Author |
Message |
ser11 Brekeke Newbie
Joined: 24 Jan 2012 Posts: 2
|
Posted: Tue Jan 24, 2012 3:30 am Post subject: 403 recieved on registration. |
|
|
1. Brekeke Product Name and version: 2.4.8.6
2. Java version:
3. OS type and the version: Win 2000/XP
4. UA (phone), gateway or other hardware/software involved:
5. Select your network pattern from http://www.brekeke-sip.com/bbs/network/networkpatterns.html :
6. Your problem:
Sending first Registartion message with authontication header.
The header contains User name,realm and URI.
The same realm is configured at the BSS as well.
When Register message is sent to the BSS, it recives 403 Forbidden instead of 401.
Please advise
Thx |
|
Back to top |
|
james Brekeke Master Guru
Joined: 10 Dec 2007 Posts: 501
|
Posted: Tue Jan 24, 2012 10:36 am Post subject: |
|
|
403 will happen if a realm or/and username are not correct.
Ae you sure you set correct realm and username in Proxy-Authorization or Authorization header?
Also.. if auth's username and From's user-part are not same, 403 will happen. |
|
Back to top |
|
ser11 Brekeke Newbie
Joined: 24 Jan 2012 Posts: 2
|
Posted: Mon Jan 30, 2012 12:35 am Post subject: |
|
|
As described in my first port - ecverything is configured OK.
The only twist we have here is that my client send authorization jeader on the first register message (the unchallenged message). From some reason the Brekeke sends 403 immediatelly, although exopected to send 401. |
|
Back to top |
|
taitan Brekeke Master Guru
Joined: 15 Mar 2008 Posts: 237
|
Posted: Mon Jan 30, 2012 10:05 am Post subject: |
|
|
What kind of SIP client products are you using?
I know some client products are not RFC compliant.
Also have you created a user in the [User Authentication] page? |
|
Back to top |
|
Jackpot Brekeke Junior Member
Joined: 30 Jan 2012 Posts: 9
|
Posted: Tue Jan 31, 2012 4:37 am Post subject: |
|
|
We are having a similar problem.
We have configured the server to have a realm value manually set in the user authentication and/or the domain.
We also turned off auth-From and To in both user authentication and domain.
When this is the case we get a 403 response.
The value of realm set in the fields above is the same as that as in the authorization header realm field of the initial register.
What is causing the 403 response?
sample of initial register below:
Session Initiation Protocol
Request-Line: REGISTER sip:CPname.com:5060 SIP/2.0
Message Header
From: <sip:+441234567890@CPname.com;user=phone>;tag=99daa8-a5cdb2a-13c4-50029-2c-2cdb9c84-2c
To: <sip:+441234567890@CPname.com;user=phone>
Call-ID: 9cc608-a5cdb2a-13c4-50029-2c-6da28c86-2c
CSeq: 1 REGISTER
Via: SIP/2.0/UDP 10.92.219.42:5060;rport;branch=z9hG4bK-2c-adc1-362d1b86
Max-Forwards: 70
Supported: replaces,100rel,timer,path
User-Agent:
Expires: 3600
Contact: <sip:+441234567890@10.92.219.42:5060;transport=UDP>
Authorization: Digest username="+441234567890@CPname.com",realm="CPname.com",nonce="",uri="sip:CPname.com",response=""
Content-Length: 0 |
|
Back to top |
|
taitan Brekeke Master Guru
Joined: 15 Mar 2008 Posts: 237
|
Posted: Tue Jan 31, 2012 10:47 am Post subject: |
|
|
What kind of SIP client are you using?
If you use another SIP client such as X-Lite, do you have the same problem? |
|
Back to top |
|
hope Brekeke Master Guru
Joined: 15 Jan 2008 Posts: 862
|
Posted: Tue Jan 31, 2012 11:00 am Post subject: |
|
|
Quote: |
Authorization: Digest username="+441234567890@CPname.com",realm="CPname.com",nonce="",uri="sip:CPname.com",response="" |
is the authentication user name "+441234567890@CPname.com" set at Brekeke? or it is +441234567890 |
|
Back to top |
|
Jackpot Brekeke Junior Member
Joined: 30 Jan 2012 Posts: 9
|
Posted: Wed Feb 01, 2012 4:27 am Post subject: |
|
|
Hope,
Thanks for your response. We have tried both variables in the user authentication field and get 403 in both cases |
|
Back to top |
|
davi Brekeke Addict
Joined: 26 Jan 2011 Posts: 34
|
Posted: Wed Feb 01, 2012 11:22 am Post subject: |
|
|
Why your "User-Agent" header is blank? |
|
Back to top |
|
Jackpot Brekeke Junior Member
Joined: 30 Jan 2012 Posts: 9
|
Posted: Thu Feb 02, 2012 2:52 am Post subject: |
|
|
Dave,
I deleted the header value from the example |
|
Back to top |
|
davi Brekeke Addict
Joined: 26 Jan 2011 Posts: 34
|
Posted: Thu Feb 02, 2012 10:36 am Post subject: |
|
|
Why your SIP UA sends REGISTER with Authorization header before the server returns 401?
Do you get the same problem if you use another SIP UA? |
|
Back to top |
|
Jackpot Brekeke Junior Member
Joined: 30 Jan 2012 Posts: 9
|
Posted: Thu Feb 02, 2012 12:11 pm Post subject: |
|
|
Davi,
According to 3GPP 24.229 Clause 5.1.1.2.1 the inital Register must contain an authorization header. This is how a UA specifies that does not want to register with a proxy |
|
Back to top |
|
davi Brekeke Addict
Joined: 26 Jan 2011 Posts: 34
|
Posted: Thu Feb 02, 2012 1:17 pm Post subject: |
|
|
Ask Brekeke's team. they may support 3GPP 24.229. |
|
Back to top |
|
james Brekeke Master Guru
Joined: 10 Dec 2007 Posts: 501
|
Posted: Thu Feb 02, 2012 2:12 pm Post subject: |
|
|
Try the DialPlan rule like a below.
Matching Patterns | $request = ^REGISTER Authorization = nonce=""
| Deploy Patterns | Authorization = $action = register
|
|
|
Back to top |
|
Jackpot Brekeke Junior Member
Joined: 30 Jan 2012 Posts: 9
|
Posted: Fri Feb 03, 2012 2:43 am Post subject: |
|
|
James.
Thanks Will do. However, I fail to see why this would prevent the Server from sending a 401 when we spcifiy the realm on the server. |
|
Back to top |
|
james Brekeke Master Guru
Joined: 10 Dec 2007 Posts: 501
|
Posted: Fri Feb 03, 2012 10:18 am Post subject: |
|
|
the reason of 403 in your case is empty "nonce" value. |
|
Back to top |
|
Jackpot Brekeke Junior Member
Joined: 30 Jan 2012 Posts: 9
|
Posted: Fri Feb 03, 2012 1:39 pm Post subject: |
|
|
James,
Are you certain? Do you work for Brekeke? Is this what the Server is looking for because if it is it does not comply with 3GPP 24.229.
According to 3GPP the nonce must be empty when sent in the initial REGISTER.
5.1.1.2.3 Initial registration using SIP digest without TLS
On sending a REGISTER request, as defined in subclause 5.1.1.2.1, the UE shall additionally populate the header fields
as follows:
a) an Authorization header field as defined in RFC 2617 [21], with:
- the "username" header field parameter, set to the value of the private user identity;
- the "realm" header field parameter, set to the domain name of the home network;
- the "uri" header field directive, set to the SIP URI of the domain name of the home network;
- the "nonce" header field parameter, set to an empty value; and
- the "response" header field parameter, set to an empty value;
b) the hostport parameter in the Contact header field with the port value of an unprotected port where the UE
expects to receive subsequent requests; and
c) the sent-by field in the Via header field with the port value of an unprotected port where the UE expects to
receive responses to the request. |
|
Back to top |
|
james Brekeke Master Guru
Joined: 10 Dec 2007 Posts: 501
|
Posted: Mon Feb 06, 2012 10:56 am Post subject: |
|
|
Im a Brekeke user.
Have you tried the DialPlan rule I suggested? |
|
Back to top |
|
Jackpot Brekeke Junior Member
Joined: 30 Jan 2012 Posts: 9
|
Posted: Tue Feb 07, 2012 2:53 am Post subject: |
|
|
James,
Yes we diid and as I suspected there was no change. |
|
Back to top |
|
james Brekeke Master Guru
Joined: 10 Dec 2007 Posts: 501
|
Posted: Tue Feb 07, 2012 3:01 pm Post subject: |
|
|
I got 401 if I use the DialPlan even if a REGISTER have an empty nonce. |
|
Back to top |
|
Jackpot Brekeke Junior Member
Joined: 30 Jan 2012 Posts: 9
|
Posted: Wed Feb 08, 2012 2:31 am Post subject: |
|
|
James, Thanks for your help. I have had email confirmation from the Brekeke Development team that they are non-compliant to 3GPP 24.229. |
|
Back to top |
|
james Brekeke Master Guru
Joined: 10 Dec 2007 Posts: 501
|
Posted: Wed Feb 08, 2012 11:12 am Post subject: |
|
|
using a plugin, the server can handle any SIP packets. |
|
Back to top |
|
james Brekeke Master Guru
Joined: 10 Dec 2007 Posts: 501
|
Posted: Wed Feb 08, 2012 1:35 pm Post subject: |
|
|
Jack, what's your purpose?
Do you just want to get 401 ?
How about the following dialplan rule?
Matching Patterns | $request = ^REGISTER
| Deploy Patterns | Authorization = $action = register
|
|
|
Back to top |
|
|