[horde] ActiveSync not authenticating - 401 Unauthorized
Michael J Rubinsky
mrubinsk at horde.org
Wed Jun 10 12:58:09 UTC 2015
Quoting OnkelM <onkelm08 at gmail.com>:
> Am 09.06.2015 10:44 nachm. schrieb "Michael J Rubinsky" <mrubinsk at horde.org
>> :
>>
>>
>> Quoting OnkelM <onkelm08 at gmail.com>:
>>
>>> 2015-06-09 18:40 GMT+02:00 Michael J Rubinsky <mrubinsk at horde.org>:
>>>
>>>>
>>>> Quoting OnkelM <onkelm08 at gmail.com>:
>>>>
>>>> 2015-06-08 22:34 GMT+02:00 Michael J Rubinsky <mrubinsk at horde.org>:
>>>>>
>>>>>
>>>>>
>>>>>> Quoting OnkelM <onkelm08 at gmail.com>:
>>>>>>
>>>>>> Am 08.06.2015 9:45 nachm. schrieb "Michael J Rubinsky" <
>>>>>>
>>>>>>> mrubinsk at horde.org>:
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> Quoting OnkelM <onkelm08 at gmail.com>:
>>>>>>>>
>>>>>>>> 2015-06-08 21:19 GMT+02:00 Michael J Rubinsky <mrubinsk at horde.org>:
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Quoting OnkelM <onkelm08 at gmail.com>:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Hi Michael,
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> here is my config:
>>>>>>>>>>>
>>>>>>>>>>> $conf['auth']['params']['app'] = 'imp';
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> $conf['activesync']['auth']['type'] = 'basic';
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> $conf['activesync']['autodiscovery'] = 'full';
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Does your auth backend require full email addresses as
> usernames?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> $conf['activesync']['enabled'] = true;
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> i am not using auth hooks, only the default settings
>>>>>>>>>>>
>>>>>>>>>>> so... where should is start to track it down? how?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Gruß
>>>>>>>>>>>
>>>>>>>>>>> 2015-06-08 20:39 GMT+02:00 Michael J Rubinsky <mrubinsk at horde.org
>> :
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Quoting OnkelM <onkelm08 at gmail.com>:
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Hello,
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> how is this happening? I made the following test request:
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> POST https://horde-host/Microsoft-Server-ActiveSync
>>>>>>>>>>>>>
>>>>>>>>>>>>> ?DeviceType=WP8&Cmd=Provision&DeviceId=12345678901
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> HEADERS
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Accept:* */*
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Accept-Encoding:* gzip, deflate
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Accept-Language:* de
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Authorization:* Basic
>>>>>>>>>>>>>> YWRtaW5Ab25rZWxtLmNvbTpCZDMwMDQ4NCM5NjQ0MA==
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Cache-Control:* no-cache
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Connection:* Keep-Alive
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Content-Length:* 600
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Content-Type:* application/vnd.ms-sync.wbxml
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Host:* horde-host
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Ms-Asprotocolversion:* 14.0
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *User-Agent:* runscope/0.1,ASOM
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *X-Ms-Policykey:* 0
>>>>>>>>>>>>>> QUERYSTRING
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Cmd:* Provision
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *DeviceId:* 12345678901
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *DeviceType:* WP8
>>>>>>>>>>>>>> BODY
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> <?xml version="1.0" encoding="utf-8" ?><Provision
>>>>>>>>>>>>>> xmlns="Provision:">
>>>>>>>>>>>>>> <DeviceInformation
>>>>>>>>>>>>>> xmlns="Settings:">
>>>>>>>>>>>>>> <Set>
>>>>>>>>>>>>>> <Model>RM-821_eu_euro2_248</Model>
>>>>>>>>>>>>>> <IMEI>imeiimeiimeiimeiimei</IMEI>
>>>>>>>>>>>>>> <FriendlyName>Lumia 920</FriendlyName>
>>>>>>>>>>>>>> <OS>Windows Phone 8.0.9903</OS>
>>>>>>>>>>>>>> <OSLanguage>German</OSLanguage>
>>>>>>>>>>>>>> <PhoneNumber>+0152xxxxxxxx</PhoneNumber>
>>>>>>>>>>>>>> <UserAgent>MSFT-WP/8.0.9903</UserAgent>
>>>>>>>>>>>>>> <EnableOutboundSMS>0</EnableOutboundSMS>
>>>>>>>>>>>>>> </Set>
>>>>>>>>>>>>>> </DeviceInformation>
>>>>>>>>>>>>>> <Policies>
>>>>>>>>>>>>>> <Policy>
>>>>>>>>>>>>>> <PolicyType>MS-EAS-Provisioning-WBXML</PolicyType>
>>>>>>>>>>>>>> </Policy>
>>>>>>>>>>>>>> </Policies></Provision>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> And Horde is answering this:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 401 Unauthorized
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> HEADERS
>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>> *Allow:* OPTIONS,POST
>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Cache-Control:* private, max-age=10800, pre-check=10800
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Connection:* Keep-Alive
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Content-Encoding:* gzip
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Content-Type:* text/html
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Date:* Mon, 08 Jun 2015 18:17:07 GMT
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Expires:* Thu, 19 Nov 1981 08:52:00 GMT
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Keep-Alive:* timeout=2, max=1000
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Last-Modified:* Fri, 05 Jun 2015 15:28:26 GMT
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Ms-Asprotocolcommands:*
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>
> Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert
>>>>>>>
>>>>>>>
>>>>>>>> *Ms-Asprotocolversions:* 2.5,12.0,12.1,14.0,14.1
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Ms-Server-Activesync:* 14.2
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Public:* OPTIONS,POST
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Server:* Apache
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Set-Cookie:* PHPSESSID=8f3379819e428da3e5e28cf0b60c872c;
> path=/
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Transfer-Encoding:* chunked
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Vary:* Accept-Encoding
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> *Www-Authenticate:* Basic realm="Horde ActiveSync"
>>>>>>>>>>>>>> BODY
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> (empty)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Why is Horde not accepting my login ?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Could be a number of reasons: Misconfigured ActiveSync
> settings
>>>>>>>>>>>>>
>>>>>>>>>>>> (configured to use full email address as username but only
> sending
>>>>>>>>>>>> username, or the reverse), misconfigured auth hooks, x509 cert
>>>>>>>>>>>> misuse/configuration etc...
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> mike
>>>>>>>>>>>> The Horde Project
>>>>>>>>>>>> http://www.horde.org
>>>>>>>>>>>> https://www.facebook.com/hordeproject
>>>>>>>>>>>> https://www.twitter.com/hordeproject
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Horde mailing list
>>>>>>>>>>>> Frequently Asked Questions: http://horde.org/faq/
>>>>>>>>>>>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> mike
>>>>>>>>>> The Horde Project
>>>>>>>>>> http://www.horde.org
>>>>>>>>>> https://www.facebook.com/hordeproject
>>>>>>>>>> https://www.twitter.com/hordeproject
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Horde mailing list
>>>>>>>>>> Frequently Asked Questions: http://horde.org/faq/
>>>>>>>>>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Does your auth backend require full email addresses as usernames?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> do you mean the horde setting or the imap login?
>>>>>>>>> horde is configured to use full email address with @ and host,
>>>>>>>>> tried to login to my imap server with the full email address as
>>>>>>>>> username
>>>>>>>>> and password and it worked
>>>>>>>>> i can login to webmail in horde with the full email address as the
>>>>>>>>> login
>>>>>>>>> name and the password.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> ...and this is what you have explicitly typed into the ActiveSync
>>>>>>>> client?
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> mike
>>>>>>>> The Horde Project
>>>>>>>> http://www.horde.org
>>>>>>>> https://www.facebook.com/hordeproject
>>>>>>>> https://www.twitter.com/hordeproject
>>>>>>>>
>>>>>>>> --
>>>>>>>> Horde mailing list
>>>>>>>> Frequently Asked Questions: http://horde.org/faq/
>>>>>>>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>>>>>>>
>>>>>>>>
>>>>>>>> Sure i did it. I made sure i typed the username and password
> correctly
>>>>>>>
>>>>>>> letter by letter.
>>>>>>>
>>>>>>>
>>>>>> Then you are going to have to find out why Horde isn't receiving the
>>>>>> correct password. Other possibilities are that the user in question
>>>>>> doesn't
>>>>>> have permissions to use ActiveSync - you can check this in the
>>>>>> administrative permissions interface. Check the Horde log for any
> hints
>>>>>> as
>>>>>> well.
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> mike
>>>>>> The Horde Project
>>>>>> http://www.horde.org
>>>>>> https://www.facebook.com/hordeproject
>>>>>> https://www.twitter.com/hordeproject
>>>>>>
>>>>>> --
>>>>>> Horde mailing list
>>>>>> Frequently Asked Questions: http://horde.org/faq/
>>>>>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>>>>>
>>>>>>
>>>>>>
>>>>> Found the problem. It was indeed the mod_rewrite Prefix "REDIRECT_".
>>>>>
>>>>> Have to change the file*
>>>>> /framework/ActiveSync/lib/Horde/ActiveSync/Credentials.php*
>>>>> *from:*
>>>>>
>>>>> } elseif (!empty($serverVars['HTTP_AUTHORIZATION']) ||
>>>>>>
>>>>>> !empty($serverVars['Authorization'])) {
>>>>>> // Some clients use the non-standard 'Authorization'
> header.
>>>>>> $authorization = !empty($serverVars['HTTP_AUTHORIZATION'])
>>>>>> ? $serverVars['HTTP_AUTHORIZATION']
>>>>>>
>>>>>
>>>>>
>>>>> *to:*
>>>>>
>>>>> } elseif
> (!empty($serverVars['*REDIRECT_*HTTP_AUTHORIZATION']) ||
>>>>>>
>>>>>> !empty($serverVars['Authorization'])) {
>>>>>> // Some clients use the non-standard 'Authorization'
> header.
>>>>>> $authorization = !empty($serverVars['*REDIRECT_*
>>>>>> HTTP_AUTHORIZATION'])
>>>>>> ? $serverVars['*REDIRECT_*HTTP_AUTHORIZATION']
>>>>>>
>>>>>
>>>>>
>>>>> maybe for outlook we also need to change the file
>>>>> /framework/ActiveSync/lib/Horde/ActiveSync/Request/Autodiscover.php as
>>>>> well
>>>>> *from:*
>>>>>
>>>>> if (empty($values) && !empty($server['HTTP_AUTHORIZATION']))
> {
>>>>>>
>>>>>> $hash = base64_decode(str_replace('Basic ', '',
>>>>>> $server['HTTP_AUTHORIZATION']));
>>>>>>
>>>>>
>>>>>
>>>>> *to:*
>>>>>
>>>>> if (empty($values) &&
>>>>>>
>>>>>> !empty($server['*REDIRECT_*HTTP_AUTHORIZATION']))
>>>>>> {
>>>>>> $hash = base64_decode(str_replace('Basic ', '', $server['
>>>>>> *REDIRECT_*HTTP_AUTHORIZATION']));
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> can someone add this to the git branch?
>>>>> for example like this: ?
>>>>>
>>>>> *$http_auth = !empty($server['HTTP_AUTHORIZATION']) ?
>>>>>>
>>>>>> $server['HTTP_AUTHORIZATION'] :
>>>>>> !empty($server['REDIRECT_HTTP_AUTHORIZATION']) ?
>>>>>> $server['REDIRECT_HTTP_AUTHORIZATION] : "";*
>>>>>> if (empty($values) && !empty(*$http_auth*)) {
>>>>>> $hash = base64_decode(str_replace('Basic ', '',
>>>>>> *$http_auth*);
>>>>>>
>>>>>
>>>>>
>>>>> and the other file like this: ?
>>>>>
>>>>> * $http_auth = !empty($serverVars['HTTP_AUTHORIZATION']) ?
>>>>>
>>>>>> $serverVars['HTTP_AUTHORIZATION'] :
>>>>>> !empty($serverVars['REDIRECT_HTTP_AUTHORIZATION']) ?
>>>>>> $serverVars['REDIRECT_HTTP_AUTHORIZATION'] : "";*
>>>>>>
>>>>>
>>>>> if (!empty($serverVars['PHP_AUTH_PW'])) {
>>>>>
>>>>>> $user = $serverVars['PHP_AUTH_USER'];
>>>>>> $pass = $serverVars['PHP_AUTH_PW'];
>>>>>> } elseif (!empty(*$http_auth*) ||
>>>>>> !empty($serverVars['Authorization'])) {
>>>>>> // Some clients use the non-standard 'Authorization'
> header.
>>>>>> $authorization = !empty(*$http_auth*)
>>>>>> ? *$http_auth*
>>>>>> : $serverVars['Authorization'];
>>>>>>
>>>>>
>>>>
>>>> No, this can of workaround does not belong in code. You need to ensure
> the
>>>> auth data is correctly passed in an appropriate environment variable.
> This
>>>> is already discussed on the wiki page. See
>>>> http://wiki.horde.org/ActiveSync
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> mike
>>>> The Horde Project
>>>> http://www.horde.org
>>>> https://www.facebook.com/hordeproject
>>>> https://www.twitter.com/hordeproject
>>>>
>>>> --
>>>> Horde mailing list
>>>> Frequently Asked Questions: http://horde.org/faq/
>>>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>>>
>>>>
>>>
>>> if that (workaround) (in fact it is a redirect feature from apache 2 that
>>> you cannot control untill you have access to the apache server..., )
>>
>>
>> So, you cannot set those directives in an .htaccess file? If not, how did
> you configure the redirects needed for ActiveSync in the first place?
>>
>>
>>> (HTTP_
>>> is a prefix feature too...)
>>> does not belong in code...
>>> how come, the same code/workaround is available in the files
>>> */libs/Sabre/HTTP/BasicAuth.php* and */libs/Sabre/HTTP/DigestAuth.php* ?
>>
>>
>> That is a third party library that we bundle. They chose to include it -
> that is their decision. We explicitly check for the HTTP_AUTHORIZATION
> environment variable in code - as many other PHP framework libraries do,
> including ZF. A quick google search will so the same .htaccess
> configuration suggested.
>>
>>
>>
>>> are you saying that horde is not made for running on managed webhosting
>>> packages?
>>
>>
>> No, not at all. I'm saying you do need some minimum amount of
> configuration ability though.
>>
>>
>>
>>
>> --
>> mike
>> The Horde Project
>> http://www.horde.org
>> https://www.facebook.com/hordeproject
>> https://www.twitter.com/hordeproject
>>
>> --
>> Horde mailing list
>> Frequently Asked Questions: http://horde.org/faq/
>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>
>
> I did not say that i cannot change things. I am able to use .htaccess
Then I misunderstood your comment, "you cannot control untill you have
access to the apache server..., )".
>
> And as you mentioned, horde web is running because of those settings.
>
> Here is the Autorization line:
> RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
>
> And when i do var_dump($_SERVER); i get that var but with the prefix
> REDIRECT_
Try:
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
--
mike
The Horde Project
http://www.horde.org
https://www.facebook.com/hordeproject
https://www.twitter.com/hordeproject
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5869 bytes
Desc: S/MIME Signature
URL: <http://lists.horde.org/archives/horde/attachments/20150610/7d10a56d/attachment.bin>
More information about the horde
mailing list