SIP in detail - Old client is rejected

Note: I have replaced the domain msxfaq.de with msxfaq.local to hide the mail addresses used. The Netmon capture contains the data of the test environment.

The outdated OCS client attempts a connection without any particular authentication:

REGISTER sip:msxfaq.local SIP/2.0
Via: SIP/2.0/TCP 192.168.55.101:1065
Max-Forwards: 70
From: <sip:frank.carius@msxfaq.local>;tag=34431e2043;epid=fe4674ab36
To: <sip:frank.carius@msxfaq.local>
Call-ID: c1e20c54ee41a56b2bd9eb86b5962c9e
CSeq: 1 REGISTER
Contact: <sip:192.168.55.101:1065;transport=tcp;ms-opaque=97572d5a34>;methods="INVITE, MESSAGE, INFO, OPTIONS, BYE, CANCEL, NOTIFY, ACK, REFER, BENOTIFY";proxy=replace;+sip.instance="<urn:uuid:BC4CA1BF-7B79-57E1-8A55-5FEDEDAFC3C6>"
user-Agent: CPE/2.0.467.0 COMO/2.0.467.0 (Communicator Mobile 2.0)
Supported: gruu-10, adhoclist, msrtc-event-categories
Supported: ms-forking
ms-keep-alive: uAC;hop-hop=yes
Event: registration
Content-Length: 0

The server rejects this, of course, but tells the client which authentication methods it supports:

SIP/2.0 401 unauthorized
Date: Thu, 11 Dec 2008 15:47:35 GMT
WWW-Authenticate: NTLM realm="SIP Communications Service", targetname="srv01.msxfaq.local", version=3
WWW-Authenticate: Kerberos realm="SIP Communications Service", targetname="sip/srv01.msxfaq.local", version=3
From: <sip:frank.carius@msxfaq.local>;tag=34431e2043;epid=fe4674ab36
To: <sip:frank.carius@msxfaq.local>;tag=ABB5DEAD587948995CD3ED135AD5F587
Call-ID: c1e20c54ee41a56b2bd9eb86b5962c9e
CSeq: 1 REGISTER
Via: SIP/2.0/TCP 192.168.55.101:1065;received=10.1.1.254;ms-received-port=58775;ms-received-cid=2700
Content-Length: 0

On the second attempt the user sends a login, but had not yet received any data for the encryption beforehand:

REGISTER sip:msxfaq.local SIP/2.0
Via: SIP/2.0/TCP 192.168.55.101:1065
Max-Forwards: 70
From: <sip:frank.carius@msxfaq.local>;tag=34431e2043;epid=fe4674ab36
To: <sip:frank.carius@msxfaq.local>
Call-ID: c1e20c54ee41a56b2bd9eb86b5962c9e
CSeq: 2 REGISTER
Contact: <sip:192.168.55.101:1065;transport=tcp;ms-opaque=97572d5a34>;methods="INVITE, MESSAGE, INFO, OPTIONS, BYE, CANCEL, NOTIFY, ACK, REFER, BENOTIFY";proxy=replace;+sip.instance="<urn:uuid:BC4CA1BF-7B79-57E1-8A55-5FEDEDAFC3C6>"
user-Agent: CPE/2.0.467.0 COMO/2.0.467.0 (Communicator Mobile 2.0)
Authorization: NTLM qop="auth", realm="SIP Communications Service", targetname="srv01.msxfaq.local", gssapi-data="", version=3
Supported: gruu-10, adhoclist, msrtc-event-categories
Supported: ms-forking
ms-keep-alive: uAC;hop-hop=yes
Event: registration
Content-Length: 0

So the server rejects once more, but sends the client the required data ("gssapi-data"):

SIP/2.0 401 unauthorized
Date: Thu, 11 Dec 2008 15:47:35 GMT
WWW-Authenticate: NTLM opaque="8C935D90", gssapi-data="TlRMTVNTUAACAAAAAAAAADgAAADzgpjiiBZxaTtqHgIAAAAAAAAAAIIAggA4AAAABQLODgAAAA8CAAwATQBTAFgARgBBAFEAAQAKAFMAUgBWADAAMQAEABgAbQBzAHgAZgBhAHEALgBsAG8AYwBhAGwAAwAkAHMAcgB2ADAAMQAuAG0AcwB4AGYAYQBxAC4AbABvAGMAYQBsAAUAGABtAHMAeABmAGEAcQAuAGwAbwBjAGEAbAAAAAAA", targetname="srv01.msxfaq.local", realm="SIP Communications Service", version=3
From: <sip:frank.carius@msxfaq.local>;tag=34431e2043;epid=fe4674ab36
To: <sip:frank.carius@msxfaq.local>;tag=ABB5DEAD587948995CD3ED135AD5F587
Call-ID: c1e20c54ee41a56b2bd9eb86b5962c9e
CSeq: 2 REGISTER
Via: SIP/2.0/TCP 192.168.55.101:1065;received=10.1.1.254;ms-received-port=58775;ms-received-cid=2700
Content-Length: 0
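
The gssapi-data in this 401 is a base64-encoded NTLM challenge (type 2) message that crosses the wire in cleartext SIP/TCP and names the server's host and domain. The following decoder is an added example, not part of the original capture or of OCS; the field offsets and AV pair ids follow MS-NLMP, and the function and dictionary names are chosen here.

```python
import base64
import struct

# gssapi-data of the second 401 in the capture above, split for readability.
CHALLENGE_B64 = (
    "TlRMTVNTUAACAAAAAAAAADgAAADzgpjiiBZxaTtqHgIAAAAAAAAAAIIAggA4AAAABQLODgAAAA8C"
    "AAwATQBTAFgARgBBAFEAAQAKAFMAUgBWADAAMQAEABgAbQBzAHgAZgBhAHEALgBsAG8AYwBhAGwA"
    "AwAkAHMAcgB2ADAAMQAuAG0AcwB4AGYAYQBxAC4AbABvAGMAYQBsAAUAGABtAHMAeABmAGEAcQAu"
    "AGwAbwBjAGEAbAAAAAAA"
)

# AV pair ids from MS-NLMP whose values are UTF-16LE names.
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName"}


def parse_challenge(b64):
    """Decode an NTLM CHALLENGE_MESSAGE (type 2) and return its visible fields."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < 48 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type, = struct.unpack_from("<I", raw, 8)
    if msg_type != 2:
        raise ValueError(f"expected type 2, got {msg_type}")
    flags, = struct.unpack_from("<I", raw, 20)
    # TargetInfo descriptor: length, max length, offset into the message.
    ti_len, _, ti_off = struct.unpack_from("<HHI", raw, 40)
    end = ti_off + ti_len
    if end > len(raw):
        raise ValueError("TargetInfo runs past end of message")
    info, pos = {}, ti_off
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", raw, pos)
        pos += 4
        if av_id == 0 or pos + av_len > end:  # MsvAvEOL or truncated pair
            break
        value = raw[pos:pos + av_len]
        info[AV_NAMES.get(av_id, f"AvId{av_id}")] = (
            value.decode("utf-16-le") if av_id in AV_NAMES else value.hex())
        pos += av_len
    return {"flags": flags, "server_challenge": raw[24:32].hex(),
            "target_info": info}


if __name__ == "__main__":
    for key, value in parse_challenge(CHALLENGE_B64).items():
        print(key, value)
```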

Only now can the client log in completely:

REGISTER sip:msxfaq.local SIP/2.0
Via: SIP/2.0/TCP 192.168.55.101:1065
Max-Forwards: 70
From: <sip:frank.carius@msxfaq.local>;tag=34431e2043;epid=fe4674ab36
To: <sip:frank.carius@msxfaq.local>
Call-ID: c1e20c54ee41a56b2bd9eb86b5962c9e
CSeq: 3 REGISTER
Contact: <sip:192.168.55.101:1065;transport=tcp;ms-opaque=97572d5a34>;methods="INVITE, MESSAGE, INFO, OPTIONS, BYE, CANCEL, NOTIFY, ACK, REFER, BENOTIFY";proxy=replace;+sip.instance="<urn:uuid:BC4CA1BF-7B79-57E1-8A55-5FEDEDAFC3C6>"
user-Agent: CPE/2.0.467.0 COMO/2.0.467.0 (Communicator Mobile 2.0)
Supported: gruu-10, adhoclist, msrtc-event-categories
Supported: ms-forking
ms-keep-alive: uAC;hop-hop=yes
Event: registration
Proxy-Authorization: NTLM qop="auth", realm="SIP Communications Service", opaque="8C935D90", targetname="srv01.msxfaq.local", version=3, gssapi-data="TlRMTVNTUAADAAAAGAAYAE0AAAAAAAAAZQAAAAYABgBAAAAABwAHAEYAAAAAAAAATQAAABAAEABlAAAAUoKIYG1zeGZhcWZjYXJpdXMxCFrBhnA50kqOr3vD/+axsAWCitP+c9O28yabPfSDMg5s89262+3n"
Content-Length: 0

But the server has of course been paying attention: it recognized from the User-Agent that the client does not comply with company policy, and it denies access:

SIP/2.0 403 Forbidden
Authentication-Info: NTLM rspauth="0100000068CF2032B6333B3664000000", srand="017259E2", snum="1", opaque="8C935D90", qop="auth", targetname="srv01.msxfaq.local", realm="SIP Communications Service"
Content-Length: 0
Via: SIP/2.0/TCP 192.168.55.101:1065;received=10.1.1.254;ms-received-port=58775;ms-received-cid=2700
From: <sip:frank.carius@msxfaq.local>;tag=34431e2043;epid=fe4674ab36
To: <sip:frank.carius@msxfaq.local>;tag=ABB5DEAD587948995CD3ED135AD5F587
Call-ID: c1e20c54ee41a56b2bd9eb86b5962c9e
CSeq: 3 REGISTER
Warning: 310 lcs.microsoft.com "You are currently not using the recommended version of the client"
ms-diagnostics: 17002;reason="Invalid Request";source="srv01.msxfaq.local";appName="ClientVersionFilter"
Server: ClientVersionFilter/3.0.0.0

On his PC the user now simply sees the error message that his client is too old and that he should contact his administrator.
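
When reading such a trace, the three server responses mean different things: a list of offered schemes, an NTLM challenge, and a policy block issued after the handshake. The following triage script is an added example, not part of the original page or of OCS; the category labels are chosen here, and it assumes that an Authentication-Info header on the 403 indicates a completed NTLM handshake, as the page describes.

```python
import re

# Abridged from the three server responses in the capture above; header values
# are the page's, the gssapi-data value is replaced by a placeholder.
TRACE = '''SIP/2.0 401 unauthorized
WWW-Authenticate: NTLM realm="SIP Communications Service", targetname="srv01.msxfaq.local", version=3
WWW-Authenticate: Kerberos realm="SIP Communications Service", targetname="sip/srv01.msxfaq.local", version=3
CSeq: 1 REGISTER

SIP/2.0 401 unauthorized
WWW-Authenticate: NTLM opaque="8C935D90", gssapi-data="<challenge>", targetname="srv01.msxfaq.local", realm="SIP Communications Service", version=3
CSeq: 2 REGISTER

SIP/2.0 403 Forbidden
Authentication-Info: NTLM rspauth="0100000068CF2032B6333B3664000000", srand="017259E2", snum="1", opaque="8C935D90", qop="auth"
CSeq: 3 REGISTER
ms-diagnostics: 17002;reason="Invalid Request";source="srv01.msxfaq.local";appName="ClientVersionFilter"
'''

# name="quoted value" or name=token, as used in the auth and diagnostics headers
PARAM = re.compile(r'([\w-]+)=(?:"([^"]*)"|([^,;\s]+))')


def parse_response(text):
    """Return (status code, {lower-case header name: [values]})."""
    lines = text.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(lines[0].split()[1]), headers


def params(value):
    return {k.lower(): quoted or bare for k, quoted, bare in PARAM.findall(value)}


def classify(status, headers):
    offers = headers.get("www-authenticate", [])
    if status == 401:
        has_token = any(params(v).get("gssapi-data") for v in offers)
        return ("challenge" if has_token else "scheme-offer",
                [v.split()[0] for v in offers])
    diag = params(" ".join(headers.get("ms-diagnostics", [])))
    if status == 403 and "authentication-info" in headers and diag.get("appname"):
        return ("blocked-after-auth", [diag["appname"]])
    return ("other", [])


def triage(trace):
    return [classify(*parse_response(m)) for m in trace.split("\n\n") if m.strip()]
```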

Further links