Error 401 when using DAVDroid (1.11.5-ose) with Nextcloud (13.0.5) and 2FA #10404

@wildy

Description

Steps to reproduce

  1. Install DAVDroid
  2. Enable 2FA in Nextcloud
  3. Generate Application password from within Nextcloud
  4. Configure DAVDroid with the URL https://{{ host }}/remote.php/dav
  5. Use Application password in DAVDroid

Expected behaviour

DAVDroid synchronizes contacts and calendar successfully

Actual behaviour

DAVDroid hangs for a while with the 'Discovering configuration' message; I can see the following messages in the Apache log:
10.38.0.2 - {{ login }} [26/Jul/2018:15:12:37 +0300] "PROPFIND /remote.php/dav HTTP/1.1" 401 299 "-" "DAVdroid/1.11.5-ose (2018/07/01; dav4android; okhttp/3.10.0) Android/7.0"

I used Wireshark to dump the (plain-text) traffic between my nginx proxy and the NC apache web server and see this:

PROPFIND /remote.php/dav HTTP/1.1
Host: {{ host }}
X-Forwarded-For: {{ client_IP }}
X-Forwarded-Proto: https
X-Real-IP: {{ client_IP }}
Connection: close
Content-Length: 290
Depth: 0
Content-Type: application/xml; charset=utf-8
Accept-Encoding: gzip
User-Agent: DAVdroid/1.12-beta3-ose (2018/07/25; dav4android; okhttp/3.11.0) Android/7.0
Accept-Language: ru-RU, ru;q=0.7, *;q=0.5
Authorization: Basic {{ HTTP_basic_auth }}

<?xml version='1.0' encoding='UTF-8' ?><propfind xmlns="DAV:" xmlns:CAL="urn:ietf:params:xml:ns:caldav" xmlns:CARD="urn:ietf:params:xml:ns:carddav"><prop><resourcetype /><displayname /><CARD:addressbook-description /><CARD:addressbook-home-set /><current-user-principal /></prop></propfind>

HTTP/1.1 401 Unauthorized
Date: Thu, 26 Jul 2018 11:55:45 GMT
Server: Apache/2.4.25 (Debian)
X-Powered-By: PHP/7.1.20
Set-Cookie: {{ cookie }}; path=/; secure; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase={{ cookie2 }}; path=/; secure; HttpOnly
Content-Security-Policy: default-src 'none';
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
Content-Length: 299
Connection: close
Content-Type: application/xml; charset=utf-8

<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:o="http://owncloud.org/ns">
  <s:exception>OCA\DAV\Connector\Sabre\Exception\PasswordLoginForbidden</s:exception>
  <s:message/>
  <o:hint xmlns:o="o:">password login forbidden</o:hint>
</d:error>

This should indicate that the login was attempted with a standard password, but I used an application password with DAVDroid.

Server configuration

Operating system: Debian stretch, Nextcloud 13.0.5 installed via latest Docker image

Web server: Apache/2.4.25 (Debian) on nextcloud container; nginx/1.10.3 on proxy host

Database: 10.3.8-MariaDB

PHP version: 7.1.20

Nextcloud version: 13.0.5

Updated from an older Nextcloud/ownCloud or fresh install:

Where did you install Nextcloud from:

Signing status:

No errors have been found.

List of activated apps:

App list

Enabled:

  • activity: 2.6.1
  • calendar: 1.6.1
  • checksum: 0.4.0
  • circles: 0.14.0
  • comments: 1.3.0
  • contacts: 2.1.5
  • dashboard: 5.0.0
  • dav: 1.4.7
  • drawio: 0.8.9
  • federatedfilesharing: 1.3.1
  • federation: 1.3.0
  • files: 1.8.0
  • files_accesscontrol: 1.3.0
  • files_pdfviewer: 1.2.1
  • files_sharing: 1.5.0
  • files_texteditor: 2.5.1
  • files_trashbin: 1.3.0
  • files_versions: 1.6.0
  • files_videoplayer: 1.2.0
  • firstrunwizard: 2.2.1
  • gallery: 18.0.0
  • gpxpod: 2.2.2
  • groupfolders: 1.2.2
  • logreader: 2.0.0
  • lookup_server_connector: 1.1.0
  • metadata: 0.6.0
  • nextcloud_announcements: 1.2.0
  • notifications: 2.1.2
  • oauth2: 1.1.1
  • password_policy: 1.3.0
  • provisioning_api: 1.3.0
  • serverinfo: 1.3.0
  • sharebymail: 1.3.0
  • spreed: 3.2.5
  • survey_client: 1.1.0
  • systemtags: 1.3.0
  • tasks: 0.9.6
  • theming: 1.4.5
  • twofactor_backupcodes: 1.2.3
  • twofactor_totp: 1.4.1
  • twofactor_u2f: 1.5.5
  • twofactor_yubikey: 0.3.0
  • updatenotification: 1.3.0
  • weather: 1.5.1
  • workflowengine: 1.3.0
  • zenodo: 0.9.4

Disabled:

  • admin_audit
  • encryption
  • files_external
  • user_external
  • user_ldap

Nextcloud configuration:

Config report

{
    "system": {
        "overwritehost": "cloud.hiball.koshaq.net",
        "overwriteprotocol": "https",
        "trusted_proxies": "REMOVED SENSITIVE VALUE",
        "overwritecondaddr": "^172\.24\.6\.1$",
        "htaccess.RewriteBase": "/",
        "memcache.local": "\OC\Memcache\APCu",
        "apps_paths": [
            {
                "path": "/var/www/html/apps",
                "url": "/apps",
                "writable": false
            },
            {
                "path": "/var/www/html/custom_apps",
                "url": "/custom_apps",
                "writable": true
            }
        ],
        "instanceid": "REMOVED SENSITIVE VALUE",
        "passwordsalt": "REMOVED SENSITIVE VALUE",
        "secret": "REMOVED SENSITIVE VALUE",
        "trusted_domains": [
            "cloud.hiball.koshaq.net"
        ],
        "datadirectory": "REMOVED SENSITIVE VALUE",
        "overwrite.cli.url": "https://cloud.hiball.koshaq.net",
        "dbtype": "mysql",
        "version": "13.0.5.2",
        "dbname": "REMOVED SENSITIVE VALUE",
        "dbhost": "REMOVED SENSITIVE VALUE",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "REMOVED SENSITIVE VALUE",
        "dbpassword": "REMOVED SENSITIVE VALUE",
        "installed": true,
        "maintenance": false,
        "loglevel": 2
    }
}

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

Client configuration

Browser:
DAVdroid/1.11.5-ose (2018/07/01; dav4android; okhttp/3.10.0) Android/7.0

Operating system:
Android 7.0

Logs

Web server error log

{{ ip }} - {{ login }} [26/Jul/2018:15:14:12 +0300] "PROPFIND /.well-known/caldav HTTP/1.1" 301 178 "-" "DAVdroid/1.11.5-ose (2018/07/01; dav4android; okhttp/3.10.0) Android/7.0"
{{ ip }} - {{ login }} [26/Jul/2018:15:14:12 +0300] "PROPFIND /remote.php/dav HTTP/1.1" 401 299 "-" "DAVdroid/1.11.5-ose (2018/07/01; dav4android; okhttp/3.10.0) Android/7.0"

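Added example (not part of the original report and not Nextcloud or DAVdroid code): a Python triage helper that parses a captured DAV 401 response like the one in the report and extracts the Sabre exception and hint, so a PasswordLoginForbidden rejection can be told apart from other 401 causes. The sample bytes are constructed from the capture with most headers trimmed; the function names and triage labels are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the 401 response from the report, headers trimmed.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Apache/2.4.25 (Debian)\r\n"
    b"Content-Type: application/xml; charset=utf-8\r\n"
    b"\r\n"
    b'<?xml version="1.0" encoding="utf-8"?>\n'
    b'<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns"'
    b' xmlns:o="http://owncloud.org/ns">\n'
    b"  <s:exception>OCA\\DAV\\Connector\\Sabre\\Exception"
    b"\\PasswordLoginForbidden</s:exception>\n"
    b"  <s:message/>\n"
    b'  <o:hint xmlns:o="o:">password login forbidden</o:hint>\n'
    b"</d:error>\n"
)

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def parse_dav_error(raw):
    """Split a raw HTTP response and pull status, Sabre exception and hint."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status = int(head.split(b"\r\n", 1)[0].split()[1])
    result = {"status": status, "exception": None, "hint": None}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return result  # empty or non-XML body, e.g. a proxy error page
    for el in root.iter():
        # Match on local name: <o:hint> rebinds the o: prefix to "o:", so a
        # lookup under http://owncloud.org/ns would miss it.
        if local(el.tag) in ("exception", "hint"):
            result[local(el.tag)] = (el.text or "").strip() or None
    return result

def classify(result):
    """Map the parsed error to a triage label (labels are this example's own)."""
    if result["status"] != 401:
        return "not-401"
    exc = (result["exception"] or "").rsplit("\\", 1)[-1]
    if exc == "PasswordLoginForbidden":
        return "password-login-forbidden"
    return "other-401"

if __name__ == "__main__":
    parsed = parse_dav_error(SAMPLE_RESPONSE)
    print(parsed, classify(parsed))
```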