THttpCli and HTTP 1.1 401 Unauthorized

[Mark- 29]

Hello,

 

Delphi 10.2.3, ICS 8.62

 

I am reading the settings from an Axis video camera. The payload is XML.

 

Example URI: root:admin@192.168.8.218:80/onvif/device_service

 

The issue, I form up the message, use PostAsync, the data comes back and all is good.

 

I view the process via Wireshark, I see the “Post” and the reply is “HTTP 1.1 401 Unauthorized” and the reply includes:

[truncated]Authorization: Digest username="root",realm="AXIS_WS_ACCC8EE4F05C",nonce="sgpPo3OzBQA=f77c1448ee4c9dfe2a268b430a4f4ee824f78950",uri="/onvif/device_service",response="909198f352f89203fe5701378e615379",qop=auth,nc=00000001,cnonc

 

Different values each time, same fields.

 

THttpCli sends the post again, including the above information, and the camera returns the data.

 

I have tried many things. Changing the “serverAuth”, no difference.

 

Another program, I view the stream and it does not have the same cycle.

 

I must be missing something. Ideas?

 

Thanks,

 

Mark

Edited November 6, 2020 by Mark-

[Angus Robertson 574]

You should not need to use tools like Wireshark to debug your application, you should add logging into your applications using the onCommand event for data sent and onHeaderData for responses received, this is illustrated in various samples. 

 

Or use the THttpRest component instead which already has this logging.  You should try your URL in the OverbyteIcsHttpRestTst sample and see what happens.

 

Long time since I look at basic authentication which is what you are using, but setting ServerAuth to httpAuthBasic should send the Authorization: Basic xxx header with the initial request, which you can check with your logging.

 

Angus

 

[Mark- 29]

Hello,

 

Thanks for the response.

I had all kinds of logging enabled and I could not see the issue. Wireshark is a good tool for seeing outside the program.

 

> setting ServerAuth to httpAuthBasic

 

I get a 401 error.

 

I guess I will return to logging.

 

Mark

 

Edited November 6, 2020 by Mark-

[Mark- 29]

Hello,

 

> use the THttpRest component

 

The TSslHTTPRest?

 

Altering the URL to remove the username and password made no difference.

 

I added an ICS logger and selected each of the ServerAuth options and all produced the same result. Other than causing a complete failure no change has altered the cycle.

 

Attached is the log file.

 

Cheers,

 

Mark

 

 

logFileICS.txt

[Angus Robertson 574]

Quote

Authorization: Digest username="root",realm="AXIS_WS_ACCC8EE4F05C",

The component is auto selecting httpAuthDigest for which it requires the challenge sent in the 401 response, the component does not have any way of storing the relaam, nonce and other stuff. 

 

Not sure if the same Authorization: header can be used more than once for subsequent requests, never used Digest myself. 

 

You'll need to check Wireshark on the other application to find out where it finds realm, etc, or if it uses a different authentication mechanism.

 

Angus

 

[Mark- 29]

Thanks for the response.

 

> The component is auto selecting httpAuthDigest

 

Yeah and when I select Digest, same 401 result.

 

> Not sure if the same Authorization: header can be used more than once for subsequent requests, never used Digest myself.  

 

Ditto,

 

> You'll need to check Wireshark on the other application to find out where it finds realm, etc, or if it uses a different authentication mechanism.

 

Yeah, my searching found nothing. I suspect I need to check again.

[Angus Robertson 574]

The 401 response is expected for Digest and NTLM, there is a challenge returned, you can never avoid it.  The only issue is if you only need to accept it once.

 

Angus

 

[Mark- 29]

Interesting, thanks.

More dissection planned.

[Mark- 29]

Thanks for the help Angus.

To close this issue.

The issue was the time difference between the camera and the PC. The camera rejects the message if the time difference is greater than about 5 seconds. Solution is to read the time in the camera and adjust the transmitted time stamp. Reading the camera time does not require authentication.

 

If the message sent to the camera contains a certain namespace reference, the camera will switch to attempt a digest authentication after the first failed, ONVIF authentication. While ICS handled the "digest" authentication, flawlessly, the double process was not workable for the design goals.

 

Cheers,

 

Mark