Desktop client doesn't work with external auth

Nextcloud version: 13.0 / Nextcloud-2.3.3-x86_64.AppImage
Operating system and version: CentOS 7
Apache or nginx version: httpd-2.4.6-67.el7.centos.6.x86_64
PHP version: rh-php71-php-fpm-7.1.8-1.el7.x86_64

The issue you are facing:

Is this the first time you’ve seen this error? Yes

Steps to replicate it:

I am on a fresh installation of NextCloud 13. I’m using FreeIPA for authentication through:

<LocationMatch "^/nextcloud/index.php/(login|apps/user_saml/saml/login)">
  AuthType GSSAPI
  AuthName "Kerberos Login"
  GssapiCredStore keytab:/etc/nextcloud.keytab
  GssapiBasicAuth On
  GssapiLocalName On
  require valid-user
</LocationMatch>

Web works correctly, but the desktop client doesn’t work; I can’t get it to work using an application password. If I curl the URL the desktop client uses:

$ curl https://nextcloud.h2.int.pdp7.net/nextcloud/remote.php/webdav/ -u alex -v
Enter host password for user 'alex':
[...]
* Server auth using Basic with user 'alex'
> GET /nextcloud/remote.php/webdav/ HTTP/1.1
> Host: nextcloud.h2.int.pdp7.net
> Authorization: Basic <base64crud>
[...]
< HTTP/1.1 401 Unauthorized
< Date: Wed, 14 Feb 2018 19:26:35 GMT
< Server: Apache/2.4.6 (CentOS)
< X-Powered-By: PHP/7.1.8
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Robots-Tag: none
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Content-Security-Policy: default-src 'none';
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="Nextcloud"
< Set-Cookie: ocml7o4fwaq9=9lt4e20rbjjc1e1nnho47rn0lj; path=/nextcloud; secure; HttpOnly
< Set-Cookie: oc_sessionPassphrase=NzS1f3mQT9CyDsRN9Ryrq1hjjkAoGHIEk0vj7ri%2BJf1W3bEHmM1ugl6ukdfCqvXGVR8gZUA5VCaERXCGBnC0SJLxkVkzq1rS4COmAbJObtiwqmJkim57THdH34SoQj%2B3; path=/nextcloud; secure; HttpOnly
< Set-Cookie: nc_sameSiteCookielax=true; path=/nextcloud; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
< Set-Cookie: nc_sameSiteCookiestrict=true; path=/nextcloud; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
< Transfer-Encoding: chunked
< Content-Type: application/xml; charset=utf-8
< 
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
  <s:message>No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured</s:message>
</d:error>
[...]

, which is weird to me because an Authorization header is being sent.

The output of your Nextcloud log in Admin > Logging: Doesn’t seem to show anything

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'passwordsalt' => '*',
  'secret' => '*',
  'trusted_domains' => 
  array (
    0 => 'localhost',
    1 => 'nextcloud.pdp7.net',
    2 => 'nextcloud.h2.int.pdp7.net',
  ),
  'datadirectory' => '/var/www/html/nextcloud/data',
  'overwrite.cli.url' => 'http://localhost',
  'dbtype' => 'mysql',
  'version' => '13.0.0.14',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'oc_alex',
  'dbpassword' => '*',
  'installed' => true,
  'instanceid' => '*',
);

The output of your Apache/nginx/system log in /var/log/____:

# tail -f /var/log/httpd/* /var/opt/rh/rh-php71/log/php-fpm/error.log
==> /var/log/httpd/non-default-ssl_access_ssl.log <==
10.42.42.236 - - [14/Feb/2018:19:33:13 +0000] "PROPFIND /nextcloud/remote.php/webdav/ HTTP/1.1" 401 414 "-" "Mozilla/5.0 (Linux) mirall/2.3.3 (build 1) (Nextcloud)"

Just for kicks, tried https://download.nextcloud.com/server/releases/nextcloud-12.0.5.zip and it seems to fail in the same manner.

Yes, this can’t work as the desktop client has no such authentication method. I saw the ownCloud team implement OAuth2 with client version 2.4.0 to take care of that. In this flow the authentication is redirected to the ownCloud server from which it is redirected to wherever you wanna authenticate from and then the client connection is solely in the hands of the server side …
As you write, app passwords are a less beautiful workaround till then.

But that doesn’t work for me. I’ve created an application password for the desktop app, but it doesn’t work; debugging with curl results in the No 'Authorization: Basic' header found message.

OK, my problem was that proxy_fcgi doesn’t pass the authentication header. I added this to my Apache configuration:

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

, following https://stackoverflow.com/a/17490827/26787
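Added example, not part of the original thread: a Python check that reads a `curl -v` transcript like the one in the first post and separates the case resolved above (the client sent `Authorization`, yet the application reports that none arrived) from a request that never carried credentials. The function name, verdict strings and sample transcript are constructed for illustration.

```python
import re

# Constructed sample modelled on the transcript in the thread (host and credentials replaced).
SAMPLE = """\
> GET /nextcloud/remote.php/webdav/ HTTP/1.1
> Host: cloud.example.test
> Authorization: Basic <redacted>
>
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Basic realm="Nextcloud"
<
<s:exception>Sabre\\DAV\\Exception\\NotAuthenticated</s:exception>
<s:message>No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured</s:message>
"""

def diagnose(transcript: str) -> str:
    """Classify a `curl -v` transcript of a WebDAV request (hypothetical helper)."""
    sent_scheme = None
    status = None
    for line in transcript.splitlines():
        # '>' lines are request headers as curl put them on the wire.
        m = re.match(r">\s*Authorization:\s*(\S+)", line, re.I)
        if m:
            sent_scheme = m.group(1).lower()
        # '<' lines are response headers; keep the last status line seen.
        m = re.match(r"<\s*HTTP/\d(?:\.\d)?\s+(\d{3})", line)
        if m:
            status = int(m.group(1))
    # The message the application returns when it saw no Authorization header.
    app_saw_no_header = re.search(r"No 'Authorization: \w+' header found", transcript)

    if status is None:
        return "no-response"
    if status != 401:
        return "not-an-auth-failure"
    if sent_scheme is None:
        return "client-sent-no-credentials"
    if app_saw_no_header:
        # Sent by the client, missing at the application: something between the
        # two dropped it (in this thread, the proxy_fcgi hop to PHP-FPM).
        return "header-dropped-before-app"
    # Any other 401: check the credentials or web-server-level auth instead.
    return "other-401"

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A `header-dropped-before-app` verdict points at the web server to PHP hand-off rather than at the password, which is the situation the `SetEnvIf` line above addresses.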