ONVIF: Authentication failure with AXIS P3301 using ONVIF protocol

After the first user was created (in my case with user name “root” and password “root”), the AXIS P3301 (firmware 5.11.2) returns a NotAuthorized SOAP fault for any ONVIF request:

<SOAP-ENV:Fault 
    SOAP-ENV:encodingStyle="http://www.w3.org/2003/05/soap-encoding"
    xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope">
    <SOAP-ENV:Code>
        <SOAP-ENV:Value>SOAP-ENV:Sender</SOAP-ENV:Value>
        <SOAP-ENV:Subcode>
            <SOAP-ENV:Value>ter:NotAuthorized</SOAP-ENV:Value>
        </SOAP-ENV:Subcode>
    </SOAP-ENV:Code>
    <SOAP-ENV:Reason>
        <SOAP-ENV:Text xml:lang="en">Sender not authorized</SOAP-ENV:Text>
    </SOAP-ENV:Reason>
    <SOAP-ENV:Detail>
        The action requested requires authorization and the sender is not authorized
    </SOAP-ENV:Detail>
</SOAP-ENV:Fault>

According to ONVIF specification 1.02, I use the user name token profile for authentication, which is described in the specification http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf.

Below is the script that I use to form the SOAP request:

xquery version "1.0";
declare copy-namespaces no-preserve, inherit;
<s:Envelope 
    xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
    xmlns:s="http://www.w3.org/2003/05/soap-envelope">

    <s:Header>
        <o:Security
            s:mustUnderstand="true"
            xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">

            <o:UsernameToken u:Id="UsernameToken-3ae8d972-d014-47b0-858b-2364f6119763">
                <o:Username>{model/userName/text()}</o:Username>
                <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">
                    {model/passwordDigest/text()}
                </o:Password>
                <o:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
                    {model/nonce/text()}
                </o:Nonce>
                <u:Created>{model/created/text()}</u:Created>
            </o:UsernameToken>

        </o:Security>
    </s:Header>

    <s:Body>
        <tds:GetDeviceInformation xmlns:tds="http://www.onvif.org/ver10/device/wsdl" />
    </s:Body>

</s:Envelope>

Here is my code for sending the request:

static byte[] sha1(params byte[][] parts) {
    var data = parts.Concat().ToArray();
    var hasher = SHA1.Create();
    return hasher.ComputeHash(data);
}

static string userName = "root";
static string password = "root";

static void Main(string[] args) {
    Init();
    var uri = @"http://192.168.5.71/onvif/services";
    var nonce = new byte[] {1,2,3,4};
    var created = System.DateTime.Now.ToUniversalTime().ToString("yyyy-MM-ddThh:mm:ss.fffZ");
    try {
        var body = SendSoapRequest(uri, "GetDeviceInformation.xq", new {
            userName = userName,
            passwordDigest = sha1(
                nonce,
                created.ToUtf8(),
                password.ToUtf8()
            ).ToBase64(),
            nonce = nonce.ToBase64(),
            created = created,
        });

        using (var _w = new XmlTextWriter(Console.Out)) {
            _w.Formatting = Formatting.Indented;
            body.WriteTo(_w);
        }
    }catch(SoapFaultException err){
        var fault = err.fault;
        using (var _w = new XmlTextWriter(Console.Out)) {
            _w.Formatting = Formatting.Indented;
            fault.WriteTo(_w);
        }
    }
}

Wireshark log of request:

<s:Envelope 
    xmlns:s="http://www.w3.org/2003/05/soap-envelope" 
    xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
        <o:Security 
            xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
            s:mustUnderstand="true">
            <o:UsernameToken u:Id="UsernameToken-3ae8d972-d014-47b0-858b-2364f6119763">
                <o:Username>root</o:Username>
                <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">MQ52wETdmCuGHmCsYED3FGrQ0UE=</o:Password>
                <o:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">AQIDBA==</o:Nonce>
                <u:Created>2011-03-03T12:23:28.499Z</u:Created>
            </o:UsernameToken>
        </o:Security>
    </s:Header>
    <s:Body>
        <tds:GetDeviceInformation xmlns:tds="http://www.onvif.org/ver10/device/wsdl" />
    </s:Body>
</s:Envelope>

Wireshark log of response:

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope 
    xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope" 
    xmlns:SOAP-ENC="http://www.w3.org/2003/05/soap-encoding" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
    xmlns:c14n="http://www.w3.org/2001/10/xml-exc-c14n#" 
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
    xmlns:wsa5="http://www.w3.org/2005/08/addressing" 
    xmlns:xmime5="http://www.w3.org/2005/05/xmlmime" 
    xmlns:wsrf-bf="http://docs.oasis-open.org/wsrf/bf-2" 
    xmlns:wstop="http://docs.oasis-open.org/wsn/t-1" 
    xmlns:tt="http://www.onvif.org/ver10/schema" 
    xmlns:wsrf-r="http://docs.oasis-open.org/wsrf/r-2" 
    xmlns:tan1="http://www.onvif.org/ver10/analytics/wsdl/RuleEngineBinding" 
    xmlns:tan="http://www.onvif.org/ver10/analytics/wsdl" 
    xmlns:tan2="http://www.onvif.org/ver10/analytics/wsdl/AnalyticsEngineBinding" 
    xmlns:tds="http://www.onvif.org/ver10/device/wsdl" 
    xmlns:tev1="http://www.onvif.org/ver10/events/wsdl/NotificationProducerBinding" 
    xmlns:tev2="http://www.onvif.org/ver10/events/wsdl/EventBinding" 
    xmlns:tev3="http://www.onvif.org/ver10/events/wsdl/SubscriptionManagerBinding" 
    xmlns:wsnt="http://docs.oasis-open.org/wsn/b-2" 
    xmlns:tev4="http://www.onvif.org/ver10/events/wsdl/PullPointSubscriptionBinding" 
    xmlns:tev="http://www.onvif.org/ver10/events/wsdl" 
    xmlns:timg="http://www.onvif.org/ver10/imaging/wsdl" 
    xmlns:tptz="http://www.onvif.org/ver10/ptz/wsdl" 
    xmlns:trt="http://www.onvif.org/ver10/media/wsdl" 
    xmlns:ter="http://www.onvif.org/ver10/error" 
    xmlns:tns1="http://www.onvif.org/ver10/topics" 
    xmlns:tnsaxis="http://www.axis.com/2009/event/topics">

    <SOAP-ENV:Header></SOAP-ENV:Header>
    <SOAP-ENV:Body>
        <SOAP-ENV:Fault SOAP-ENV:encodingStyle="http://www.w3.org/2003/05/soap-encoding">
            <SOAP-ENV:Code>
                <SOAP-ENV:Value>SOAP-ENV:Sender</SOAP-ENV:Value>
                <SOAP-ENV:Subcode>
                    <SOAP-ENV:Value>ter:NotAuthorized</SOAP-ENV:Value>
                </SOAP-ENV:Subcode>
            </SOAP-ENV:Code>
            <SOAP-ENV:Reason>
                <SOAP-ENV:Text xml:lang="en">Sender not authorized</SOAP-ENV:Text>
            </SOAP-ENV:Reason>
            <SOAP-ENV:Detail>The action requested requires authorization and the sender is not authorized</SOAP-ENV:Detail>
        </SOAP-ENV:Fault>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Where was I wrong? (With Bosch VIP X1 XF IVA it works.)

andrey.ko asked Mar 03 '11 11:03
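
Added example (not part of the original question or its answers): a Python sketch of the check a receiver of this UsernameToken performs, using the digest formula from the UsernameToken profile the question cites, Base64(SHA-1(nonce + created + password)). The five-minute freshness window, the nonce cache and the names `verify_token`, `MAX_SKEW` and `demo` are assumptions for illustration, not documented AXIS or ONVIF behaviour; the sample token is constructed from the nonce, timestamp and credentials visible in the capture.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # assumed freshness window, not taken from the page

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)), as in the UsernameToken profile."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def parse_created(created: str) -> datetime:
    # UTC "Z" form, with or without fractional seconds; %H is the 24-hour clock.
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in created else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(created, fmt).replace(tzinfo=timezone.utc)

def verify_token(token: dict, password: str, now: datetime, seen: set) -> str:
    """Return "ok" or the reason a receiver would reject the token."""
    try:
        nonce = base64.b64decode(token["nonce"], validate=True)
        created_at = parse_created(token["created"])
    except ValueError:
        return "malformed"
    if abs(now - created_at) > MAX_SKEW:
        return "stale-created"      # rejected even when the digest is correct
    if nonce in seen:
        return "replayed-nonce"     # a fixed nonce is accepted only once
    expected = password_digest(nonce, token["created"], password)
    if not hmac.compare_digest(expected.encode(), token["digest"].encode()):
        return "bad-digest"
    seen.add(nonce)
    return "ok"

def demo() -> list:
    # Constructed token built from the nonce, timestamp and credentials in the capture.
    created, nonce = "2011-03-03T12:23:28.499Z", bytes([1, 2, 3, 4])
    token = {"nonce": base64.b64encode(nonce).decode("ascii"), "created": created,
             "digest": password_digest(nonce, created, "root")}
    now = parse_created("2011-03-03T12:23:30Z")  # receiver clock, two seconds later
    seen = set()
    return [
        verify_token(token, "root", now, seen),                           # first use
        verify_token(token, "root", now, seen),                           # same nonce again
        verify_token(token, "root", now + timedelta(hours=12), set()),    # clock skew
        verify_token(token, "toor", now, set()),                          # wrong password
    ]

if __name__ == "__main__":
    print(demo())
```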


1 Answer

I don't see where you specify the "tds" namespace (which should be "http://www.onvif.org/ver10/device/wsdl") in your soap envelope. I had the same problem: a typo in my request, and my camera answered with "http 401 not authorized".

Gerard H. Pille answered Sep 29 '22 09:09