Error 401 when using DAVDroid (1.11.5-ose) with Nextcloud (13.0.5) and 2FA #10404

Closed
wildy opened this issue Jul 26, 2018 · 9 comments
Labels: 1. to develop (Accepted and waiting to be taken care of), bug, feature: dav

wildy commented Jul 26, 2018

Steps to reproduce

  1. Install DAVDroid
  2. Enable 2FA in Nextcloud
  3. Generate Application password from within Nextcloud
  4. Configure DAVDroid with the url https://{{ host }}/remote.php/dav
  5. Use Application password in DAVDroid

Expected behaviour

DAVDroid synchronizes contacts and calendar successfully

Actual behaviour

DAVDroid hangs for a while with the 'Discovering configuration' message; I can see the following messages in the apache log:
10.38.0.2 - {{ login }} [26/Jul/2018:15:12:37 +0300] "PROPFIND /remote.php/dav HTTP/1.1" 401 299 "-" "DAVdroid/1.11.5-ose (2018/07/01; dav4android; okhttp/3.10.0) Android/7.0"

I used Wireshark to dump the (plain-text) traffic between my nginx proxy and the NC apache web server and see this:

PROPFIND /remote.php/dav HTTP/1.1
Host: {{ host }}
X-Forwarded-For: {{ client_IP }}
X-Forwarded-Proto: https
X-Real-IP: {{ client_IP }}
Connection: close
Content-Length: 290
Depth: 0
Content-Type: application/xml; charset=utf-8
Accept-Encoding: gzip
User-Agent: DAVdroid/1.12-beta3-ose (2018/07/25; dav4android; okhttp/3.11.0) Android/7.0
Accept-Language: ru-RU, ru;q=0.7, *;q=0.5
Authorization: Basic {{ HTTP_basic_auth }}

<?xml version='1.0' encoding='UTF-8' ?><propfind xmlns="DAV:" xmlns:CAL="urn:ietf:params:xml:ns:caldav" xmlns:CARD="urn:ietf:params:xml:ns:carddav"><prop><resourcetype /><displayname /><CARD:addressbook-description /><CARD:addressbook-home-set /><current-user-principal /></prop></propfind>HTTP/1.1 401 Unauthorized
Date: Thu, 26 Jul 2018 11:55:45 GMT
Server: Apache/2.4.25 (Debian)
X-Powered-By: PHP/7.1.20
Set-Cookie: {{ cookie }}; path=/; secure; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase={{ cookie2 }}; path=/; secure; HttpOnly
Content-Security-Policy: default-src 'none';
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
Content-Length: 299
Connection: close
Content-Type: application/xml; charset=utf-8

<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:o="http://owncloud.org/ns">
  <s:exception>OCA\DAV\Connector\Sabre\Exception\PasswordLoginForbidden</s:exception>
  <s:message/>
  <o:hint xmlns:o="o:">password login forbidden</o:hint>
</d:error>

This should indicate that the login was attempted with a standard password, but I used an application password with DAVDroid.

Server configuration

Operating system: Debian stretch, nextcloud 13.0.5 installed via latest docker image

Web server: Apache/2.4.25 (Debian) on nextcloud container; nginx/1.10.3 on proxy host

Database: 10.3.8-MariaDB

PHP version: 7.1.20

Nextcloud version: 13.0.5

Updated from an older Nextcloud/ownCloud or fresh install:

Where did you install Nextcloud from:

Signing status:

No errors have been found.

List of activated apps:

Enabled:

  • activity: 2.6.1
  • calendar: 1.6.1
  • checksum: 0.4.0
  • circles: 0.14.0
  • comments: 1.3.0
  • contacts: 2.1.5
  • dashboard: 5.0.0
  • dav: 1.4.7
  • drawio: 0.8.9
  • federatedfilesharing: 1.3.1
  • federation: 1.3.0
  • files: 1.8.0
  • files_accesscontrol: 1.3.0
  • files_pdfviewer: 1.2.1
  • files_sharing: 1.5.0
  • files_texteditor: 2.5.1
  • files_trashbin: 1.3.0
  • files_versions: 1.6.0
  • files_videoplayer: 1.2.0
  • firstrunwizard: 2.2.1
  • gallery: 18.0.0
  • gpxpod: 2.2.2
  • groupfolders: 1.2.2
  • logreader: 2.0.0
  • lookup_server_connector: 1.1.0
  • metadata: 0.6.0
  • nextcloud_announcements: 1.2.0
  • notifications: 2.1.2
  • oauth2: 1.1.1
  • password_policy: 1.3.0
  • provisioning_api: 1.3.0
  • serverinfo: 1.3.0
  • sharebymail: 1.3.0
  • spreed: 3.2.5
  • survey_client: 1.1.0
  • systemtags: 1.3.0
  • tasks: 0.9.6
  • theming: 1.4.5
  • twofactor_backupcodes: 1.2.3
  • twofactor_totp: 1.4.1
  • twofactor_u2f: 1.5.5
  • twofactor_yubikey: 0.3.0
  • updatenotification: 1.3.0
  • weather: 1.5.1
  • workflowengine: 1.3.0
  • zenodo: 0.9.4

Disabled:

  • admin_audit
  • encryption
  • files_external
  • user_external
  • user_ldap

Nextcloud configuration:

{
    "system": {
        "overwritehost": "cloud.hiball.koshaq.net",
        "overwriteprotocol": "https",
        "trusted_proxies": "REMOVED SENSITIVE VALUE",
        "overwritecondaddr": "^172\.24\.6\.1$",
        "htaccess.RewriteBase": "/",
        "memcache.local": "\OC\Memcache\APCu",
        "apps_paths": [
            {
                "path": "/var/www/html/apps",
                "url": "/apps",
                "writable": false
            },
            {
                "path": "/var/www/html/custom_apps",
                "url": "/custom_apps",
                "writable": true
            }
        ],
        "instanceid": "REMOVED SENSITIVE VALUE",
        "passwordsalt": "REMOVED SENSITIVE VALUE",
        "secret": "REMOVED SENSITIVE VALUE",
        "trusted_domains": [
            "cloud.hiball.koshaq.net"
        ],
        "datadirectory": "REMOVED SENSITIVE VALUE",
        "overwrite.cli.url": "https://cloud.hiball.koshaq.net",
        "dbtype": "mysql",
        "version": "13.0.5.2",
        "dbname": "REMOVED SENSITIVE VALUE",
        "dbhost": "REMOVED SENSITIVE VALUE",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "REMOVED SENSITIVE VALUE",
        "dbpassword": "REMOVED SENSITIVE VALUE",
        "installed": true,
        "maintenance": false,
        "loglevel": 2
    }
}

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

Client configuration

Browser:
DAVdroid/1.11.5-ose (2018/07/01; dav4android; okhttp/3.10.0) Android/7.0

Operating system:
Android 7.0

Logs

Web server error log

{{ ip }} - {{ login }} [26/Jul/2018:15:14:12 +0300] "PROPFIND /.well-known/caldav HTTP/1.1" 301 178 "-" "DAVdroid/1.11.5-ose (2018/07/01; dav4android; okhttp/3.10.0) Android/7.0"
{{ ip }} - {{ login }} [26/Jul/2018:15:14:12 +0300] "PROPFIND /remote.php/dav HTTP/1.1" 401 299 "-" "DAVdroid/1.11.5-ose (2018/07/01; dav4android; okhttp/3.10.0) Android/7.0"


@nextcloud-bot (Member)

GitMate.io thinks possibly related issues are #10350 (13.0.5), #8754 (White page / Error 500 after Upgrade from Nextcloud 12.0.4 to 13 ), #3119 (Default calendar not showing after Upgrade to Nextcloud 11.0.1), #9204 (Nextcloud upgrade to version 13.0.1), and #9858 (Error while upgrading auf NextCloud 13.0.4).

@MorrisJobke (Member)

cc @rullzer @georgehrke

wildy (Author) commented Aug 7, 2018

Any news on this bug?

wildy (Author) commented Sep 11, 2018

Still observing this on latest Nextcloud 14. Makes CalDAV sync unusable if 2FA is enabled.

@georgehrke georgehrke self-assigned this Sep 11, 2018
@georgehrke georgehrke added the 1. to develop Accepted and waiting to be taken care of label Sep 11, 2018
@georgehrke georgehrke added this to the Nextcloud 14.0.1 milestone Sep 11, 2018

@MorrisJobke (Member)

> Use Application password in DAVDroid

This should work and we just tested and could not reproduce this. With app passwords it does just work fine. With multiple accounts, servers and android devices with DAVdroid.

As this seems to be a setup issue I would like to ask you to raise your question in the forums: https://help.nextcloud.com

If you wish support with setup issues from Nextcloud GmbH we offer this as part of the Nextcloud subscription. Learn more about this at https://nextcloud.com/enterprise/

@MorrisJobke MorrisJobke removed this from the Nextcloud 14.0.2 milestone Oct 3, 2018

@bovender

Unfortunately, I have the very same issue as @wildy

rmsc commented Sep 12, 2019

I was also suffering from this issue with device-specific passwords, and using my standard password it strangely worked.

It turns out that the device-specific password also includes the '-' dashes between the characters, which is really non-intuitive. By also entering the dashes it works.

I think this really goes against how everything else I know works, where the dashes are just to help typing and are not actually part of the password. If this is a "feature" I think it should at the very least be clearly stated in the documentation.
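
A troubleshooting aid for the 401 captured in the opening post and the dash observation in the comment above, added here as an example; it is not part of the thread or of Nextcloud's code. The function names and return labels are hypothetical, and the five-groups-of-five shape of an app password is an assumption.

```python
import base64
import re
import xml.etree.ElementTree as ET

SABRE_NS = "{http://sabredav.org/ns}"

# 401 body as shown in the capture in the opening post.
BODY_401 = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:o="http://owncloud.org/ns">'
    r'<s:exception>OCA\DAV\Connector\Sabre\Exception\PasswordLoginForbidden</s:exception>'
    '<s:message/><o:hint xmlns:o="o:">password login forbidden</o:hint></d:error>'
)

def dav_exception(body):
    """Return the short class name from <s:exception>, or None if absent or unparsable."""
    data = body.encode("utf-8") if isinstance(body, str) else body
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return None
    node = root.find(SABRE_NS + "exception")
    if node is None or not node.text:
        return None
    return node.text.strip().rsplit("\\", 1)[-1]

def basic_header(user, secret):
    """Authorization value a client sends; the secret is used byte for byte."""
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()

# Assumption: an app password is displayed as five dash-separated groups of five characters.
DASHED = re.compile(r"^[A-Za-z0-9]{5}(-[A-Za-z0-9]{5}){4}$")
STRIPPED = re.compile(r"^[A-Za-z0-9]{25}$")

def diagnose(status, body, secret):
    """Classify a DAV login failure from the response and the secret the client was given."""
    if status != 401 or dav_exception(body) != "PasswordLoginForbidden":
        return "other"
    if STRIPPED.match(secret):
        return "app-password-without-dashes"      # dashes were dropped on entry
    if DASHED.match(secret):
        return "app-password-shape-but-rejected"  # check for typos or a revoked token
    return "not-app-password-shaped"              # likely the regular account password
```

Run `diagnose()` against the status and body from a capture like the one in the opening post, together with the secret as typed into the client.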

@georgehrke (Member)

@rmsc Please open a feature request in this very same repo and don't hijack closed issues. Thx!

rmsc commented Sep 13, 2019

@georgehrke thanks, I will open a feature request.

Btw I didn't consider this hijacking, as the subject/problem is exactly the same as reported, and no solution was ever provided.

6 participants