ONVIF Gurus: Is There a Valid Reason For GetSystemDate To Require Authentication?

I've been working on connecting to a few ONVIF cameras using netcat (don't ask why).

Not too many problems actually, but this one camera, an Everfocus EAN-3220 model, is giving a SOAP "Sender not authorized" message right on the first GetSystemDateAndTime call, and therefore not returning a time for me to hash my nonces with. Even after resetting to defaults.

If I just ignore it and md5 with my local time and do GetCapabilities then it's OK, but I'm trying to understand what the point of the first rejection is. It's not an HTTP 401 either.

Is there a valid use case for such behavior?
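
The client-side flow the question describes, as an added example that is not part of the original post: read the device clock from a GetSystemDateAndTime reply, fall back to local time when the reply is a SOAP fault, and build the WS-Security UsernameToken digest, Base64(SHA-1(nonce + created + password)) as defined in the OASIS UsernameToken Profile. The two sample replies are constructed and trimmed to the elements used, and the function names are assumptions.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"env": "http://www.w3.org/2003/05/soap-envelope",
      "tt": "http://www.onvif.org/ver10/schema"}
ENV = f'xmlns:env="{NS["env"]}" xmlns:tt="{NS["tt"]}"'

# Constructed sample replies (not captured from a real camera), trimmed.
TIME_REPLY = f"""<env:Envelope {ENV}><env:Body><tt:UTCDateTime>
  <tt:Time><tt:Hour>11</tt:Hour><tt:Minute>58</tt:Minute><tt:Second>30</tt:Second></tt:Time>
  <tt:Date><tt:Year>2015</tt:Year><tt:Month>6</tt:Month><tt:Day>1</tt:Day></tt:Date>
</tt:UTCDateTime></env:Body></env:Envelope>"""
FAULT_REPLY = f"""<env:Envelope {ENV}><env:Body><env:Fault>
  <env:Reason><env:Text xml:lang="en">Sender not authorized</env:Text></env:Reason>
</env:Fault></env:Body></env:Envelope>"""

FIELDS = ("tt:Date/tt:Year", "tt:Date/tt:Month", "tt:Date/tt:Day",
          "tt:Time/tt:Hour", "tt:Time/tt:Minute", "tt:Time/tt:Second")

def device_utc(soap_xml):
    """Return the device's UTC clock, or None if the reply is a SOAP fault."""
    root = ET.fromstring(soap_xml)
    utc = root.find(".//tt:UTCDateTime", NS)
    if root.find(".//env:Fault", NS) is not None or utc is None:
        return None
    parts = [int(utc.find(path, NS).text) for path in FIELDS]
    return datetime(*parts, tzinfo=timezone.utc)

def clock_offset(soap_xml, local_now):
    """Device time minus local time; zero when the device refuses to answer."""
    dev = device_utc(soap_xml)
    return dev - local_now if dev is not None else timedelta(0)

def username_token(password, nonce, local_now, offset):
    """Build the UsernameToken fields, with Created on the device's clock."""
    created = (local_now + offset).strftime("%Y-%m-%dT%H:%M:%SZ")
    # Digest input is the raw nonce bytes, then Created, then the password.
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return {"Nonce": base64.b64encode(nonce).decode(),
            "Created": created,
            "PasswordDigest": base64.b64encode(digest).decode()}
```

In real use the nonce comes from `os.urandom(16)`; it is a parameter here so the result is reproducible. With the fault reply the offset is zero, so the token only validates if the camera's clock is close to the client's.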


...***** **'* **** ** **** *** ******* *** ****** ************* who ******** ** *** **** **** ****** ************ **** ********** via '*****' *****? ; )

* ***** *** **** ** ****** ** *********?!? *** ****'* ridiculous!

****, ** **** **** *** ******** **** **** ***** **** to *** *** ************* ******* ** ******* ******************* **** ******************* bit ******* ** ****.

***** **** ****'*, *** ** *****'* ******** ** ******.

**** *** *** **** **** ****'** ******* ** ******* ** internet ****** ****** ******* * ****** ** ******* ****** **** attempts ** ******* *** ******************** ****?

**, *** *** ***** **** ** ******* **** ***** *** it ***** ****.

*** ******** ****** **** ******* **** ** *** ****** ***** it **** ******* *** ****** ****. ** ******** **** ** fails, ** **** ** ********* * **** ****** ****** ***** it ******** *** ***** ***** ******** ***** *******. ** *** would ***** ** **** **** ** * ****** ** ****.

*** ***** ****'* ****** ** ***** ** ** **** * wouldn't **** * **** ***** ******* *** ****/**** ****** **** you **** ** ** *** ********** **** * ********* ****** together **** *** ******** ********, *** ** *** ********* ** the ********** ** *** ** **** **** * *******, *** camera **** ****** **.

*** ***** **'* ******** **'* **** **** ** ******* ** something. ****** *** *********!

* ***** * ******** ******* ********* **** ******* ******************** ****** are ******* ********* *** *** ******* *** ***** **** ******** functionality. ******* *** ********* ********** **** ******* **** **** ****** be * ************ *** **************. ********* ****** ******** ** ** Everfocus *** ********** ** *** ****** *** ****** **** ********** insight.

*'* *** ****. * *** ********* ** ********** ** ***** Device ******* *** *** ********* **** ** *********. ******* ** the ***** * *** **** ** ****** *** ******* ******* several ***** *** *** *** **** ***** * ***, ***** was **********.

*** ** **** ***** ** ** ******* ******* **** *************** and **** ****'* **** ****, *** **** ** **** **** from *****. ** * *** *** ****, *** *** ****** happy ***** ****** *** *** ** **** ****.

********* *** **** ***** ******** ******** **** ***** ****** *********. They ****** **** **** ******************* *** ****************** ***** *** ** true, ***** ***** **** ****** ****** ** *** ** *****. This ***** **** *** **** ** **** ****** *** ***** snapshot *** *******, **** ****** ** ******* *** **** ***. If *** ***'* *** *** * ***.

******************** ****** *** ******* ************** ** ***. *** ****://***.*********.***/*****/*****/********-***-**********************'*******.***

******.

******* **'* *** ***** *** ******, **** ***'* **** *** lock **** **** ******, ** * ** ******** ***** ***** was **** ******.

***, ** **** ******* ****-****** *** ************** (** *********** *** that ** *** **** *********)? ********** ******* ******** ** (****** ******* ******). ** **** **** ***** ***** module ** **** *** ** *** ******* (**: ****://***.***.*.***:**/***-***/*************.*** ** http://192.168.0.126:80/cgi-bin/eventOvf.cgi) - ** ***** **** ******* ** **** ********.

**, ***** **** ****** *** *** **** ****** **************. ***** than **** *** ***** **** ** **** *** *** **** digest ******* ***** ****** *** ********* ** *** ** *** httpd ***, ** ********* *** **** ** ** ****. *** you ****** **** ** ** *** **** ******, ** *** method ******** ****.

>>*** *** ****** **** ** ** *** **** ******

** ** ********* **** ****, ** **** ***********-***** **** ** thumb?

** ************* ** * *** ********* (****** ***** ** ****://***.*****.***/*****/****/*****-****-*************-****.***):

- **** *.**.* ***** ** * ***** *********: "* ****** should *** ************** ****** authentication credentials on both the HTTP level and the WS level. If a server receives a web service request that contains authentication credentials on both the HTTP level and the WS level, it shall first validate the credentials provided on the HTTP layer. If this validation was successful, the server shall finally validate the authentication credentials provided on the WS layer." So, if the client supplies both, the server will validate both (btw, they may be different), but in the typical case the client should not do so.

- **** *.**.*.* ** *** **** ********** ** ****** *******. comparing **** *.**.*.*, ***** ******* ****** ****** *******, *** *.*.* (description ** ********************) *******, ** *** ****** **** ****** ****** not *** *** ***********if ** ** ***** ******* ****** ******.

*** ** *** ******** ****:

- ******** ******* ****** ******, *** *** ********* ** *** SetAccessPolicy ******* (*** *.*.*). *** *** *** ***** ** *** web *********.

- **** ******** ** ****** **** (***, *** ** ***** from ***** *********** *********, ** ** **** *** ******** ****** levels).

- **** ******** ** ****** ****: * **** ************ ** clients *** ******* ***** ****** **** ********* ********* *********** (**** **** ***** *******) *** ******* ***** **** *** ** "no ***********" *** "***** ***********" (**** *** ******** **** ** not **** **************).

"* ****** ****** *** ************** ****** ************** *********** ** **** the **** ***** *** *** ** *****. ** * ****** receives * *** ******* ******* **** ******** ************** *********** ** both *** **** ***** *** *** ** *****, ** ***** first ******** *** *********** ******** ** *** **** *****. ** this ********** *** **********, *** ****** ***** ******* ******** *** authentication *********** ******** ** *** ** *****"

*** ** **** ****** * ****** ** **** ** **** a ********-** *** ** *** **** ****, ****** ***** **** a ****** ** **** **** ** **?

*** ***** ************** ** **** *** **** ****** *** **** WS-Security (***'* **** ***** ***** ** ****, ***** - **** try ********).

**, ** ****** ** ******* *** ** ******* **** (**** & ****) *** ******** **** ******** ************* - ** ** not **********.

***, ****** ***** ** ****://***.*****.***/*******/*/*********/*********/******/********************************.**.***, *.*.* - **** ** *** description ** ********* **** ** ***** **** **** ** **** with ****** ****** **** ********* (*** **** ********* **** - so ****** ******* ********** *********).

****** **** ***** **** ********** ********* ** *.* *** *.*. It **** **** ****** ******** *** *** ******* **** ***'* pass ***** *****. ***** ** ** *** ********** (**** ******** == ******** + ******** *******).

*** ***** ************** ** **** *** **** ****** *** **** WS-Security (***'* **** ***** ***** ** ****, ***** - **** try ********).

*** **** *** **** ** **** *** **************? *** *** saying **** *** ****** *** ** ******* ******* **-********? ** that *** ****** *****'* **** ** *** **?

******. ****** ****** *** **** *** ******. *** ** ****** wants ****-****** - **** **** **.

****** **** **** *.*.*. ** *****: *** ** ********** *** operation **** **** **********. ****** **** ***** ******:

******* ****** - ****** ** *** ***** *************

*** - ****** ****** ****-******

**** ***** - ****** ****** **-********

*** ** ****** ****** *** ****** **** - ****** *** deduce, **** **** ** ************* ** ****** *** *****.

**** ******** *********** (*** ****://***.*****.***/*******/*/*********/**/**************%********************-*.***, ******* *.*), ****** ****** ******* at ***** **-******** (*** ******* ****-******), *** ****** ****** ******* both - ** ****** ** ****** **** ****** ******.

*****, ****** ********* *** ****** *** **** *** *****, **'* helped.

****** ** ** ***** ********** ** **. ***?

******* ** *** ****** **** ******* **-******** *** *** ****** should *** ******* **** ******* (**** *** ****), **** * fail ** *** *** *** ****** ***** **** **** ** use **** ****** ** ***.

*** ** *** ****** *** ****** **** *** ***** *** client ** *** **** ******, ******'* ** ****** *** **** and ******* ***** ***** *** "*********" **-********?

*** *** *******!

*** *** ***** ** ****:

*** ****** **** ******* **-******** *** *** ****** **** ******* both. **** **** *** **** **** ****** *** **** ** particular ************* ** ***.

"****** *******" *** ****** **** **** ****** ****** ********** ****** that ****** **** *** *** **-******** ***/** ** ****** **** provide **-******** **** ****** ** ****. **** **** ********: ****** should ******* **-******** - *** * **** *** ****-******, ***** mean **** ** ****** **** *** ****-****** ***** ** * chance **** ****** **** ****** ** ***** ** ** *** the ***** *** ** ******* ****-******.

"****** *******" *** ****** **** **** ****** *** ****** ** it's *** ** *** ****-******, **-******** ** *******. *** ***** client ****** ****** ******'* ************ (*** *.*.*).

**********: ****** ******* != ****** ***

**. *** ** * ********* *****, ***** * **** **** the ****** **** ******* **** ****, *** *** *** ******* HTTP ******, *** *** **** *** **-******** ** ****** ********** and *********?

** *** ** ** "*** ****** **** ** *** **** Auth", * ***** **** **** ** *** *******, *** * would ****** ** **

"*** ****** **** ** ** **** ** *** **** ****."

*** ** ******, **** ** **** **** ****, *** ** reality * **** ***** *** **** ** *** *** ** the ***** *** **** ** ******** **** ** ** **** servers ** ********.

** ******, ***** ** ******* **** * ***'* ***, ******* not ********** ** *** ** ******.