"AH" == Alfred E Heggestad aeh@db.org writes:
AH> 1. Multiple SIP-servers are deployed for the same domain
AH> 2. The DNS is configured with SRV-records for load balancing, AH> example: (lets call the domain "example.com")
AH> 3. when a SIP client registers, it resolves the domain using RFC3263 [1] AH> and the first REGISTER request is sent to SIP-Server #1
AH> 4. SIP-server #1 replies with 401 containing the authentication challenge
AH> 5. The SIP Client adds the authentication header to the REGISTER AH> request and re-sends it, but this time also using RFC 3263, and due AH> to DNS rotation the request is sent to SIP-Server #2
AH> 6. Now, because the SIP-Servers are configured with _different_ AH> secrets in the "auth" module [2], the REGISTER request AH> fails with authentication error.
I don't see how that can ever work.
Every uac I've used took a single name/passwd tuple for a given target.
Does blink do something different? How can you specify that it should use different credentials depending on which srv target it happens to follow?
In every scenario I've looked at, all of the load-balanced backend servers have to have a shared credential store of some sort, such as a replicated sql or ldap cluster, to hold the users' creds, so the digest (in sip's case) should work on any backend server.
-JimC