403 recieved on registration.

[ser11]

1. Brekeke Product Name and version: 2.4.8.6

2. Java version:

3. OS type and the version: Win 2000/XP

4. UA (phone), gateway or other hardware/software involved:

5. Select your network pattern from http://www.brekeke-sip.com/bbs/network/ ... terns.html :

6. Your problem:

Sending first Registartion message with authontication header.
The header contains User name,realm and URI.
The same realm is configured at the BSS as well.

When Register message is sent to the BSS, it recives 403 Forbidden instead of 401.

Please advise

Thx

[james]

403 will happen if a realm or/and username are not correct.

Ae you sure you set correct realm and username in Proxy-Authorization or Authorization header?

Also.. if auth's username and From's user-part are not same, 403 will happen.

[ser11]

As described in my first port - ecverything is configured OK.
The only twist we have here is that my client send authorization jeader on the first register message (the unchallenged message). From some reason the Brekeke sends 403 immediatelly, although exopected to send 401.

[taitan]

What kind of SIP client products are you using?
I know some client products are not RFC compliant.

Also have you created a user in the [User Authentication] page?

[Jackpot]

We are having a similar problem.

We have configured the server to have a realm value manually set in the user authentication and/or the domain.

We also turned off auth-From and To in both user authentication and domain.

When this is the case we get a 403 response.

The value of realm set in the fields above is the same as that as in the authorization header realm field of the initial register.

What is causing the 403 response?

sample of initial register below:


Session Initiation Protocol
Request-Line: REGISTER sip:CPname.com:5060 SIP/2.0
Message Header
From: <sip:+441234567890@CPname.com;user=phone>;tag=99daa8-a5cdb2a-13c4-50029-2c-2cdb9c84-2c
To: <sip:+441234567890@CPname.com;user=phone>
Call-ID: 9cc608-a5cdb2a-13c4-50029-2c-6da28c86-2c
CSeq: 1 REGISTER
Via: SIP/2.0/UDP 10.92.219.42:5060;rport;branch=z9hG4bK-2c-adc1-362d1b86
Max-Forwards: 70
Supported: replaces,100rel,timer,path
User-Agent:
Expires: 3600
Contact: <sip:+441234567890@10.92.219.42:5060;transport=UDP>
Authorization: Digest username="+441234567890@CPname.com",realm="CPname.com",nonce="",uri="sip:CPname.com",response=""
Content-Length: 0

[taitan]

What kind of SIP client are you using?

If you use another SIP client such as X-Lite, do you have the same problem?

[hope]

Authorization: Digest username="+441234567890@CPname.com",realm="CPname.com",nonce="",uri="sip:CPname.com",response=""

is the authentication user name "+441234567890@CPname.com" set at Brekeke? or it is +441234567890

[Jackpot]

Hope,

Thanks for your response. We have tried both variables in the user authentication field and get 403 in both cases

[davi]

Why your "User-Agent" header is blank?

[Jackpot]

Dave,

I deleted the header value from the example

[davi]

Why your SIP UA sends REGISTER with Authorization header before the server returns 401?

Do you get the same problem if you use another SIP UA?

[Jackpot]

Davi,

According to 3GPP 24.229 Clause 5.1.1.2.1 the inital Register must contain an authorization header. This is how a UA specifies that does not want to register with a proxy

[davi]

Ask Brekeke's team. they may support 3GPP 24.229.

[james]

Try the DialPlan rule like a below.

----------------------
[Matching Patterns]
$request = ^REGISTER
Authorization = nonce=""

[Deploy Patterns]
Authorization =
$action = register
----------------------

[Jackpot]

James.

Thanks Will do. However, I fail to see why this would prevent the Server from sending a 401 when we spcifiy the realm on the server.

[james]

the reason of 403 in your case is empty "nonce" value.

[Jackpot]

James,

Are you certain? Do you work for Brekeke? Is this what the Server is looking for because if it is it does not comply with 3GPP 24.229.

According to 3GPP the nonce must be empty when sent in the initial REGISTER.

5.1.1.2.3 Initial registration using SIP digest without TLS

On sending a REGISTER request, as defined in subclause 5.1.1.2.1, the UE shall additionally populate the header fields
as follows:

a) an Authorization header field as defined in RFC 2617 [21], with:
- the "username" header field parameter, set to the value of the private user identity;

- the "realm" header field parameter, set to the domain name of the home network;
- the "uri" header field directive, set to the SIP URI of the domain name of the home network;
- the "nonce" header field parameter, set to an empty value; and
- the "response" header field parameter, set to an empty value;

b) the hostport parameter in the Contact header field with the port value of an unprotected port where the UE
expects to receive subsequent requests; and

c) the sent-by field in the Via header field with the port value of an unprotected port where the UE expects to
receive responses to the request.

[james]

Im a Brekeke user.

Have you tried the DialPlan rule I suggested?

[Jackpot]

James,

Yes we diid and as I suspected there was no change.

[james]

I got 401 if I use the DialPlan even if a REGISTER have an empty nonce.

[Jackpot]

James, Thanks for your help. I have had email confirmation from the Brekeke Development team that they are non-compliant to 3GPP 24.229.

[james]

using a plugin, the server can handle any SIP packets.

[james]

Jack, what's your purpose?

Do you just want to get 401 ?
How about the following dialplan rule?
----------------------
[Matching Patterns]
$request = ^REGISTER

[Deploy Patterns]
Authorization =
$action = register
----------------------