SIP/2.0 401 未授权:在多次身份验证尝试后对 INVITE 请求的响应
SIP/2.0 401 Unauthorized on INVITE request after multiple authentication attempts
ID: communication/sip-401-unauthorized-credentials
版本兼容性
| 版本 | 状态 | 引入 | 弃用 | 备注 |
|---|---|---|---|---|
| RFC 3261 | active | — | — | — |
| Asterisk 18.15.0 | active | — | — | — |
| FreeSWITCH 1.10.9 | active | — | — | — |
| Kamailio 5.6.0 | active | — | — | — |
根因分析
SIP 服务器拒绝 INVITE 请求,因为客户端的摘要凭据(用户名/域/随机数)已过期或配置错误,通常是由于随机数过期或密码哈希错误。
English
SIP server rejects INVITE because the client's digest credentials (username/realm/nonce) are stale or misconfigured, often due to nonce expiration or incorrect password hash.
官方文档
https://wiki.asterisk.org/wiki/display/AST/SIP+Configuration解决方案
-
Regenerate the SIP digest credentials: update the password in the SIP server (e.g., Asterisk sip.conf) and reconfigure the client with the new secret. Use 'sip reload' in Asterisk to apply changes without restart.
-
Force a new nonce by restarting the SIP server process: 'systemctl restart asterisk' or 'sudo freeswitch -stop && sudo freeswitch -start' to clear stale nonce caches.
-
Verify the realm matches between client and server: ensure the 'realm' parameter in the client's authentication header matches the server's configured realm (e.g., 'asterisk' or 'sip.example.com').
无效尝试
常见但无效的做法:
-
65% 失败
Resetting the SIP client's registration timer may cause repeated re-registrations without fixing the underlying credential mismatch, leading to infinite loops.
-
90% 失败
Disabling authentication entirely (e.g., setting 'auth=no' in Asterisk) is a security risk and not supported in production environments where authentication is mandatory.
-
70% 失败
Updating the SIP server version without verifying credential compatibility may introduce new digest algorithms (e.g., SHA-256 vs MD5) that the client doesn't support.