HTTP provisioning - authentication error

Hi,
I’m setting up a remote extension using the redirection service. The phone (Sangoma S305) contacts the redirection service and then tries the HTTP provisioning URL specified in the Sangoma portal. The URL is:

http://my.domain.com:84

It contacts this URL but is rejected with an HTTP 401 Unauthorized error. In FreePBX > Admin > System Admin > Provisioning Protocols > HTTPS(s) Authentication is set to None. I’ve tried setting it to Both (or HTTP Only) but it reverts back to None when I Save. I presume this is because I have the free SysAdmin module and not Pro?

However, with it set to None, why does the client get prompted for username/password when it tries to authenticate? I tried via a browser and get the username/password prompt. I guess I’m missing some configuration somewhere but can’t see where. Any advice would be appreciated.

You need to have port 84 open

Yep it is, forwarded from public IP to FreePBX private IP. Not sure I’d see the 401 error if it wasn’t, would I?

What do you see in tftp logs?

I tried running command “tail -f /var/log/messages | grep in.tftpd” but nothing happens so either there are no logs or I’m looking in the wrong place.

In System Admin > Provisioning Protocols the TFTP Server is Disabled.

Export a PCAP from the phone, see if it actually tries asking for the cfg from the PBX.

Yes it does. There is an HTTP GET request made (for cfgMACADDR.xml) to the PBX which gets a reply from the PBX with 401 Unauthorized from server (from the header) “Apache/2.4.6 (Sangoma) OpenSSL/1.0.2k-fips PHP/5.6.36\r\n”.

What’s the provisioning string you have in the EPM template?

The Provisioning Address option is set to External which populates the textbox with the public IP address of the PBX. The template is setup for external extensions.

Try setting it to custom and enter my.domain.com:84

Changed it but no difference.

It seems from the PCAP on the phone that it contacts rs.sangoma.net for the config, which it gets successfully (which is shown by the Poll Count in portal.sangoma.com increasing each time), but then when it tries to contact the PBX via the URL provided it fails with the 401 Unauthorized error.

I seem to get the 401 error from the PBX (Apache server) but I can’t understand why the PBX is looking for authorisation when the option is turned off in the provisioning settings.

Are you using EPM? If so, do you have everything set up in there for this phone? If not, since it’s free for Sangoma phones, I’d start there.

EPM = EndPoint Manager?

Yes I am and have successfully setup a phone on the LAN using an internal template. Now trying to setup a remote extension using a second template for external phones.

This is weird. Perhaps it’s time to get Sangoma Support involved (since all of the parts are Sangoma parts). I’m going to guess that there’s a setting somewhere that’s not set up right, but I don’t use Sangoma phones or do remote provisioning, so I can’t really help you much from here.

Mmm, ok thanks for your help.

Are there no further troubleshooting steps to follow to identify the issue? Here are the Apache logs when the phone tries to get the config files:

164.xxx.xxx.171 - - [06/Sep/2018:22:02:24 +0100] "GET /cfg0300.xml HTTP/1.1" 401 381 "-" "Sangoma S300 2.0.4.36 00:50:58:50:3c:7c"
164.xxx.xxx.171 - - [06/Sep/2018:22:02:30 +0100] "GET /cfg005058503c7c.xml HTTP/1.1" 401 381 "-" "Sangoma S300 2.0.4.36 00:50:58:50:3c:7c"

I’ve since upgraded the phone firmware to 2.0.4.54 but still no luck.

That path doesn’t look right. IIRC, there should be a directory name on the front of that filename.

In a web browser try accessing http://my.domain.com:84/cfgYOURMACADDRESS.xml

When I try that the browser prompts for credentials. In this link (https://wiki.freepbx.org/display/PHON/Setup+phone+with+Redirection+Service) about two-thirds of the way down there is a graphic of the data flows which shows extension username/password being provided to obtain the full configuration. Trying to use the extension number and secret does not successfully authenticate.

When I try accessing the same URL on the LAN I also get prompted for credentials. However the phone on the LAN was provisioned by setting the provisioning URL to http://PBXLANIP:84 and it worked so not sure how that phone authenticates. I’ll try to get a packet trace from that phone when it provisions.

There’s something wrong with this statement. If you have the free version of Sysadmin, then the Provisioning Protocols page shouldn’t be present. Are you sure you have the free version?

Yes I’m sure.

I’ve just looked at the extension on the LAN and it also gets the 401 error when I try auto provisioning. Just to be sure I reset it to factory settings and when it tried to get the config from scratch it failed. When I set it up originally I only changed the Config Server Path on the phone’s web GUI and it pulled the config from the PBX. Now that fails so I had to config Account 1 to the extension settings.

In summary, the 401 error now prevents any phones retrieving their config whether on the LAN or remotely.
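
The Apache access-log lines quoted in the thread carry enough detail to tell "the phone sent no credentials" apart from "credentials were sent and rejected". As an added example (not part of the thread and not FreePBX or Sangoma code), this Python script classifies provisioning requests in a combined-format log; the sample lines, addresses and MACs are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in Apache combined log format, modelled on the two
# entries quoted in the thread (IP addresses and MACs are made up).
SAMPLE_LOG = '''\
198.51.100.7 - - [06/Sep/2018:22:02:24 +0100] "GET /cfg0300.xml HTTP/1.1" 401 381 "-" "Sangoma S300 2.0.4.36 00:50:58:00:00:01"
198.51.100.7 - - [06/Sep/2018:22:02:30 +0100] "GET /cfg005058000001.xml HTTP/1.1" 401 381 "-" "Sangoma S300 2.0.4.36 00:50:58:00:00:01"
192.0.2.10 - - [06/Sep/2018:22:05:11 +0100] "GET /cfg005058000002.xml HTTP/1.1" 200 5120 "-" "Sangoma S500 2.0.4.54 00:50:58:00:00:02"
203.0.113.9 - - [06/Sep/2018:22:06:40 +0100] "GET /cfg005058000001.xml HTTP/1.1" 401 381 "-" "curl/7.29.0"
192.0.2.10 - 1001 [06/Sep/2018:22:07:02 +0100] "GET /cfg005058000002.xml HTTP/1.1" 401 381 "-" "Sangoma S500 2.0.4.54 00:50:58:00:00:02"
'''

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "GET (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# User-Agent as seen in the thread: "Sangoma <model> <firmware> <MAC>"
UA_MAC_RE = re.compile(r'^Sangoma \S+ \S+ ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})$', re.I)
CFG_MAC_RE = re.compile(r'^/cfg([0-9a-f]{12})\.xml$', re.I)


def classify(line):
    """Label one access-log line, or return None if it is not a cfg request."""
    m = LINE_RE.match(line)
    if not m or not m["path"].lower().startswith("/cfg"):
        return None
    ua = UA_MAC_RE.match(m["ua"])
    cfg = CFG_MAC_RE.match(m["path"])
    ua_mac = ua.group(1).replace(":", "").lower() if ua else None
    # A per-MAC file requested by anything other than that phone deserves a look.
    if cfg and cfg.group(1).lower() != ua_mac:
        return "mac-mismatch"
    if m["status"] == "401":
        # The third field (%u) is "-" when no username was supplied at all;
        # a name there with 401 means a username was supplied but not accepted.
        return "401-no-credentials" if m["user"] == "-" else "401-bad-credentials"
    return "served" if m["status"] == "200" else "other-" + m["status"]


def summarize(log_text):
    """Count classifications across a whole log."""
    return Counter(c for c in map(classify, log_text.splitlines()) if c)


if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {label}")
```

Both log lines in the thread have `-` in the user field, which is the "401-no-credentials" case: Apache is demanding authentication and the phone is not offering any.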