>>But you ALWAYS have to do the SOAP method
Is it something from spec, or some experienced-based rule of thumb?
My understanding is a bit different (please refer to Microsoft Word - ONVIF_Core.doc):
- from 5.12.1 there is a clear statement: "A client should not simultaneously supply authentication credentials on both the HTTP level and the WS level. If a server receives a web service request that contains authentication credentials on both the HTTP level and the WS level, it shall first validate the credentials provided on the HTTP layer. If this validation was successful, the server shall finally validate the authentication credentials provided on the WS layer." So, is client supply both - server will validate both (btw, they may be different), but in typical case client should not do so.
- from 5.12.2.3 we can peek definition of access classes. comparing with 5.12.2.4, where default access policy defined, and 8.3.6 (description of GetSystemDateAndTime) command, we can deduce that camera should not ask for credentials if it is using default access policy.
why it may actually asks:
- somebody changed access policy, via web interface or via SetAccessPolicy command (see 8.4.2). you may try reset it via web interface.
- code misprint on camera side (btw, not an issue from ONVIF conformance procedure, as it does not checking access levels).
- code misprint on client side: I seen combinations of clients and servers where client were supplying malformed credentials (like <wsse:Security/> with empty content) and servers treat this not as "no credentials" but "wrong credentials" (even for commands that do not need authentication).