ONVIF: Authentication failure with AXIS P3301 using ONVIF protocol
After the first user was created (in my case with user name "root" and password "root"), the AXIS P3301 (firmware 5.11.2) returns a NotAuthorized SOAP fault for any ONVIF request:

<SOAP-ENV:Fault 
    SOAP-ENV:encodingStyle="http://www.w3.org/2003/05/soap-encoding"
    xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope">
    <SOAP-ENV:Code>
        <SOAP-ENV:Value>SOAP-ENV:Sender</SOAP-ENV:Value>
        <SOAP-ENV:Subcode>
            <SOAP-ENV:Value>ter:NotAuthorized</SOAP-ENV:Value>
        </SOAP-ENV:Subcode>
    </SOAP-ENV:Code>
    <SOAP-ENV:Reason>
        <SOAP-ENV:Text xml:lang="en">Sender not authorized</SOAP-ENV:Text>
    </SOAP-ENV:Reason>
    <SOAP-ENV:Detail>
        The action requested requires authorization and the sender is not authorized
    </SOAP-ENV:Detail>
</SOAP-ENV:Fault>

According to ONVIF specification 1.02, I use the Username Token Profile for authentication, which is described in the specification http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf.

Below is the script that I use to form the SOAP request:

xquery version "1.0";
declare copy-namespaces no-preserve, inherit;
<s:Envelope 
    xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
    xmlns:s="http://www.w3.org/2003/05/soap-envelope">

    <s:Header>
        <o:Security
            s:mustUnderstand="true"
            xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">

            <o:UsernameToken u:Id="UsernameToken-3ae8d972-d014-47b0-858b-2364f6119763">
                <o:Username>{model/userName/text()}</o:Username>
                <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">
                    {model/passwordDigest/text()}
                </o:Password>
                <o:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
                    {model/nonce/text()}
                </o:Nonce>
                <u:Created>{model/created/text()}</u:Created>
            </o:UsernameToken>

        </o:Security>
    </s:Header>

    <s:Body>
        <tds:GetDeviceInformation xmlns:tds="http://www.onvif.org/ver10/device/wsdl" />
    </s:Body>

</s:Envelope>

Here is my code for sending the request:

using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Xml;

// Helper extensions used below (Concat/ToUtf8/ToBase64 do not exist in the BCL with these shapes).
static class ByteExtensions {
    public static byte[] Concat(this byte[][] parts) { return parts.SelectMany(p => p).ToArray(); }
    public static byte[] ToUtf8(this string s) { return Encoding.UTF8.GetBytes(s); }
    public static string ToBase64(this byte[] b) { return Convert.ToBase64String(b); }
}

// PasswordDigest = Base64(SHA1(nonce + created + password)); the order of the parts matters.
static byte[] sha1(params byte[][] parts) {
    var data = parts.Concat();
    using (var hasher = SHA1.Create()) {
        return hasher.ComputeHash(data);
    }
}

static string userName = "root";
static string password = "root";

static void Main(string[] args) {
    Init();
    var uri = @"http://192.168.5.71/onvif/services";
    // Fixed nonce for this test; a real client sends a fresh random nonce with every request.
    var nonce = new byte[] {1,2,3,4};
    // wsu:Created must be UTC on a 24-hour clock: "HH", not "hh" (12-hour), otherwise afternoon
    // timestamps are 12 hours off and land outside the device's replay-protection window.
    var created = DateTime.UtcNow.ToString("yyyy-MM-ddTHH:mm:ss.fffZ");
    try {
        var body = SendSoapRequest(uri, "GetDeviceInformation.xq", new {
            userName = userName,
            passwordDigest = sha1(
                nonce,
                created.ToUtf8(),
                password.ToUtf8()
            ).ToBase64(),
            nonce = nonce.ToBase64(),
            created = created,
        });

        using (var _w = new XmlTextWriter(Console.Out)) {
            _w.Formatting = Formatting.Indented;
            body.WriteTo(_w);
        }
    } catch (SoapFaultException err) {
        // The device answered with a SOAP fault (here ter:NotAuthorized); print it.
        var fault = err.fault;
        using (var _w = new XmlTextWriter(Console.Out)) {
            _w.Formatting = Formatting.Indented;
            fault.WriteTo(_w);
        }
    }
}

Wireshark log of the request:

<s:Envelope 
    xmlns:s="http://www.w3.org/2003/05/soap-envelope" 
    xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
        <o:Security 
            xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
            s:mustUnderstand="true">
            <o:UsernameToken u:Id="UsernameToken-3ae8d972-d014-47b0-858b-2364f6119763">
                <o:Username>root</o:Username>
                <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">MQ52wETdmCuGHmCsYED3FGrQ0UE=</o:Password>
                <o:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">AQIDBA==</o:Nonce>
                <u:Created>2011-03-03T12:23:28.499Z</u:Created>
            </o:UsernameToken>
        </o:Security>
    </s:Header>
    <s:Body>
        <tds:GetDeviceInformation xmlns:tds="http://www.onvif.org/ver10/device/wsdl" />
    </s:Body>
</s:Envelope>

Wireshark log of the response:

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope 
    xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope" 
    xmlns:SOAP-ENC="http://www.w3.org/2003/05/soap-encoding" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
    xmlns:c14n="http://www.w3.org/2001/10/xml-exc-c14n#" 
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
    xmlns:wsa5="http://www.w3.org/2005/08/addressing" 
    xmlns:xmime5="http://www.w3.org/2005/05/xmlmime" 
    xmlns:wsrf-bf="http://docs.oasis-open.org/wsrf/bf-2" 
    xmlns:wstop="http://docs.oasis-open.org/wsn/t-1" 
    xmlns:tt="http://www.onvif.org/ver10/schema" 
    xmlns:wsrf-r="http://docs.oasis-open.org/wsrf/r-2" 
    xmlns:tan1="http://www.onvif.org/ver10/analytics/wsdl/RuleEngineBinding" 
    xmlns:tan="http://www.onvif.org/ver10/analytics/wsdl" 
    xmlns:tan2="http://www.onvif.org/ver10/analytics/wsdl/AnalyticsEngineBinding" 
    xmlns:tds="http://www.onvif.org/ver10/device/wsdl" 
    xmlns:tev1="http://www.onvif.org/ver10/events/wsdl/NotificationProducerBinding" 
    xmlns:tev2="http://www.onvif.org/ver10/events/wsdl/EventBinding" 
    xmlns:tev3="http://www.onvif.org/ver10/events/wsdl/SubscriptionManagerBinding" 
    xmlns:wsnt="http://docs.oasis-open.org/wsn/b-2" 
    xmlns:tev4="http://www.onvif.org/ver10/events/wsdl/PullPointSubscriptionBinding" 
    xmlns:tev="http://www.onvif.org/ver10/events/wsdl" 
    xmlns:timg="http://www.onvif.org/ver10/imaging/wsdl" 
    xmlns:tptz="http://www.onvif.org/ver10/ptz/wsdl" 
    xmlns:trt="http://www.onvif.org/ver10/media/wsdl" 
    xmlns:ter="http://www.onvif.org/ver10/error" 
    xmlns:tns1="http://www.onvif.org/ver10/topics" 
    xmlns:tnsaxis="http://www.axis.com/2009/event/topics">

    <SOAP-ENV:Header></SOAP-ENV:Header>
    <SOAP-ENV:Body>
        <SOAP-ENV:Fault SOAP-ENV:encodingStyle="http://www.w3.org/2003/05/soap-encoding">
            <SOAP-ENV:Code>
                <SOAP-ENV:Value>SOAP-ENV:Sender</SOAP-ENV:Value>
                <SOAP-ENV:Subcode>
                    <SOAP-ENV:Value>ter:NotAuthorized</SOAP-ENV:Value>
                </SOAP-ENV:Subcode>
            </SOAP-ENV:Code>
            <SOAP-ENV:Reason>
                <SOAP-ENV:Text xml:lang="en">Sender not authorized</SOAP-ENV:Text>
            </SOAP-ENV:Reason>
            <SOAP-ENV:Detail>The action requested requires authorization and the sender is not authorized</SOAP-ENV:Detail>
        </SOAP-ENV:Fault>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Where was I wrong? (With a Bosch VIP X1 XF IVA it works.)

Schug answered 3/3, 2011 at 11:36 Comment(6)
After a long discussion with the guys from AXIS, they confirmed that it's a bug. As they clarified, this incorrect behavior is influenced by wrong timestamp synchronization. This type of synchronization is needed for replay attack protection. This requires that the device and client have synchronized time. ONVIF does not specify the allowed time difference, but Axis uses 5 seconds by default. But it does not work well in version 5.11.2. They asserted that it will be fixed in the next firmware version, 5.20, which should be available in the next few days.Schug
Also, in version 5.20 it will be possible to disable replay-attack protection in Axis devices. This can be done using the web interface: (Setup > System Options > Advanced > Plain Config > Webservice > "Enable replay attack protection")Schug
andrey.ko -- could you please provide me with some contact details where I can reach you for some follow-ups?Cotoneaster
The ONVIF Application Programmers Guide (v1.0, May 2011, section 5.1.3) suggests that the time window be 5 seconds, and also says that GetSystemDateAndTime should not require authentication. That way you can verify you have a valid XAddr and find out if there are time sync issues. Section 6.1.2 suggests synchronizing time before adding the first admin user. (: assuming it is not too late. :)Sibella
@Schug thank you very much, you saved me hours of research!Prorate
I just had the exact same issue with a very recent firmware (8.40.3.1); the solution pointed out by @Schug helped me!Prorate
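The digest construction the question describes (Username Token Profile, PasswordDigest) together with the device-side behaviour explained in the comments (a Created timestamp outside a 5 second replay window is rejected before the password is even checked, and GetSystemDateAndTime can be called without credentials to measure clock skew first), as an added example in Python. This is not code from the original thread or from Axis; the GetSystemDateAndTimeResponse below is constructed, while the client clock and nonce are the values from the Wireshark capture in the question, so the digest this produces can be compared with the one in the capture.

```python
"""Added example: WS-Security UsernameToken (PasswordDigest) as the ONVIF client builds it,
plus the replay-window and digest checks a device such as the Axis camera applies, and a
clock-skew probe based on the unauthenticated GetSystemDateAndTime call."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

TT = "http://www.onvif.org/ver10/schema"
TDS = "http://www.onvif.org/ver10/device/wsdl"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"


def format_created(dt):
    """wsu:Created as the camera expects it: UTC, 24-hour clock, milliseconds, trailing Z."""
    utc = dt.astimezone(timezone.utc)
    return utc.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (utc.microsecond // 1000)


def password_digest(nonce, created, password):
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), per the UsernameToken profile."""
    raw = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def make_token(username, password, nonce=None, now=None):
    """Client side. A real client sends a fresh random nonce on every request."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = format_created(now or datetime.now(timezone.utc))
    return {"username": username, "nonce": base64.b64encode(nonce).decode("ascii"),
            "created": created, "digest": password_digest(nonce, created, password)}


def security_header(token):
    """Serialise the token as the wsse:Security header block seen in the capture."""
    ET.register_namespace("wsse", WSSE)
    ET.register_namespace("wsu", WSU)
    sec = ET.Element("{%s}Security" % WSSE)
    ut = ET.SubElement(sec, "{%s}UsernameToken" % WSSE)
    ET.SubElement(ut, "{%s}Username" % WSSE).text = token["username"]
    ET.SubElement(ut, "{%s}Password" % WSSE, Type=DIGEST_TYPE).text = token["digest"]
    ET.SubElement(ut, "{%s}Nonce" % WSSE, EncodingType=B64_TYPE).text = token["nonce"]
    ET.SubElement(ut, "{%s}Created" % WSU).text = token["created"]
    return ET.tostring(sec, encoding="unicode")


def verify_token(token, password, device_now, window=timedelta(seconds=5)):
    """Device side: replay window first, then the digest. Returns (ok, reason)."""
    created = datetime.strptime(token["created"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    if abs(device_now - created) > window:
        return False, "Created is %.3f s from device time; outside the %d s window" % (
            (device_now - created).total_seconds(), window.total_seconds())
    nonce = base64.b64decode(token["nonce"])
    expected = password_digest(nonce, token["created"], password)
    if not hmac.compare_digest(expected, token["digest"]):
        return False, "digest mismatch"
    return True, "ok"


def device_utc_from_response(xml_text):
    """Read tt:UTCDateTime from a GetSystemDateAndTimeResponse (callable without credentials)."""
    ns = {"tt": TT}
    utc = ET.fromstring(xml_text).find(".//tt:UTCDateTime", ns)
    f = lambda p: int(utc.find(p, ns).text)
    return datetime(f("tt:Date/tt:Year"), f("tt:Date/tt:Month"), f("tt:Date/tt:Day"),
                    f("tt:Time/tt:Hour"), f("tt:Time/tt:Minute"), f("tt:Time/tt:Second"),
                    tzinfo=timezone.utc)


# Constructed response (not a capture): a camera whose clock runs about 13 s ahead of the client.
SAMPLE_RESPONSE = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
  xmlns:tds="%s" xmlns:tt="%s"><s:Body>
  <tds:GetSystemDateAndTimeResponse><tds:SystemDateAndTime>
    <tt:DateTimeType>Manual</tt:DateTimeType><tt:DaylightSavings>false</tt:DaylightSavings>
    <tt:UTCDateTime>
      <tt:Time><tt:Hour>12</tt:Hour><tt:Minute>23</tt:Minute><tt:Second>41</tt:Second></tt:Time>
      <tt:Date><tt:Year>2011</tt:Year><tt:Month>3</tt:Month><tt:Day>3</tt:Day></tt:Date>
    </tt:UTCDateTime>
  </tds:SystemDateAndTime></tds:GetSystemDateAndTimeResponse>
</s:Body></s:Envelope>""" % (TDS, TT)

# Client clock taken from the Created value in the question's Wireshark capture.
CLIENT_NOW = datetime(2011, 3, 3, 12, 23, 28, 499000, tzinfo=timezone.utc)


def clock_skew_seconds(response_xml=SAMPLE_RESPONSE, client_now=CLIENT_NOW):
    """Positive when the device is ahead of the client; check this before the first login."""
    return (device_utc_from_response(response_xml) - client_now).total_seconds()


if __name__ == "__main__":
    tok = make_token("root", "root", nonce=bytes([1, 2, 3, 4]), now=CLIENT_NOW)
    print(security_header(tok))
    print("skew (s):", clock_skew_seconds())
    print("device clock ahead:", verify_token(tok, "root", device_utc_from_response(SAMPLE_RESPONSE)))
    print("clocks in sync    :", verify_token(tok, "root", CLIENT_NOW + timedelta(seconds=2)))
```

With the constructed response the skew is about 12.5 s, so a token with a correct digest is still rejected; once the same token is checked against a clock within the window it verifies. Running the skew probe before creating the first user, as the comment on the Application Programmers Guide suggests, separates a time problem from a credential problem.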

I don't see where you specify the "tds" namespace (which should be "http://www.onvif.org/ver10/device/wsdl") in your SOAP envelope. I had the same problem: a typo in my request, and my camera answered with "HTTP 401 not authorized".

Centro answered 24/1, 2014 at 19:42 Comment(0)

It seems your camera supports WSS UsernameToken authentication, but you have specified the wrong username/password. I had the same issue with an AXIS P3905. The right credentials solved my problem.

Franklin answered 7/2, 2021 at 17:47 Comment(0)
