Apache 2.4 "..authentication failure..:Password Mismatch"

Question

I am running Apache 2.4 in Windows Server 2008 R2. I am attempting to password protect a subdirectory and successfully did so in Apache 2.0. After upgrading I took Apache's advice and am attempting to put the authentication config in httpd.config. I am allowing the reading of the password file and everything appears to be in order, but when I test it I get the following error:

[Mon Apr 01 19:58:36.438476 2013] [auth_basic:error] [pid 3984:tid 788] [client xxx.yyy.254.2:49253] AH01617: user master: authentication failure for "/restricted/file.zip": Password Mismatch

However, I know that I am sending the correct password. See below for my config, any comments are helpful.

<Directory "C:/www/mydir/restricted">
    #AllowOverride AuthConfig
    #Order allow,deny
    #Allow from all
    AuthType Basic
    AuthName Restricted
    AuthUserFile "C:/www/mydir/passwords/pass"
    Require valid-user
</Directory>  
<Directory "C:/www/mydir">
    Require all granted
</Directory>  
<VirtualHost *:80>
    ServerAdmin admin@.com
    DocumentRoot "C:/www/mydir"
    ServerName "fakeurl.com"
    ErrorLog "C:/www/mydir/logs/error.log"
    CustomLog "C:/www/mydir/logs/accesslog/access.log" common
</VirtualHost>  
<VirtualHost *:80>
    ServerAdmin admin@.com
    DocumentRoot "C:/www/mydir"
    ServerName "www.fakeurl.com"
    ErrorLog "C:/www/mydir/logs/error.log"
    CustomLog "C:/www/mydir/logs/accesslog/access.log" common
</VirtualHost>

Answer 1

I just had the same issue, was driving me nuts for the last hour. I can confirm that Steve's suggestion to enter the password in the command line works - so in my case "htpasswd -b passwordfile user password" did the trick.

Here is the relevant bug report at Apache.

Answer 2

Did you create your password with 'htpasswd'?

htpasswd in httpd-2.4.4 is broken (https://issues.apache.org/bugzilla/show_bug.cgi?id=54735).

As I understand it, the problem is specific to htpasswd in httpd-2.4.4, and only occurs if you enter the password manually, so you can work around the issue by doing one of:

• supply the password on the command line (e.g. "htpasswd -b .htpasswd user password");
• use the version of htpasswd out of httpd-2.4.3;
• use Digest Authentication instead of Basic Authentication (htdigest isn't affected);
• wait until httpd-2.4.5 is released;
• apply the patch in the bug report (which seems to work) and rebuild htpasswd from source.

Answer 3

If you are using Shibboleth, there is a conflict between mod_shib and basic authentication. You can solve it by using the following Apache directive:

ShibCompatValidUser On

For details, see Shibboleth on Apache 2.4 Using Mixed Authentication Methods