Hi Josep,
When a request is challenged with 407 (containing proxy-authenticate header), the request should be re-submitted with proxy-authorization header. Please refer the following section is RFC-3261: 22.3 Proxy-to-User Authentication Similarly, when a UAC sends a request to a proxy server, the proxy server MAY authenticate the originator before the request is processed. If no credentials (in the Proxy-Authorization header field) are provided in the request, the proxy can challenge the originator to provide credentials by rejecting the request with a 407 (Proxy Authentication Required) status code. The proxy MUST populate the 407 (Proxy Authentication Required) message with a Proxy- Authenticate header field value applicable to the proxy for the requested resource. The use of Proxy-Authenticate and Proxy-Authorization parallel that described in [17], with one difference. Proxies MUST NOT add values to the Proxy-Authorization header field. All 407 (Proxy Authentication Required) responses MUST be forwarded upstream toward the UAC following the procedures for any other response. It is the UAC's responsibility to add the Proxy-Authorization header field value containing credentials for the realm of the proxy that has asked for authentication. If a proxy were to resubmit a request adding a Proxy-Authorization header field value, it would need to increment the CSeq in the new request. However, this would cause the UAC that submitted the original request to discard a response from the UAS, as the CSeq value would be different. In your scenario, proxy-authorization header in INVITE request should be sent after challenge with 407 response. Thanks, Alok Tiwari Aricent -----Original Message----- From: sip-implementors-boun...@lists.cs.columbia.edu [mailto:sip-implementors-boun...@lists.cs.columbia.edu] On Behalf Of Josep Benavent Sent: Thursday, January 14, 2010 4:44 PM To: sip-implementors@lists.cs.columbia.edu Subject: [Sip-implementors] 407 Authentication failure Hello, I'm developing a UA using JAIN-SIP that connect to Asterisk server and I can't complete an INVITE process correctly. The dialogue I implemented is: 1. Send register 2. Received a trying and a 401 Unauthorized 3. I send a register again with the authorization header (with the nonce and the response fields ) 4. Received a TRYING and a 200 OK messages. At this point, I received some UDP packets from the SER continuously (I suppose I had registered correctly). Now, I send and INVITE message (without authorization header) and I receive a 407 Authentication failure message. I send an ACK and again an INVITE message now, with authorization header (response) and using the nonce I received in the last 407 message, but I always receive again 407 message as response from the server. I detail the authorization headers following: *Authorization header in 407 message:* Proxy-Authenticate: Digest realm="i2cat.net", nonce="4b4ef99f88dede8c57be94d4c63464f9d268fbc5" *Authorization header in INVITE message:* Authorization: Digest username="josep.benavent",realm="i2cat.net ",nonce="4b4ef99f88dede8c57be94d4c63464f9d268fbc5",uri=" sip:xavier.ca...@i2cat.net <sip%3axavier.ca...@i2cat.net> ",response="d6b6a75c32bc237984f03ffb26d9d745",algorithm=MD5 (I incremented de CSeq number correctly with each INVITE message). OK, I suppose my error is in the function that creates the response with a nonce value in the INVITE message, I detail following: MessageDigestAlgorithm digest = new MessageDigestAlgorithm(); String responseCode = digest.calculateResponse("MD5", this.user, response.getRealm(), this.pwd, response.getNonce(), null, null, Request.INVITE,uri.toString(), null, null); (Variables values are that you can see in the Authorization header in INVITE message detail). Does any body know what are the values I need to create a correct responseCode? I also tried to include a Cnonce value in the digest.calculateResponse function with any result. Any idea will be welcome. Thank you for your attention, Josep Benavent _______________________________________________ Sip-implementors mailing list Sip-implementors@lists.cs.columbia.edu https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors ________________________________ "DISCLAIMER: This message is proprietary to Aricent and is intended solely for the use of the individual to whom it is addressed. It may contain privileged or confidential information and should not be circulated or used for any purpose other than for what it is intended. If you have received this message in error, please notify the originator immediately. If you are not the intended recipient, you are notified that you are strictly prohibited from using, copying, altering, or disclosing the contents of this message. Aricent accepts no responsibility for loss or damage arising from the use of the information transmitted by this email including damage from virus." _______________________________________________ Sip-implementors mailing list Sip-implementors@lists.cs.columbia.edu https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors