Apache 2.4 "..authentication failure..:Password Mismatch"
Asked Answered
V

4

12

I am running Apache 2.4 in Windows Server 2008 R2. I am attempting to password protect a subdirectory and successfully did so in Apache 2.0. After upgrading I took Apache's advice and am attempting to put the authentication config in httpd.config. I am allowing the reading of the password file and everything appears to be in order, but when I test it I get the following error:

[Mon Apr 01 19:58:36.438476 2013] [auth_basic:error] [pid 3984:tid 788] [client xxx.yyy.254.2:49253] AH01617: user master: authentication failure for "/restricted/file.zip": Password Mismatch

However, I know that I am sending the correct password. See below for my config, any comments are helpful.

<Directory "C:/www/mydir/restricted">
    #AllowOverride AuthConfig
    #Order allow,deny
    #Allow from all
    AuthType Basic
    AuthName Restricted
    AuthUserFile "C:/www/mydir/passwords/pass"
    Require valid-user
</Directory>  
<Directory "C:/www/mydir">
    Require all granted
</Directory>  
<VirtualHost *:80>
    ServerAdmin [email protected]
    DocumentRoot "C:/www/mydir"
    ServerName "fakeurl.com"
    ErrorLog "C:/www/mydir/logs/error.log"
    CustomLog "C:/www/mydir/logs/accesslog/access.log" common
</VirtualHost>  
<VirtualHost *:80>
    ServerAdmin [email protected]
    DocumentRoot "C:/www/mydir"
    ServerName "www.fakeurl.com"
    ErrorLog "C:/www/mydir/logs/error.log"
    CustomLog "C:/www/mydir/logs/accesslog/access.log" common
</VirtualHost>
Venerate answered 1/4, 2013 at 20:26 Comment(0)
A
26

I just had the same issue, was driving me nuts for the last hour. I can confirm that Steve's suggestion to enter the password in the command line works - so in my case "htpasswd -b passwordfile user password" did the trick.

Here is the relevant bug report at Apache.

Agape answered 4/4, 2013 at 1:4 Comment(2)
Instead of duplicating an answer, it would have been better to simply vote or comment on Steve's.Ark
@NickM I agree, a comment would have been more appropriate. Unfortunately I didn't have enough credit at the time to comment in StackOverflow and felt it would be good to add the actual command that worked for me and a link to the bug report.Agape
V
22

Did you create your password with 'htpasswd'?

htpasswd in httpd-2.4.4 is broken (https://issues.apache.org/bugzilla/show_bug.cgi?id=54735).

As I understand it, the problem is specific to htpasswd in httpd-2.4.4, and only occurs if you enter the password manually, so you can work around the issue by doing one of:

  • supply the password on the command line (e.g. "htpasswd -b .htpasswd user password");
  • use the version of htpasswd out of httpd-2.4.3;
  • use Digest Authentication instead of Basic Authentication (htdigest isn't affected);
  • wait until httpd-2.4.5 is released;
  • apply the patch in the bug report (which seems to work) and rebuild htpasswd from source.
Vaunt answered 3/4, 2013 at 20:45 Comment(2)
Thanks - this was driving me nuts for an hour. Simple regressions like this in such a mature application are just inexcusable. :-(Legrand
It took me so long to think about googling this as a possible issue as my thoughts were the same as @AndyLeeRobinson that "Simple regressions like this in such a mature application are just inexcusable"Ark
B
0

If you are using Shibboleth, there is a conflict between mod_shib and basic authentication. You can solve it by using the following Apache directive:

ShibCompatValidUser On

For details, see Shibboleth on Apache 2.4 Using Mixed Authentication Methods

Barber answered 13/1, 2020 at 16:23 Comment(0)
C
0

I have got same situation on Apache/2.4.6 (CentOS)

None of above solved the problem Path to htpasswd is correct from $_SERVER['DOCUMENT_ROOT'];

OK maybe some will find it helpfull, I have solved by: htpasswd -nb username newpassw > <path-to>/htpasswd

btw in Apache 2.4.6 on CentOS 7 problem still exists

Confederate answered 3/2, 2023 at 10:9 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.