* runscope/0.1,ASOM
>>>>>>>>>>>>>
>>>>>>>>>>>>> *X-Ms-Policykey:* 0
>>>>>>>>>>>>> QUERYSTRING
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Cmd:* Provision
>>>>>>>>>>>>>
>>>>>>>>>>>>> *DeviceId:* 12345678901
>>>>>>>>>>>>>
>>>>>>>>>>>>> *DeviceType:* WP8
>>>>>>>>>>>>> BODY
>>>>>>>>>>>>>
>>>>>>>>>>>>> <?xml version="1.0" encoding="utf-8" ?><Provision
>>>>>>>>>>>>> xmlns="Provision:">
>>>>>>>>>>>>> <DeviceInformation
>>>>>>>>>>>>> xmlns="Settings:">
>>>>>>>>>>>>> <Set>
>>>>>>>>>>>>> <Model>RM-821_eu_euro2_248</Model>
>>>>>>>>>>>>> <IMEI>imeiimeiimeiimeiimei</IMEI>
>>>>>>>>>>>>> <FriendlyName>Lumia 920</FriendlyName>
>>>>>>>>>>>>> <OS>Windows Phone 8.0.9903</OS>
>>>>>>>>>>>>> <OSLanguage>German</OSLanguage>
>>>>>>>>>>>>> <PhoneNumber>+0152xxxxxxxx</PhoneNumber>
>>>>>>>>>>>>> <UserAgent>MSFT-WP/8.0.9903</UserAgent>
>>>>>>>>>>>>> <EnableOutboundSMS>0</EnableOutboundSMS>
>>>>>>>>>>>>> </Set>
>>>>>>>>>>>>> </DeviceInformation>
>>>>>>>>>>>>> <Policies>
>>>>>>>>>>>>> <Policy>
>>>>>>>>>>>>> <PolicyType>MS-EAS-Provisioning-WBXML</PolicyType>
>>>>>>>>>>>>> </Policy>
>>>>>>>>>>>>> </Policies></Provision>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> And Horde is answering this:
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> 401 Unauthorized
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> HEADERS
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>> *Allow:* OPTIONS,POST
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Cache-Control:* private, max-age=10800, pre-check=10800
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Connection:* Keep-Alive
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Content-Encoding:* gzip
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Content-Type:* text/html
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Date:* Mon, 08 Jun 2015 18:17:07 GMT
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Expires:* Thu, 19 Nov 1981 08:52:00 GMT
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Keep-Alive:* timeout=2, max=1000
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Last-Modified:* Fri, 05 Jun 2015 15:28:26 GMT
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Ms-Asprotocolcommands:* Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Ms-Asprotocolversions:* 2.5,12.0,12.1,14.0,14.1
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Ms-Server-Activesync:* 14.2
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Public:* OPTIONS,POST
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Server:* Apache
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Set-Cookie:* PHPSESSID=8f3379819e428da3e5e28cf0b60c872c; path=/
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Transfer-Encoding:* chunked
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Vary:* Accept-Encoding
>>>>>>>>>>>>>
>>>>>>>>>>>>> *Www-Authenticate:* Basic realm="Horde ActiveSync"
>>>>>>>>>>>>> BODY
>>>>>>>>>>>>>
>>>>>>>>>>>>> (empty)
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Why is Horde not accepting my login ?
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> Could be a number of reasons: Misconfigured ActiveSync settings
>>>>>>>>>>> (configured to use full email address as username but only sending
>>>>>>>>>>> username, or the reverse), misconfigured auth hooks, x509 cert
>>>>>>>>>>> misuse/configuration etc...
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> mike
>>>>>>>>>>> The Horde Project
>>>>>>>>>>> http://www.horde.org
>>>>>>>>>>> https://www.facebook.com/hordeproject
>>>>>>>>>>> https://www.twitter.com/hordeproject
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Horde mailing list
>>>>>>>>>>> Frequently Asked Questions: http://horde.org/faq/
>>>>>>>>>>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> mike
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Does your auth backend require full email addresses as usernames?
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> do you mean the horde setting or the imap login?
>>>>>>>> horde is configured to use full email address with @ and host,
>>>>>>>> tried to login to my imap server with the full email address as
>>>>>>>> username
>>>>>>>> and password and it worked
>>>>>>>> i can login to webmail in horde with the full email address as the
>>>>>>>> login
>>>>>>>> name and the password.
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> ...and this is what you have explicitly typed into the ActiveSync
>>>>>>> client?
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> mike
>>>>>>>
>>>>>>>
>>>>>> Sure I did it. I made sure I typed the username and password correctly
>>>>>> letter by letter.
>>>>>>
>>>>>>
>>>>> Then you are going to have to find out why Horde isn't receiving the
>>>>> correct password. Other possibilities are that the user in question
>>>>> doesn't have permissions to use ActiveSync - you can check this in the
>>>>> administrative permissions interface. Check the Horde log for any hints
>>>>> as well.
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> mike
>>>>>
>>>>>
>>>>>
>>>> Found the problem. It was indeed the mod_rewrite Prefix "REDIRECT_".
>>>>
>>>> Have to change the file
>>>> /framework/ActiveSync/lib/Horde/ActiveSync/Credentials.php
>>>> from:
>>>>
>>>>     } elseif (!empty($serverVars['HTTP_AUTHORIZATION']) ||
>>>>         !empty($serverVars['Authorization'])) {
>>>>         // Some clients use the non-standard 'Authorization' header.
>>>>         $authorization = !empty($serverVars['HTTP_AUTHORIZATION'])
>>>>             ? $serverVars['HTTP_AUTHORIZATION']
>>>>
>>>> to:
>>>>
>>>>     } elseif (!empty($serverVars['REDIRECT_HTTP_AUTHORIZATION']) ||
>>>>         !empty($serverVars['Authorization'])) {
>>>>         // Some clients use the non-standard 'Authorization' header.
>>>>         $authorization = !empty($serverVars['REDIRECT_HTTP_AUTHORIZATION'])
>>>>             ? $serverVars['REDIRECT_HTTP_AUTHORIZATION']
>>>>
>>>> maybe for outlook we also need to change the file
>>>> /framework/ActiveSync/lib/Horde/ActiveSync/Request/Autodiscover.php as well
>>>> from:
>>>>
>>>>     if (empty($values) && !empty($server['HTTP_AUTHORIZATION'])) {
>>>>         $hash = base64_decode(str_replace('Basic ', '', $server['HTTP_AUTHORIZATION']));
>>>>
>>>> to:
>>>>
>>>>     if (empty($values) && !empty($server['REDIRECT_HTTP_AUTHORIZATION'])) {
>>>>         $hash = base64_decode(str_replace('Basic ', '', $server['REDIRECT_HTTP_AUTHORIZATION']));
>>>>
>>>> can someone add this to the git branch?
>>>> for example like this: ?
>>>>
>>>>     // Inner ternary is parenthesized: PHP does not evaluate a bare nested
>>>>     // ternary right to left.
>>>>     $http_auth = !empty($server['HTTP_AUTHORIZATION'])
>>>>         ? $server['HTTP_AUTHORIZATION']
>>>>         : (!empty($server['REDIRECT_HTTP_AUTHORIZATION'])
>>>>             ? $server['REDIRECT_HTTP_AUTHORIZATION'] : "");
>>>>     if (empty($values) && !empty($http_auth)) {
>>>>         $hash = base64_decode(str_replace('Basic ', '', $http_auth));
>>>>
>>>> and the other file like this: ?
>>>>
>>>>     $http_auth = !empty($serverVars['HTTP_AUTHORIZATION'])
>>>>         ? $serverVars['HTTP_AUTHORIZATION']
>>>>         : (!empty($serverVars['REDIRECT_HTTP_AUTHORIZATION'])
>>>>             ? $serverVars['REDIRECT_HTTP_AUTHORIZATION'] : "");
>>>>
>>>>     if (!empty($serverVars['PHP_AUTH_PW'])) {
>>>>         $user = $serverVars['PHP_AUTH_USER'];
>>>>         $pass = $serverVars['PHP_AUTH_PW'];
>>>>     } elseif (!empty($http_auth) ||
>>>>         !empty($serverVars['Authorization'])) {
>>>>         // Some clients use the non-standard 'Authorization' header.
>>>>         $authorization = !empty($http_auth)
>>>>             ? $http_auth
>>>>             : $serverVars['Authorization'];
>>>>
>>>
>>> No, this kind of workaround does not belong in code. You need to ensure the
>>> auth data is correctly passed in an appropriate environment variable. This
>>> is already discussed on the wiki page. See
>>> http://wiki.horde.org/ActiveSync
>>>
>>>
>>>
>>>
>>> --
>>> mike
>>>
>>>
>>
>> if that (workaround) (in fact it is a redirect feature from apache 2 that
>> you cannot control until you have access to the apache server..., )
>
>
> So, you cannot set those directives in an .htaccess file? If not, how did
> you configure the redirects needed for ActiveSync in the first place?
>
>
>> (HTTP_
>> is a prefix feature too...)
>> does not belong in code...
>> how come, the same code/workaround is available in the files
>> */libs/Sabre/HTTP/BasicAuth.php* and */libs/Sabre/HTTP/DigestAuth.php* ?
>
>
> That is a third party library that we bundle. They chose to include it -
> that is their decision. We explicitly check for the HTTP_AUTHORIZATION
> environment variable in code - as many other PHP framework libraries do,
> including ZF. A quick google search will show the same .htaccess
> configuration suggested.
>
>
>
>> are you saying that horde is not made for running on managed webhosting
>> packages?
>
>
> No, not at all. I'm saying you do need some minimum amount of
> configuration ability though.
>
>
>
>
> --
> mike
>
I did not say that I cannot change things. I am able to use .htaccess.
And as you mentioned, horde web is running because of those settings.
Here is the Authorization line:
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
And when I do var_dump($_SERVER); I get that var but with the prefix
REDIRECT_
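
A diagnostic for the situation in this thread, as an added example (not Horde code and not written by either poster): it reports which $_SERVER key carries the Basic credentials and whether that key is one the quoted Credentials.php excerpt reads, without echoing the password the way a full var_dump($_SERVER) does. The function names and the sample array are assumptions constructed for illustration.

```php
<?php
// Added example, not part of Horde. locate_basic_auth() and
// describe_auth_source() are hypothetical helper names.

function locate_basic_auth(array $server)
{
    // Keys read by the Credentials.php excerpt quoted in this thread.
    $readByHorde = array('PHP_AUTH_PW', 'HTTP_AUTHORIZATION', 'Authorization');

    // PHP fills PHP_AUTH_* itself when it receives the header directly.
    if (!empty($server['PHP_AUTH_PW'])) {
        $user = isset($server['PHP_AUTH_USER']) ? $server['PHP_AUTH_USER'] : '';
        return describe_auth_source('PHP_AUTH_PW', $user, $readByHorde);
    }

    // Otherwise probe the rewrite-provided names, including the variants
    // that carry one or two REDIRECT_ prefixes after internal redirects.
    $candidates = array('HTTP_AUTHORIZATION', 'Authorization',
        'REDIRECT_HTTP_AUTHORIZATION', 'REDIRECT_REDIRECT_HTTP_AUTHORIZATION');
    foreach ($candidates as $key) {
        if (empty($server[$key]) || stripos($server[$key], 'Basic ') !== 0) {
            continue;
        }
        $decoded = base64_decode(substr($server[$key], 6), true);
        if ($decoded === false || strpos($decoded, ':') === false) {
            continue; // not a well-formed user:password pair
        }
        list($user) = explode(':', $decoded, 2);
        return describe_auth_source($key, $user, $readByHorde);
    }
    return null; // the header did not reach PHP under any of these names
}

function describe_auth_source($key, $user, array $readByHorde)
{
    return array(
        'found_in'      => $key,
        'user'          => $user, // the password is deliberately not returned
        'has_domain'    => strpos($user, '@') !== false,
        'read_by_horde' => in_array($key, $readByHorde, true),
    );
}

// Constructed sample mirroring what the poster saw: the value is present
// only under the REDIRECT_ prefix. The credentials are made up.
$sample = array(
    'REQUEST_METHOD' => 'POST',
    'REDIRECT_HTTP_AUTHORIZATION' =>
        'Basic ' . base64_encode('user@example.com:not-a-real-password'),
);
print_r(locate_basic_auth($sample));
```

Passing the real $_SERVER instead of $sample from a temporary script on the ActiveSync URL shows whether the rewrite rule delivered the header under a name Horde checks.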