# SIP/2.0 401 未授权：在多次身份验证尝试后对 INVITE 请求的响应

- **ID:** `communication/sip-401-unauthorized-credentials`
- **领域:** communication
- **类别:** auth_error
- **错误码:** `401`
- **验证级别:** ai_generated
- **修复率:** 82%

## 根因

SIP 服务器拒绝 INVITE 请求，因为客户端的摘要凭据（用户名/域/随机数）已过期或配置错误，通常是由于随机数过期或密码哈希错误。

## 版本兼容性

| 版本 | 状态 | 引入 | 弃用 |
|------|------|------|------|
| RFC 3261 | active | — | — |
| Asterisk 18.15.0 | active | — | — |
| FreeSWITCH 1.10.9 | active | — | — |
| Kamailio 5.6.0 | active | — | — |

## 解决方案

1. ```
   Regenerate the SIP digest credentials: update the password in the SIP server (e.g., Asterisk sip.conf) and reconfigure the client with the new secret. Use 'sip reload' in Asterisk to apply changes without restart.
   ```
2. ```
   Force a new nonce by restarting the SIP server process: 'systemctl restart asterisk' or 'sudo freeswitch -stop && sudo freeswitch -start' to clear stale nonce caches.
   ```
3. ```
   Verify the realm matches between client and server: ensure the 'realm' parameter in the client's authentication header matches the server's configured realm (e.g., 'asterisk' or 'sip.example.com').
   ```

## 无效尝试

- **** — Resetting the SIP client's registration timer may cause repeated re-registrations without fixing the underlying credential mismatch, leading to infinite loops. (65% 失败率)
- **** — Disabling authentication entirely (e.g., setting 'auth=no' in Asterisk) is a security risk and not supported in production environments where authentication is mandatory. (90% 失败率)
- **** — Updating the SIP server version without verifying credential compatibility may introduce new digest algorithms (e.g., SHA-256 vs MD5) that the client doesn't support. (70% 失败率)