3.3.5.1 Processing Unauthenticated Messages from the SIP Client

When a SIP server that is configured to authenticate all SIP protocol clients that talk to it receives a message from the protocol client that does not carry either an Authorization or a Proxy-Authorization header field, or in which the realm and targetname parameter value pairs in all of the authorization header fields do not match the values that the server created during initialization, the server MUST reject the message. If the message is not an ACK or CANCEL, the server MUST send a 401 Unauthorized or 407 Proxy Authentication Required response, or challenge, back to the protocol client with one or more authentication header fields. If the message is an ACK or CANCEL, the server MUST discard it.

When forming a challenge response, the server SHOULD add an authentication header field for each authentication protocol that it supports, such as NTLM, Kerberos, and TLS-DSK<19> authentication header fields that are covered in this protocol, with the following content:

  • Authentication protocol ("NTLM", "Kerberos", or "TLS-DSK").

  • realm with the value selected by the server during initialization.

  • targetname with the value selected by the server during initialization.

  • version with the value of 3<20> if the server implements version 3 of this protocol or 4<21> if the server implements version 4 of this protocol.

  • For TLS-DSK authentication protocol the server SHOULD add an sts-uri parameter with the value of the URL of the Certificate Provisioning Service described in [MS-OCAUTHWS].

However, if the request is destined to a conference GRUU, as specified in [MS-SIPRE], and the From: header in the request is an anonymous URI of the form <username>@anonymous.invalid, the server SHOULD<22> form the challenge response as described in section 3.3.5.4 and the rest of this section SHOULD NOT be followed.

The server SHOULD use a 401 Unauthorized response with a WWW-Authenticate header field if it acts as a UAS when processing the request, and it SHOULD use a 407 Proxy Authentication Required response with a Proxy-Authenticate header field if it acts as a proxy when processing the request.

The server MUST add a Date header field with the value obtained from the computer or device on which it runs.
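The decision logic of this section, modelled as an added example that is not part of the specification or of any Microsoft implementation; the request and response dictionaries, the sample realm, targetname and sts-uri values, and the exact serialization of the authentication parameters are assumptions for illustration, and the conference GRUU exception of section 3.3.5.4 is left out.

```python
# Added example (not from MS-SIPAE): server-side handling of a message that
# does not carry acceptable authentication, per section 3.3.5.1.
from email.utils import formatdate

# Values the server selected during initialization (constructed sample data).
SERVER = {
    "realm": "SIP Communications Service",
    "targetname": "sip.contoso.example",
    "version": 4,
    "protocols": ["NTLM", "Kerberos", "TLS-DSK"],
    "sts_uri": "https://sip.contoso.example/CertProv/Service.svc",  # assumed
}

def parse_auth_header(value):
    """Split 'NTLM realm="x", targetname="y"' into (scheme, {param: value}).
    Naive: quoted values containing commas are not handled."""
    scheme, _, rest = value.strip().partition(" ")
    params = {}
    for part in rest.split(","):
        key, _, val = part.strip().partition("=")
        if key:
            params[key.lower()] = val.strip().strip('"')
    return scheme, params

def credentials_match(request, server):
    """True if any Authorization/Proxy-Authorization header field carries the
    realm and targetname the server chose; the spec rejects only when all of
    them mismatch (or none are present)."""
    for name in ("Authorization", "Proxy-Authorization"):
        for value in request["headers"].get(name, []):
            _, params = parse_auth_header(value)
            if (params.get("realm") == server["realm"]
                    and params.get("targetname") == server["targetname"]):
                return True
    return False

def challenge_headers(server):
    """One authentication header field per supported protocol (assumed syntax)."""
    fields = []
    for proto in server["protocols"]:
        params = [f'realm="{server["realm"]}"',
                  f'targetname="{server["targetname"]}"',
                  f'version={server["version"]}']
        if proto == "TLS-DSK":  # sts-uri points at the Certificate Provisioning Service
            params.append(f'sts-uri="{server["sts_uri"]}"')
        fields.append(f"{proto} " + ", ".join(params))
    return fields

def process_message(request, server, acting_as_proxy):
    """Returns ('accept', None), ('discard', None) or ('challenge', response)."""
    if credentials_match(request, server):
        return "accept", None
    if request["method"] in ("ACK", "CANCEL"):   # MUST discard, no challenge
        return "discard", None
    if acting_as_proxy:                            # proxy -> 407 / Proxy-Authenticate
        status, header = "407 Proxy Authentication Required", "Proxy-Authenticate"
    else:                                          # UAS -> 401 / WWW-Authenticate
        status, header = "401 Unauthorized", "WWW-Authenticate"
    response = {"status": status, header: challenge_headers(server),
                "Date": formatdate(usegmt=True)}   # Date from the local clock
    return "challenge", response
```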