ONVIF Gurus: Is There a Valid Reason For GetSystemDate To Require Authentication?

I've been working on connecting to a few ONVIF cameras using netcat (don't ask why).

Not too many problems actually, but this one camera an Everfocus EAN-3220 model, is giving a SOAP Sender not authorized message right on the first GetSystemDateAndTime call. And therefore not returning a time for me to hash my nonces with. Even after resetting to defaults.

If I just ignore it...

* *** **** ** ***** **** *** ** *************** **** it's **, *** *'* ****** ** ********** **** *** ***** of *** ***** ********* **. **'* *** * **** *** either.

** ***** * ***** *** **** *** **** ********?

Login to read this IPVM discussion.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

...***** **'* **** ** **** *** ******* *** ****** ************* who ******** ** *** **** **** ****** ************ **** ********** via '*****' *****? ; )

* ***** *** **** ** ****** ** *********?!? *** ****'* ridiculous!

****, ** **** **** *** ******** **** **** ***** **** to *** *** ************* ******* ** ******* ******************* **** ******************* bit ******* ** ****.

***** **** ****'*, *** ** *****'* ******** ** ******.

**** *** *** **** **** ****'** ******* ** ******* ** internet ****** ****** ******* * ****** ** ******* ****** **** attempts ** ******* *** ******************** ****?

**, *** *** ***** **** ** ******* **** ***** *** it ***** ****.

*** ******** ****** **** ******* **** ** *** ****** ***** it **** ******* *** ****** ****. ** ******** **** ** fails, ** **** ** ********* * **** ****** ****** ***** it ******** *** ***** ***** ******** ***** *******. ** *** would ***** ** **** **** ** * ****** ** ****.

*** ***** ****'* ****** ** ***** ** ** **** * wouldn't **** * **** ***** ******* *** ****/**** ****** **** you **** ** ** *** ********** **** * ********* ****** together **** *** ******** ********, *** ** *** ********* ** the ********** ** *** ** **** **** * *******, *** camera **** ****** **.

*** ***** **'* ******** **'* **** **** ** ******* ** something. ****** *** *********!

* ***** * ******** ******* ********* **** ******* ******************** ****** are ******* ********* *** *** ******* *** ***** **** ******** functionality. ******* *** ********* ********** **** ******* **** **** ****** be * ************ *** **************. ********* ****** ******** ** ** Everfocus *** ********** ** *** ****** *** ****** **** ********** insight.

*'* *** ****. * *** ********* ** ********** ** ***** Device ******* *** *** ********* **** ** *********. ******* ** the ***** * *** **** ** ****** *** ******* ******* several ***** *** *** *** **** ***** * ***, ***** was **********.

*** ** **** ***** ** ** ******* ******* **** *************** and **** ****'* **** ****, *** **** ** **** **** from *****. ** * *** *** ****, *** *** ****** happy ***** ****** *** *** ** **** ****.

********* *** **** ***** ******** ******** **** ***** ****** *********. They ****** **** **** ******************* *** ****************** ***** *** ** true, ***** ***** **** ****** ****** ** *** ** *****. This ***** **** *** **** ** **** ****** *** ***** snapshot *** *******, **** ****** ** ******* *** **** ***. If *** ***'* *** *** * ***.

******************** ****** *** ******* ************** ** ***. *** ****://***.*********.***/*****/*****/********-***-**********************'*******.***

******.

******* **'* *** ***** *** ******, **** ***'* **** *** lock **** **** ******, ** * ** ******** ***** ***** was **** ******.

***, ** **** ******* ****-****** *** ************** (** *********** *** that ** *** **** *********)? ********** ******* ******** ** (****** ******* ******). ** **** **** ***** ***** module ** **** *** ** *** ******* (**: ****://***.***.*.***:**/***-***/*************.*** ** http://192.168.0.126:80/cgi-bin/eventOvf.cgi) - ** ***** **** ******* ** **** ********.

**, ***** **** ****** *** *** **** ****** **************. ***** than **** *** ***** **** ** **** *** *** **** digest ******* ***** ****** *** ********* ** *** ** *** httpd ***, ** ********* *** **** ** ** ****. *** you ****** **** ** ** *** **** ******, ** *** method ******** ****.

>>*** *** ****** **** ** ** *** **** ******

** ** ********* **** ****, ** **** ***********-***** **** ** thumb?

** ************* ** * *** ********* (****** ***** ** ****://***.*****.***/*****/****/*****-****-*************-****.***):

- **** *.**.* ***** ** * ***** *********: "* ******should *** ************** ****** authentication credentials on both the HTTP level and the WS level. If a server receives a web service request that contains authentication credentials on both the HTTP level and the WS level, it shall first validate the credentials provided on the HTTP layer. If this validation was successful, the server shall finally validate the authentication credentials provided on the WS layer." So, is client supply both - server will validate both (btw, they may be different), but in typical case client should not do so.

- **** *.**.*.* ** *** **** ********** ** ****** *******. comparing **** *.**.*.*, ***** ******* ****** ****** *******, *** *.*.* (description ** ********************) *******, ** *** ****** **** ****** ****** not *** *** ***********if ** ** ***** ******* ****** ******.

*** ** *** ******** ****:

- ******** ******* ****** ******, *** *** ********* ** *** SetAccessPolicy ******* (*** *.*.*). *** *** *** ***** ** *** web *********.

- **** ******** ** ****** **** (***, *** ** ***** from ***** *********** *********, ** ** **** *** ******** ****** levels).

- **** ******** ** ****** ****: * **** ************ ** clients *** ******* ***** ****** **** ********* ********* *********** (**** **** ***** *******) *** ******* ***** **** *** ** "no ***********" *** "***** ***********" (**** *** ******** **** ** not **** **************).

"* ****** ****** *** ************** ****** ************** *********** ** **** the **** ***** *** *** ** *****. ** * ****** receives * *** ******* ******* **** ******** ************** *********** ** both *** **** ***** *** *** ** *****, ** ***** first ******** *** *********** ******** ** *** **** *****. ** this ********** *** **********, *** ****** ***** ******* ******** *** authentication *********** ******** ** *** ** *****"

*** ** **** ****** * ****** ** **** ** **** a ********-** *** ** *** **** ****, ****** ***** **** a ****** ** **** **** ** **?

*** ***** ************** ** **** *** **** ****** *** **** WS-Security (***'* **** ***** ***** ** ****, ***** - **** try ********).

**, ** ****** ** ******* *** ** ******* **** (**** & ****) *** ******** **** ******** ************* - ** ** not **********.

***, ****** ***** ** ****://***.*****.***/*******/*/*********/*********/******/********************************.**.***, *.*.* - **** ** *** description ** ********* **** ** ***** **** **** ** **** with ****** ****** **** ********* (*** **** ********* **** - so ****** ******* ********** *********).

****** **** ***** **** ********** ********* ** *.* *** *.*. It **** **** ****** ******** *** *** ******* **** ***'* pass ***** *****. ***** ** ** *** ********** (**** ******** == ******** + ******** *******).

*** ***** ************** ** **** *** **** ****** *** **** WS-Security (***'* **** ***** ***** ** ****, ***** - **** try ********).

*** **** *** **** ** **** *** **************? *** *** saying **** *** ****** *** ** ******* ******* **-********? ** that *** ****** *****'* **** ** *** **?

******. ****** ****** *** **** *** ******. *** ** ****** wants ****-****** - **** **** **.

****** **** **** *.*.*. ** *****: *** ** ********** *** operation **** **** **********. ****** **** ***** ******:

******* ****** - ****** ** *** ***** *************

*** - ****** ****** ****-******

**** ***** - ****** ****** **-********

*** ** ****** ****** *** ****** **** - ****** *** deduce, **** **** ** ************* ** ****** *** *****.

**** ******** *********** (*** ****://***.*****.***/*******/*/*********/**/**************%********************-*.***, ******* *.*), ****** ****** ******* at ***** **-******** (*** ******* ****-******), *** ****** ****** ******* both - ** ****** ** ****** **** ****** ******.

*****, ****** ********* *** ****** *** **** *** *****, **'* helped.

****** ** ** ***** ********** ** **. ***?

******* ** *** ****** **** ******* **-******** *** *** ****** should *** ******* **** ******* (**** *** ****), **** * fail ** *** *** *** ****** ***** **** **** ** use **** ****** ** ***.

*** ** *** ****** *** ****** **** *** ***** *** client ** *** **** ******, ******'* ** ****** *** **** and ******* ***** ***** *** "*********" **-********?

*** *** *******!

*** *** ***** ** ****:

*** ****** **** ******* **-******** *** *** ****** **** ******* both. **** **** *** **** **** ****** *** **** ** particular ************* ** ***.

"****** *******" *** ****** **** **** ****** ****** ********** ****** that ****** **** *** *** **-******** ***/** ** ****** **** provide **-******** **** ****** ** ****. **** **** ********: ****** should ******* **-******** - *** * **** *** ****-******, ***** mean **** ** ****** **** *** ****-****** ***** ** * chance **** ****** **** ****** ** ***** ** ** *** the ***** *** ** ******* ****-******.

"****** *******" *** ****** **** **** ****** *** ****** ** it's *** ** *** ****-******, **-******** ** *******. *** ***** client ****** ****** ******'* ************ (*** *.*.*).

**********: ****** ******* != ****** ***

**. *** ** * ********* *****, ***** * **** **** the ****** **** ******* **** ****, *** *** *** ******* HTTP ******, *** *** **** *** **-******** ** ****** ********** and *********?

** *** ** ** "*** ****** **** ** *** **** Auth", * ***** **** **** ** *** *******, *** * would ****** ** **

"*** ****** **** ** ** **** ** *** **** ****."

*** ** ******, **** ** **** **** ****, *** ** reality * **** ***** *** **** ** *** *** ** the ***** *** **** ** ******** **** ** ** **** servers ** ********.

** ******, ***** ** ******* **** * ***'* ***, ******* not ********** ** *** ** ******.