Outbound authentication errors using pjsip


#1

I’m using Asterisk 16.1 but I don’t think this problem is really related to the version.
I’m also using odbc for the pjsip configuration.
I get a series of error messages at startup:
[Jan 29 10:00:53] WARNING[3639]: res_pjsip_outbound_authenticator_digest.c:178 digest_create_request_with_auth: Host: ‘192.168.1.31:5060’: Unable to create request with auth. No auth credentials for realm(s) ‘asterisk’ in challenge.
[Jan 29 10:00:53] WARNING[3639]: res_pjsip_outbound_authenticator_digest.c:178 digest_create_request_with_auth: Host: ‘192.168.1.31:5060’: Unable to create request with auth. No auth credentials for realm(s) ‘192.168.1.31’ in challenge.
[Jan 29 10:00:53] WARNING[3639]: res_pjsip_outbound_authenticator_digest.c:178 digest_create_request_with_auth: Host: ‘192.168.1.31:5060’: Unable to create request with auth. No auth credentials for realm(s) ‘asterisk’ in challenge.
[Jan 29 10:00:53] WARNING[3638]: res_pjsip_outbound_authenticator_digest.c:178 digest_create_request_with_auth: Host: ‘192.168.1.31:5060’: Unable to create request with auth. No auth credentials for realm(s) ‘asterisk’ in challenge.
[Jan 29 10:00:53] WARNING[3638]: res_pjsip_outbound_authenticator_digest.c:178 digest_create_request_with_auth: Host: ‘192.168.1.31:5060’: Unable to create request with auth. No auth credentials for realm(s) ‘localhost’ in challenge.
[Jan 29 10:00:53] WARNING[3639]: res_pjsip_outbound_authenticator_digest.c:178 digest_create_request_with_auth: Host: ‘192.168.1.31:5060’: Unable to create request with auth. No auth credentials for realm(s) ‘192.168.1.31’ in challenge.
[Jan 29 10:00:53] WARNING[3638]: res_pjsip_outbound_authenticator_digest.c:178 digest_create_request_with_auth: Host: ‘192.168.1.31:5060’: Unable to create request with auth. No auth credentials for realm(s) ‘asterisk’ in challenge.

The realms concerned seem to be those in the ps_auth table of the odbc configuration.
I’ve tried different valus asterisk, localhost,192.168.1.31 to see if it makes any difference.
I suppose first of all I don’t understand what asterisk is trying to do here.
Nor do I understand the notion of realms which seem to equate to domains but do they?

The ps_domain_aliases table is empty. Should it be?

If someone can point me to some documentation which would help me to understand what’s going on, I’d appreciate it.

Pete


#2

What exactly is the current configuration?


#3

What would you like to see, bearing in mind that the config is on MySQL so either I dump the tables: ps_auth, ps_endpoints? or screenshots?


#4

Both the auth and endpoint, so the record from ps_auth and ps_endpoints respectively.


#5

Oh, and you can just leave the realm empty and Asterisk will use the realm as received by the remote side.


#6

I’ve changed the realm field in ps_endpoints to NULL. Now all the error messages indicate 'No auth credentials for realm “asterisk” in challenge


#7

I have a problem with phpmyadmin which is stopping me from exporting the tables


#8

Instead of NULL can you just make it an empty string?


#9

Same error messages are produced referring to realm “asterisk” with empty string as opposed to NULL


#10

I’d still like to understand what asterisk is trying to do here


#11

It’s how SIP fundamentally works. The remote side challenges for authentication with a realm, and Asterisk then resends the request with credentials. We search for the correct authentication to use based on the realm, and if no realm is specified in our configuration then we use that one.

Have you verified what Asterisk sees for configuration in the CLI commands? Is an auth actually configured for what is being challenged for? Do you know what the SIP request is?


#12

Without changing the source code, I can’t see’how I can find out what SIP requests are causing the errors. I’ve tried core set debug 64 pjsip and pjsip set logger on but they don’t give anything more informative.


#13

BTW the version of pjproject I’m using is 2.8


#14

You can configure in pjsip.conf in the global section the “debug” option which will enable “pjsip set logger on” from the very start, causing SIP requests and responses to be output to the Asterisk console.


#15

Now I have set debug to yes and the default realm to XXXXX as opposed to “asterisk” and XXXXX is in the error messages. So now the question is where we are supposed to define realms?
I’ve tried creating entries in the ps_domain_aliases table pointing to the server but that doesn’t seem to change anything


#16

The realm is defined in the auth section, but I can’t give specifics because I have no data or configuration to go on to know what is truly happening.


#17

Run the following CLI commands:

CLI> pjsip show settings
CLI> pjsip show endpoint <endpoint>
CLI> pjsip show aor <'aors' listed in endpoint>
CLI> pjsip show auth <'auth' listed in endpoint>

#18

The realms in ps_auth are all linked to endpoints aren’t they?


#19

no. they’re strictly for authentication purposes.


#20

Global Settings:

ParameterName : ParameterValue

contact_expiration_check_interval : 30
debug : yes
default_from_user : KFONE1
default_outbound_endpoint : default_outbound_endpoint
default_realm : KFONE2
default_voicemail_extension :
disable_multi_domain : false
endpoint_identifier_order : ip,username,anonymous
ignore_uri_user_options : false
keep_alive_interval : 20
max_forwards : 70
max_initial_qualify_time : 0
mwi_disable_initial_unsolicited : false
mwi_tps_queue_high : 500
mwi_tps_queue_low : -1
regcontext :
unidentified_request_count : 5
unidentified_request_period : 5
unidentified_request_prune_interval : 30
use_callerid_contact : no
user_agent : Asterisk PBX 16.1.1

System Settings:

ParameterName : ParameterValue

accept_multiple_sdp_answers : false
compact_headers : false
disable_tcp_switch : true
follow_early_media_fork : true
threadpool_auto_increment : 5
threadpool_idle_timeout : 60
threadpool_initial_size : 0
threadpool_max_size : 50
timer_b : 32000
timer_t1 : 500

Endpoint: 1001/1001 Not in use 0 of 1
OutAuth: PeteKirkham/PeteKirkham
InAuth: PeteKirkham/PeteKirkham
Aor: PeteKirkham 10
Contact: PeteKirkham/sip:1001@192.168.1.31:5060 c41c49f388 NonQual nan
Transport: transport-udp udp 0 0 0.0.0.0:5060

Endpoint: 1004/1004 Not in use 0 of 1
OutAuth: PortablePete/PortablePete
InAuth: PortablePete/PortablePete
Aor: PortablePete 10
Contact: PortablePete/sip:PortablePete@192.168.1.16 41336d7601 NonQual nan
Contact: PortablePete/sip:1004@192.168.1.31:5060 03dc3202c1 NonQual nan
Transport: transport-udp udp 0 0 0.0.0.0:5060

Endpoint: Brigitte/1003 Not in use 0 of 1
InAuth: Brigitte/Brigitte
Aor: Brigitte 10
Contact: Brigitte/sip:1003@192.168.1.31:5060 eff72bb66b NonQual nan
Transport: transport-udp udp 0 0 0.0.0.0:5060

Endpoint: Fiona/1002 Not in use 0 of 1
InAuth: Fiona/Fiona
Aor: Fiona 10
Contact: Fiona/sip:1002@192.168.1.31:5060 f376ad048f NonQual nan
Transport: transport-udp udp 0 0 0.0.0.0:5060

Endpoint: PeteKirkham/1001 Not in use 0 of 1
InAuth: PeteKirkham/PeteKirkham
Aor: PeteKirkham 10
Contact: PeteKirkham/sip:1001@192.168.1.31:5060 c41c49f388 NonQual nan
Transport: transport-udp udp 0 0 0.0.0.0:5060

Endpoint: PortablePete/1004 Not in use 0 of 1
InAuth: PortablePete/PortablePete
Aor: PortablePete 10
Contact: PortablePete/sip:PortablePete@192.168.1.16 41336d7601 NonQual nan
Contact: PortablePete/sip:1004@192.168.1.31:5060 03dc3202c1 NonQual nan
Transport: transport-udp udp 0 0 0.0.0.0:5060

Endpoint: net2phone Not in use 0 of 1
OutAuth: net2phone/610569414904
InAuth: net2phone/610569414904
Aor: net2phone 2
Contact: net2phone/sip:ippbx.net2phone.com 0a5bd7e8d2 NonQual nan
Transport: transport-udp udp 0 0 0.0.0.0:5060
Identify: net2phone/net2phone
Match: 66.33.146.52/32
Match: 169.132.196.11/32

Endpoint: ovh Not in use 0 of 1
OutAuth: ovh/0033972306227
InAuth: ovh/0033972306227
Aor: ovh 2
Contact: ovh/sip:0033972306227@sip.ovh.fr 5c91c115fa NonQual nan
Transport: transport-udp udp 0 0 0.0.0.0:5060
Identify: ovh/ovh
Match: 91.121.129.20/32

Endpoint: webrtc_client Unavailable 0 of inf
InAuth: webrtc_client/KFONE
Aor: webrtc_client 1
Transport: transport-udp udp 0 0 0.0.0.0:5060

Endpoint: 1001/1001 Not in use 0 of 1
OutAuth: PeteKirkham/PeteKirkham
InAuth: PeteKirkham/PeteKirkham
Aor: PeteKirkham 10
Contact: PeteKirkham/sip:1001@192.168.1.31:5060 c41c49f388 NonQual nan
Transport: transport-udp udp 0 0 0.0.0.0:5060

ParameterName : ParameterValue

100rel : yes
accept_multiple_sdp_answers : false
accountcode :
acl :
aggregate_mwi : true
allow : (g729|alaw|ulaw|gsm|h263)
allow_overlap : true
allow_subscribe : true
allow_transfer : true
aors : PeteKirkham
asymmetric_rtp_codec : false
auth : PeteKirkham
bind_rtp_to_media_address : false
bundle : false
call_group :
callerid : “Pete” <1001>
callerid_privacy : allowed
callerid_tag :
connected_line_method : invite
contact_acl :
context : outgoing
cos_audio : 0
cos_video : 0
device_state_busy_at : 1
direct_media : false
direct_media_glare_mitigation : none
direct_media_method : invite
disable_direct_media_on_nat : false
dtls_auto_generate_cert : No
dtls_ca_file :
dtls_ca_path :
dtls_cert_file :
dtls_cipher :
dtls_fingerprint : SHA-256
dtls_private_key :
dtls_rekey : 0
dtls_setup : active
dtls_verify : No
dtmf_mode : rfc4733
fax_detect : false
fax_detect_timeout : 0
follow_early_media_fork : true
force_avp : false
force_rport : true
from_domain :
from_user :
g726_non_standard : false
ice_support : false
identify_by : username
inband_progress : false
incoming_mwi_mailbox :
language : fr
mailboxes : 1001@default
max_audio_streams : 1
max_video_streams : 1
media_address :
media_encryption : no
media_encryption_optimistic : false
media_use_received_transport : false
message_context :
moh_passthrough : false
moh_suggest : default
mwi_from_user :
mwi_subscribe_replaces_unsolicited : no
named_call_group :
named_pickup_group :
notify_early_inuse_ringing : false
one_touch_recording : false
outbound_auth : PeteKirkham
outbound_proxy :
pickup_group :
preferred_codec_only : false
record_off_feature : automixmon
record_on_feature : automixmon
refer_blind_progress : true
rewrite_contact : false
rpid_immediate : false
rtcp_mux : false
rtp_engine : asterisk
rtp_ipv6 : false
rtp_keepalive : 0
rtp_symmetric : false
rtp_timeout : 0
rtp_timeout_hold : 0
sdp_owner : -
sdp_session : Asterisk
send_connected_line : yes
send_diversion : true
send_pai : false
send_rpid : false
set_var :
srtp_tag_32 : false
sub_min_expiry : 0
subscribe_context :
suppress_q850_reason_headers : false
t38_udptl : false
t38_udptl_ec : none
t38_udptl_ipv6 : false
t38_udptl_maxdatagram : 0
t38_udptl_nat : false
timers : yes
timers_min_se : 90
timers_sess_expires : 1800
tone_zone :
tos_audio : 0
tos_video : 0
transport : transport-udp
trust_connected_line : yes
trust_id_inbound : false
trust_id_outbound : true
use_avpf : false
use_ptime : false
user_eq_phone : false
voicemail_extension :
webrtc : no

Auth: PeteKirkham/PeteKirkham

ParameterName : ParameterValue

auth_type : userpass
md5_cred :
nonce_lifetime : 32
password : xxxxxxxxxxx
realm :
username : PeteKirkham

Aor: PeteKirkham 10
Contact: PeteKirkham/sip:1001@192.168.1.31:5060 c41c49f388 NonQual nan

ParameterName : ParameterValue

authenticate_qualify : false
contact : sip:1001@192.168.1.31:5060
default_expiration : 3600
mailboxes : 1001
max_contacts : 10
maximum_expiration : 7200
minimum_expiration : 60
outbound_proxy :
qualify_frequency : 0
qualify_timeout : 3.000000
remove_existing : false
support_path : false
voicemail_extension :