[horde] ActiveSync not authenticating - 401 Unauthorized

OnkelM onkelm08 at gmail.com
Wed Jun 10 16:29:21 UTC 2015


2015-06-10 14:58 GMT+02:00 Michael J Rubinsky <mrubinsk at horde.org>:

>
> Quoting OnkelM <onkelm08 at gmail.com>:
>
>> On 09.06.2015 at 10:44 PM, "Michael J Rubinsky" <mrubinsk at horde.org> wrote:
>>>
>>>
>>> Quoting OnkelM <onkelm08 at gmail.com>:
>>>
>>>  2015-06-09 18:40 GMT+02:00 Michael J Rubinsky <mrubinsk at horde.org>:
>>>>
>>>>
>>>>> Quoting OnkelM <onkelm08 at gmail.com>:
>>>>>
>>>>>  2015-06-08 22:34 GMT+02:00 Michael J Rubinsky <mrubinsk at horde.org>:
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>  Quoting OnkelM <onkelm08 at gmail.com>:
>>>>>>>
>>>>>>> On 08.06.2015 at 9:45 PM, "Michael J Rubinsky" <mrubinsk at horde.org> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> Quoting OnkelM <onkelm08 at gmail.com>:
>>>>>>>>>
>>>>>>>>>  2015-06-08 21:19 GMT+02:00 Michael J Rubinsky <mrubinsk at horde.org
>>>>>>>>> >:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>  Quoting OnkelM <onkelm08 at gmail.com>:
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>  Hi Michael,
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> here is my config:
>>>>>>>>>>>>
>>>>>>>>>>>>  $conf['auth']['params']['app'] = 'imp';
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>  $conf['activesync']['auth']['type'] = 'basic';
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> $conf['activesync']['autodiscovery'] = 'full';
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>  Does your auth backend require full email addresses as
>>>>>>>>>>>>
>>>>>>>>>>> usernames?
>>
>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>  $conf['activesync']['enabled'] = true;
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> i am not using auth hooks, only the default settings
>>>>>>>>>>>>
>>>>>>>>>>>> so... where should is start to track it down? how?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Regards
>>>>>>>>>>>>
>>>>>>>>>>>> 2015-06-08 20:39 GMT+02:00 Michael J Rubinsky <
>>>>>>>>>>>> mrubinsk at horde.org
>>>>>>>>>>>>
>>>>>>>>>>> :
>>>
>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>  Quoting OnkelM <onkelm08 at gmail.com>:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>>  Hello,
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>  how is this happening? I made the following test request:
>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> POST https://horde-host/Microsoft-Server-ActiveSync
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>  ?DeviceType=WP8&Cmd=Provision&DeviceId=12345678901
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> HEADERS
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Accept:* */*
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Accept-Encoding:* gzip, deflate
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Accept-Language:* de
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Authorization:* Basic
>>>>>>>>>>>>>>> YWRtaW5Ab25rZWxtLmNvbTpCZDMwMDQ4NCM5NjQ0MA==
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Cache-Control:* no-cache
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Connection:* Keep-Alive
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Content-Length:* 600
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Content-Type:* application/vnd.ms-sync.wbxml
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Host:* horde-host
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Ms-Asprotocolversion:* 14.0
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *User-Agent:* runscope/0.1,ASOM
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *X-Ms-Policykey:* 0
>>>>>>>>>>>>>>> QUERYSTRING
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Cmd:* Provision
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *DeviceId:* 12345678901
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *DeviceType:* WP8
>>>>>>>>>>>>>>> BODY
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> <?xml version="1.0" encoding="utf-8" ?><Provision
>>>>>>>>>>>>>>>   xmlns="Provision:">
>>>>>>>>>>>>>>>   <DeviceInformation
>>>>>>>>>>>>>>>     xmlns="Settings:">
>>>>>>>>>>>>>>>     <Set>
>>>>>>>>>>>>>>>       <Model>RM-821_eu_euro2_248</Model>
>>>>>>>>>>>>>>>       <IMEI>imeiimeiimeiimeiimei</IMEI>
>>>>>>>>>>>>>>>       <FriendlyName>Lumia 920</FriendlyName>
>>>>>>>>>>>>>>>       <OS>Windows Phone 8.0.9903</OS>
>>>>>>>>>>>>>>>       <OSLanguage>German</OSLanguage>
>>>>>>>>>>>>>>>       <PhoneNumber>+0152xxxxxxxx</PhoneNumber>
>>>>>>>>>>>>>>>       <UserAgent>MSFT-WP/8.0.9903</UserAgent>
>>>>>>>>>>>>>>>       <EnableOutboundSMS>0</EnableOutboundSMS>
>>>>>>>>>>>>>>>     </Set>
>>>>>>>>>>>>>>>   </DeviceInformation>
>>>>>>>>>>>>>>>   <Policies>
>>>>>>>>>>>>>>>     <Policy>
>>>>>>>>>>>>>>>       <PolicyType>MS-EAS-Provisioning-WBXML</PolicyType>
>>>>>>>>>>>>>>>     </Policy>
>>>>>>>>>>>>>>>   </Policies></Provision>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>  And Horde is answering this:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>   401 Unauthorized
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>   HEADERS
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>   *Allow:* OPTIONS,POST
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Cache-Control:* private, max-age=10800, pre-check=10800
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Connection:* Keep-Alive
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Content-Encoding:* gzip
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Content-Type:* text/html
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Date:* Mon, 08 Jun 2015 18:17:07 GMT
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Expires:* Thu, 19 Nov 1981 08:52:00 GMT
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Keep-Alive:* timeout=2, max=1000
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Last-Modified:* Fri, 05 Jun 2015 15:28:26 GMT
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Ms-Asprotocolcommands:* Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Ms-Asprotocolversions:* 2.5,12.0,12.1,14.0,14.1
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Ms-Server-Activesync:* 14.2
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Public:* OPTIONS,POST
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Server:* Apache
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Set-Cookie:* PHPSESSID=8f3379819e428da3e5e28cf0b60c872c; path=/
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Transfer-Encoding:* chunked
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Vary:* Accept-Encoding
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> *Www-Authenticate:* Basic realm="Horde ActiveSync"
>>>>>>>>>>>>>>> BODY
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> (empty)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>  Why is Horde not accepting my login ?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>> Could be a number of reasons: Misconfigured ActiveSync settings
>>>>>>>>>>>>> (configured to use full email address as username but only sending
>>>>>>>>>>>>> username, or the reverse), misconfigured auth hooks, x509 cert
>>>>>>>>>>>>> misuse/configuration etc...
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> mike
>>>>>>>>>>>>> The Horde Project
>>>>>>>>>>>>> http://www.horde.org
>>>>>>>>>>>>> https://www.facebook.com/hordeproject
>>>>>>>>>>>>> https://www.twitter.com/hordeproject
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Horde mailing list
>>>>>>>>>>>>> Frequently Asked Questions: http://horde.org/faq/
>>>>>>>>>>>>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>  --
>>>>>>>>>>> mike
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>  Does your auth backend require full email addresses as
>>>>>>>>>>> usernames?
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> do you mean the horde setting or the imap login?
>>>>>>>>>> horde is configured to use full email address with @ and host,
>>>>>>>>>> tried to login to my imap server with the full email address as
>>>>>>>>>> username
>>>>>>>>>> and password and it worked
>>>>>>>>>> i can login to webmail in horde with the full email address as the
>>>>>>>>>> login
>>>>>>>>>> name and the password.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> ...and this is what you have explicitly typed into the ActiveSync
>>>>>>>>> client?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> mike
>>>>>>>>>
>>>>>>>>>
>>>>>>>> Sure I did it. I made sure I typed the username and password correctly
>>>>>>>> letter by letter.
>>>>>>>>
>>>>>>>>
>>>>>>> Then you are going to have to find out why Horde isn't receiving the
>>>>>>> correct password. Other possibilities are that the user in question doesn't
>>>>>>> have permissions to use ActiveSync - you can check this in the
>>>>>>> administrative permissions interface. Check the Horde log for any hints as
>>>>>>> well.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> mike
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>  Found the problem. It was indeed the mod_rewrite Prefix "REDIRECT_".
>>>>>>
>>>>>> Have to change the file*
>>>>>> /framework/ActiveSync/lib/Horde/ActiveSync/Credentials.php*
>>>>>> *from:*
>>>>>>
>>>>>>         } elseif (!empty($serverVars['HTTP_AUTHORIZATION']) ||
>>>>>>             !empty($serverVars['Authorization'])) {
>>>>>>             // Some clients use the non-standard 'Authorization' header.
>>>>>>             $authorization = !empty($serverVars['HTTP_AUTHORIZATION'])
>>>>>>                 ? $serverVars['HTTP_AUTHORIZATION']
>>>>>>
>>>>>> *to:*
>>>>>>
>>>>>>         } elseif (!empty($serverVars['REDIRECT_HTTP_AUTHORIZATION']) ||
>>>>>>             !empty($serverVars['Authorization'])) {
>>>>>>             // Some clients use the non-standard 'Authorization' header.
>>>>>>             $authorization = !empty($serverVars['REDIRECT_HTTP_AUTHORIZATION'])
>>>>>>                 ? $serverVars['REDIRECT_HTTP_AUTHORIZATION']
>>>>>>>
>>>>>>
>>>>>> maybe for outlook we also need to change the file
>>>>>> /framework/ActiveSync/lib/Horde/ActiveSync/Request/Autodiscover.php as
>>>>>> well
>>>>>> *from:*
>>>>>>
>>>>>>         if (empty($values) && !empty($server['HTTP_AUTHORIZATION'])) {
>>>>>>             $hash = base64_decode(str_replace('Basic ', '', $server['HTTP_AUTHORIZATION']));
>>>>>>
>>>>>> *to:*
>>>>>>
>>>>>>         if (empty($values) && !empty($server['REDIRECT_HTTP_AUTHORIZATION'])) {
>>>>>>             $hash = base64_decode(str_replace('Basic ', '', $server['REDIRECT_HTTP_AUTHORIZATION']));
>>>>>>
>>>>>>
>>>>>>
>>>>>> can someone add this to the git branch?
>>>>>> for example like this: ?
>>>>>>
>>>>>>         $http_auth = !empty($server['HTTP_AUTHORIZATION'])
>>>>>>             ? $server['HTTP_AUTHORIZATION']
>>>>>>             : (!empty($server['REDIRECT_HTTP_AUTHORIZATION'])
>>>>>>                 ? $server['REDIRECT_HTTP_AUTHORIZATION']
>>>>>>                 : "");
>>>>>>         if (empty($values) && !empty($http_auth)) {
>>>>>>             $hash = base64_decode(str_replace('Basic ', '', $http_auth));
>>>>>>>
>>>>>>
>>>>>> and the other file like this: ?
>>>>>>
>>>>>>         $http_auth = !empty($serverVars['HTTP_AUTHORIZATION'])
>>>>>>             ? $serverVars['HTTP_AUTHORIZATION']
>>>>>>             : (!empty($serverVars['REDIRECT_HTTP_AUTHORIZATION'])
>>>>>>                 ? $serverVars['REDIRECT_HTTP_AUTHORIZATION']
>>>>>>                 : "");
>>>>>>
>>>>>>         if (!empty($serverVars['PHP_AUTH_PW'])) {
>>>>>>             $user = $serverVars['PHP_AUTH_USER'];
>>>>>>             $pass = $serverVars['PHP_AUTH_PW'];
>>>>>>         } elseif (!empty($http_auth) ||
>>>>>>             !empty($serverVars['Authorization'])) {
>>>>>>             // Some clients use the non-standard 'Authorization' header.
>>>>>>             $authorization = !empty($http_auth)
>>>>>>                 ? $http_auth
>>>>>>                 : $serverVars['Authorization'];
>>>>>>>
>>>>>>
>>>>> No, this kind of workaround does not belong in code. You need to ensure the
>>>>> auth data is correctly passed in an appropriate environment variable. This
>>>>> is already discussed on the wiki page. See
>>>>> http://wiki.horde.org/ActiveSync
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> mike
>>>>>
>>>>>
>>>>>
>>>> if that (workaround) (in fact it is a redirect feature from apache 2
>>>> that
>>>> you cannot control untill you have access to the apache server..., )
>>>
>>> So, you cannot set those directives in an .htaccess file? If not, how did
>>> you configure the redirects needed for ActiveSync in the first place?
>>>
>>>> (HTTP_ is a prefix feature too...)
>>>> does not belong in code...
>>>> how come, the same code/workaround is available in the files
>>>> */libs/Sabre/HTTP/BasicAuth.php* and */libs/Sabre/HTTP/DigestAuth.php* ?
>>>
>>> That is a third party library that we bundle. They chose to include it -
>>> that is their decision. We explicitly check for the HTTP_AUTHORIZATION
>>> environment variable in code - as many other PHP framework libraries do,
>>> including ZF. A quick google search will show the same .htaccess
>>> configuration suggested.
>>>
>>>> are you saying that horde is not made for running on managed webhosting
>>>> packages?
>>>
>>> No, not at all. I'm saying you do need some minimum amount of
>>> configuration ability though.
>>
>>>
>>>
>>>
>>>
>>> --
>>> mike
>>>
>>>
>> I did not say that i cannot change things. I am able to use .htaccess
>>
>
> Then I misunderstood your comment, "you cannot control untill you have
> access to the apache server..., )".
>
>
>
>> And as you mentioned, horde web is running because of those settings.
>>
>> Here is the Authorization line:
>>     RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
>>
>> And when i do var_dump($_SERVER); i get that var but with the prefix
>> REDIRECT_
>>
>
> Try:
>
> SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
>
>
>
>
> --
> mike
>
>
thanks for your help michael,

tried to add SetEnvIf in .htaccess and did var_dump $_SERVER. Result is

> ["REDIRECT_HTTP_AUTHORIZATION"]=>
> string(0) ""
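
An added diagnostic, not part of the original thread and not Horde code: it checks the `$_SERVER` keys discussed above and reports where the Authorization data arrived without printing the password, which a raw `var_dump($_SERVER)` would expose. The function names and the sample credential are assumptions made up for this illustration.

```php
<?php
// Added diagnostic sketch, not Horde code: reports which $_SERVER key carries
// the Authorization header without echoing the credential.

function find_auth_header(array $server): ?array
{
    // Keys named in the thread; the REDIRECT_ variant appears when the
    // variable was set before an internal redirect.
    foreach (['HTTP_AUTHORIZATION', 'Authorization', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (!empty($server[$key])) {
            return [$key, $server[$key]];
        }
    }
    return null;
}

function parse_basic(string $header): ?array
{
    if (!preg_match('/^Basic\s+(\S+)$/i', trim($header), $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true); // strict mode rejects non-base64 input
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2); // first colon only; passwords may contain ':'
}

function describe_auth(array $server): string
{
    if (!empty($server['PHP_AUTH_PW'])) {
        return 'PHP_AUTH_USER/PHP_AUTH_PW are set';
    }
    $found = find_auth_header($server);
    if ($found === null) {
        return 'no Authorization data reached PHP';
    }
    [$key, $value] = $found;
    $creds = parse_basic($value);
    if ($creds === null) {
        return "$key is present but is not well-formed Basic auth";
    }
    return sprintf('%s: Basic auth, user "%s", password length %d', $key, $creds[0], strlen($creds[1]));
}

// Constructed samples (not real credentials): the prefixed-only case, then the
// empty value reported in the last message above.
$sample = 'Basic ' . base64_encode('user@example.com:not-a-real-password');
echo describe_auth(['REDIRECT_HTTP_AUTHORIZATION' => $sample]), "\n";
echo describe_auth(['REDIRECT_HTTP_AUTHORIZATION' => '']), "\n";
```

Passing `$_SERVER` to `describe_auth()` from a temporary page behind the same rewrite rules gives the live result; remove the page once the check is done.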

