Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Level 1

8 points

Recurring CalDAV login issues with iPhones and SLS (10.6 Server)

I have 10.6.4 Snow Leopard Server running on a Mac Mini and am having intermittent problems with various iPhones logging into CalDAV calendars. The iPhones are a 3G running iOS 3.1.3 and a 3GS running iOS 4.1.

iCal server works perfectly, with Push, on desktop clients.

The iPhones do work occasionally. Push is still not possible (AFAIK) but 15 minute fetch interval is acceptable for now (when is push coming to iPhones btw?). However, a few times per week, sometimes as many as 5 times in a single day, the iPhone will report "Password Incorrect." This happens on its on, presumably after one of the fetch intervals. Re-entering the password usually works, and is stored correctly for hours or days, but eventually it happens again. Sometimes password is accepted after re-entry but sync will silently stop working, which is even worse than the error popping up.

Each iPhone has 3 CalDAV accounts, one of which is a delegate, one of which is shared by all. The password issue happens with all of them, but far more often with the shared account. The password incorrect prompt does NOT always happen with all of them at once, sometimes just one of the accounts will throw the login error and the others will work for a while.

On the server, iCal has Authentication set to "any method", port 8008 and SSL on, Port 8443

The iPhones connect to CalDAV with SSL on port 8443 using "server" set to server.companyname.com

I have deleted the Calendar accounts on the phones repeatedly, hardware reset the phones, deleted all data and set up accounts again. This fixes the problem for a few days but then it comes back.

I don't see much in the iCal server logs, but I might not know what to look for. What should I look for or try next?

Thanks for any help.

Mac Mini 2Ghz Intel Core 2 Duo, 4GB RAM, Mac OS X (10.6.4)

Posted on Oct 13, 2010 12:58 PM

151 replies

Dec 9, 2010 7:01 AM in response to josephcorbett

Some may otherwise and advise a host of text editors, but if you're a noon and this is you're first shot at editing a plist the install the plist editor from the Xcode package. If you look on the osx server install disc you'll find something like other packages or installs. Install Xcode, will take a bit of space but when you're done search through the developer folder the instalation creates in the root of your drive, won't take long to find plist editor. Much easier for first time editing of plists, just remember you will need to changes some privileges on the files you are editing.

Good luck!

Dec 9, 2010 7:47 AM in response to thatwilson

Thanks so much I really appreciate it! Quick question... When I'm done make my changes is it part of best practices to change the permissions back to what they where before starting this process?

Dec 9, 2010 8:26 AM in response to josephcorbett

I would so be sure you know what they were!

apullen

Level 1

0 points

Dec 9, 2010 9:30 AM in response to josephcorbett

Here's a good step-by-step of what to do, without any Terminal kung-fu. Hope it helps!

1. Make sure the server only accepts encrypted (SSL) traffic by checking the box (if not already checked) in Server Admin->Open Directory->Settings->Policies->Binding->Encrypt all packets. This requires that your server use SSL authentication.
2. Mount the folder the plist file is in by clicking on Finder, the Go menu, then Go to Folder. Type in /etc/caldavd/ and click Go.
3. Copy the file from the original folder to the Desktop, just in case something goes wonky.
4. Open the plist file. You can download Xcode as thatwilson suggested, and TextEdit works fine too.
5. Edit the configuration settings for Basic and Digest. The section needing editing should look like this:

<key>Authentication</key>
<dict>
<key>Basic</key>
<dict>
<key>Enabled</key>
<true/>
</dict>
<key>Digest</key>
<dict>
<key>Algorithm</key>
<string>md5</string>
<key>Enabled</key>
<false/>

6. Save the file. Most likely, you'll not be able to write the file anywhere, since authentication for the file might be locked. When this happens, click the plist file and click File->Get Info. This should present you with a window where at the bottom you can edit authentication settings for the file. Click the little lock icon, enter your password, click the + button and add your user. If you end up not being able to write in the caldavd folder, Control+Click on the folder icon at the top of the Finder window and select the etc folder. When you do that it will take you to /etc/ where you'll be able to find the /etc/caldavd/ folder. Then you'll be able to do the same Get Info thing on the folder. Man, that looks confusing... I hope that makes sense.

Dec 9, 2010 9:46 AM in response to apullen

I'm incredibly grateful to you and the rest of the people on this thread for helping out. I'm going to implement this solution over the weekend. You all should have a warm an fuzzy feeling for taking the time to help out a guy that has to wear many hats in a small business and is therefore overextended and sometimes under qualified. Happy Holidays to you and yours! Will report back with the results.

apullen

Level 1

0 points

Dec 9, 2010 9:55 AM in response to josephcorbett

I understand... I'm there, too! Glad we could all help!

And I feel the same toward everyone... you guys are all more helpful than calling Apple Support (even though some of you may be Apple Support!). Anyway, thanks.

Dec 10, 2010 3:15 PM in response to apullen

Is there anywhere in one of the logs to verify that users are in fact using the basic authentication method and not something else? I'd like to check it every so often to be sure the plist has not changed back because I've changed something in the GUI or because SLS has a bunch of other bugs that I'm unaware of.

Dec 11, 2010 11:18 AM in response to e.f.

Same here for me:
iPads and iPhones had to login sometimes.
Setup Basic to true and Digest to false and until now no new password questions.

BTW. it is a shame how SLS and iOS collaborate - why does iOS still not supports push with SLS

That makes me very upset.

Bye,
eweri

Dec 11, 2010 3:17 PM in response to Christoph Ewering1

Quick update...

I made the changes to CalDAV 24hrs ago and everything is working perfectly... But only With CalDAV. This morning one of my users sent me a screen cap showing me a pop up for CardDAV requesting the password. Long story short I applied the same solution in the carddav plist and I'm hoping for the best, I don't see why it wouldn't work. I recommend doing the same even if you don't see the error because the bug may cause your devices and user data to get out of sync. Take my word for it manually adding Contact cards that aren't syncing is not fun.

Dec 15, 2010 11:28 AM in response to josephcorbett

The saga continues... The error cropped up and this time it wouldn't even take my password... I was actually watching the logs when this was happening and here is the difference between a failed attempt and a good attempt, note to allow myself to log in again I had to restart ical server... This bug me thinks is 100% server based. Not iOS.

98.218.234.65 - - [15/Dec/2010:13:57:28 -0400] "PROPFIND /calendars/ _uids_/64099FDF-4E48-4013-A33D-52A1D69DC6FC/ HTTP/1.1" 401 141 "-" "DAVKit/5.0 (767); iCalendar/5.0 (79); iPhone/4.2.1 8C148" i=8444 t=7.4 or=1

98.218.234.65 - joe [15/Dec/2010:14:01:02 -0400] "PROPFIND /calendars/ _uids_/64099FDF-4E48-4013-A33D-52A1D69DC6FC/ HTTP/1.1" 207 23443 "-" "DAVKit/5.0 (767); iCalendar/5.0 (79); iPhone/4.2.1 8C148" i=8444 t=180.0 or=2 responses=7

The most interesting difference is the lack of my user name in the failed attempt. - - vs - joe

Thoughts? Hosted exchange or Google Apps? 😟

wsanchez

Level 1

15 points

Dec 15, 2010 11:47 AM in response to josephcorbett

There is no failed attempt in these two requests. The first is response to an unauthenticated request which correctly asks for authentication (401) and the second is a successful (2xx) response.

A failed authentication will have your username in the line with the 401 response, and that would mean that your OD server said your password isn't valid. A hiccup in OD might cause this to happen spuriously, and a series of these means that your password is wrong or something is weird about your OD setup. But neither is suggested by these two log lines.

Dec 15, 2010 11:58 AM in response to wsanchez

I follow what you're saying and it makes sense. I was just pointing out that each time I typed my password into my iphone (correctly mind you) i would see the server log produce the first message. When I finaly restarted the calendar server I worked on the first try and produced the second message which is normal. WHy would there be a lack of a user name?

wsanchez

Level 1

15 points

Dec 15, 2010 12:07 PM in response to josephcorbett

The lack of username in the first request is part of the HTTP protocol; that's just how it works. It's how the server tells the client that it requires authentication. The client tries something without authentication ("no username") and then the server says it requires auth (status 401), and which types are supported (in headers), then the client repeats the request with auth info ("with username").

Xalio

Level 1

0 points

Dec 16, 2010 1:29 PM in response to e.f.

The authentification tip doesn't work for me.

In the first time my users didn't received anything and now it's more than before.

Long story short I restore my old .plist file and I looking for some other solution.

Mike JM

Level 1

0 points

Dec 20, 2010 9:39 PM in response to Xalio

Wsanchez, your fix here works perfectly. Running successfully now for two weeks without issue. Thank you!

Recurring CalDAV login issues with iPhones and SLS (10.6 Server)