11

I am running Apache 2.4 in Windows Server 2008 R2. I am attempting to password protect a subdirectory and successfully did so in Apache 2.0. After upgrading I took Apache's advice and am attempting to put the authentication config in httpd.config. I am allowing the reading of the password file and everything appears to be in order, but when I test it I get the following error:

[Mon Apr 01 19:58:36.438476 2013] [auth_basic:error] [pid 3984:tid 788] [client xxx.yyy.254.2:49253] AH01617: user master: authentication failure for "/restricted/file.zip": Password Mismatch

However, I know that I am sending the correct password. See below for my config, any comments are helpful.

<Directory "C:/www/mydir/restricted">
    #AllowOverride AuthConfig
    #Order allow,deny
    #Allow from all
    AuthType Basic
    AuthName Restricted
    AuthUserFile "C:/www/mydir/passwords/pass"
    Require valid-user
</Directory>  
<Directory "C:/www/mydir">
    Require all granted
</Directory>  
<VirtualHost *:80>
    ServerAdmin admin@.com
    DocumentRoot "C:/www/mydir"
    ServerName "fakeurl.com"
    ErrorLog "C:/www/mydir/logs/error.log"
    CustomLog "C:/www/mydir/logs/accesslog/access.log" common
</VirtualHost>  
<VirtualHost *:80>
    ServerAdmin admin@.com
    DocumentRoot "C:/www/mydir"
    ServerName "www.fakeurl.com"
    ErrorLog "C:/www/mydir/logs/error.log"
    CustomLog "C:/www/mydir/logs/accesslog/access.log" common
</VirtualHost>
RichieD
user1991179

4 Answers

26

I just had the same issue, was driving me nuts for the last hour. I can confirm that Steve's suggestion to enter the password in the command line works - so in my case "htpasswd -b passwordfile user password" did the trick.

Here is the relevant bug report at Apache.

Eddy
  • 2
    Instead of duplicating an answer, it would have been better to simply vote or comment on Steve's. – Nick M Jul 04 '14 at 02:09
  • 6
    @NickM I agree, a comment would have been more appropriate. Unfortunately I didn't have enough credit at the time to comment in StackOverflow and felt it would be good to add the actual command that worked for me and a link to the bug report. – Eddy Sep 20 '14 at 11:55
21

Did you create your password with 'htpasswd'?

htpasswd in httpd-2.4.4 is broken (https://issues.apache.org/bugzilla/show_bug.cgi?id=54735).

As I understand it, the problem is specific to htpasswd in httpd-2.4.4, and only occurs if you enter the password manually, so you can work around the issue by doing one of:

  • supply the password on the command line (e.g. "htpasswd -b .htpasswd user password");
  • use the version of htpasswd out of httpd-2.4.3;
  • use Digest Authentication instead of Basic Authentication (htdigest isn't affected);
  • wait until httpd-2.4.5 is released;
  • apply the patch in the bug report (which seems to work) and rebuild htpasswd from source.
Nick M
  • 3
    Thanks - this was driving me nuts for an hour. Simple regressions like this in such a mature application are just inexcusable. :-( – Andy Lee Robinson May 21 '13 at 08:40
  • It took me so long to think about googling this as a possible issue as my thoughts were the same as @AndyLeeRobinson that "Simple regressions like this in such a mature application are just inexcusable" – Nick M Jul 04 '14 at 02:08
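
A check for the failure discussed in the answer above, as an added example that is not part of the original posts: it recomputes the hash for one `user:hash` line of an AuthUserFile and reports whether the stored value corresponds to the password you intended. Only `$apr1$` (htpasswd's MD5 format) and `{SHA}` entries are handled; the function names and the sample entry are assumptions made for illustration.

```python
import base64, hashlib, hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    """crypt-style base64: emit the least-significant 6 bits first."""
    out = ""
    for _ in range(count):
        out, value = out + ITOA64[value & 0x3F], value >> 6
    return out

def apr1_hash(password: bytes, salt: bytes) -> str:
    """Apache's $apr1$ variant of MD5-crypt: 1000 rounds, salt of up to 8 characters."""
    md5 = lambda data: hashlib.md5(data).digest()
    salt, n = salt[:8], len(password)
    alt = md5(password + salt + password)
    ctx = password + b"$apr1$" + salt + (alt * (n // 16 + 1))[:n]
    while n:  # one byte per bit of the password length
        ctx += b"\x00" if n & 1 else password[:1]
        n >>= 1
    final = md5(ctx)
    for i in range(1000):
        first, last = (password, final) if i & 1 else (final, password)
        final = md5(first + (salt if i % 3 else b"") + (password if i % 7 else b"") + last)
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    body = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in order)
    return "$apr1$" + salt.decode() + "$" + body + _to64(final[11], 2)

def check_entry(line: str, password: str) -> str:
    """Return 'match', 'mismatch' or 'unsupported' for one 'user:hash' line."""
    stored = line.strip().partition(":")[2]
    if stored.startswith("$apr1$"):
        computed = apr1_hash(password.encode(), stored.split("$")[2].encode())
    elif stored.startswith("{SHA}"):
        computed = "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    else:
        return "unsupported"  # bcrypt ($2y$) and crypt() entries are not handled here
    return "match" if hmac.compare_digest(computed.encode(), stored.encode()) else "mismatch"

# Sample entry for user "myName" with password "myPassword" (sample input for this example).
SAMPLE_ENTRY = "myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/"

if __name__ == "__main__":  # usage: <script> <password-file> <user>
    import getpass, sys
    typed = getpass.getpass("Password to test: ")  # prompted, so it never appears in argv
    with open(sys.argv[1], encoding="utf-8") as fh:
        for line in fh:
            if line.startswith(sys.argv[2] + ":"):
                print(sys.argv[2], check_entry(line, typed))
```

A `mismatch` for an entry you have just created points at the password file itself rather than at the `<Directory>` block.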
0

If you are using Shibboleth, there is a conflict between mod_shib and basic authentication. You can solve it by using the following Apache directive:

ShibCompatValidUser On

For details, see Shibboleth on Apache 2.4 Using Mixed Authentication Methods

Ortomala Lokni
0

I have the same situation on Apache/2.4.6 (CentOS).

None of the above solved the problem. The path to htpasswd is correct from $_SERVER['DOCUMENT_ROOT'];

OK, maybe some will find it helpful. I solved it with: htpasswd -nb username newpassw > <path-to>/htpasswd

By the way, in Apache 2.4.6 on CentOS 7 the problem still exists.