Loading...
Loading...
Accessing a Redfish resource from a generic client and authentication is not provided on the original request (example, web browsers) the following error is returned and there are no automatic prompts for credentials. { "error": { "code": "Base.1.8.GeneralError", "message": "A general error has occurred. See ExtendedInfo for more information.", "@Message.ExtendedInfo": [ { "@odata.type": "#Message.v1_1_0.Message", "MessageId": "Base.1.8.AccessDenied", "Message": "The authentication credentials included with this request are missing or invalid.", "MessageArgs": [], "MessageArgs@odata.count": 0, "RelatedProperties":[], "RelatedProperties@odata.count": 0, "Severity": "Critical", "Resolution": "Attempt to ensure that the URI is correct and that the service has the appropriate credentials." } ] } }
New Behavior HTTPBasicAuth default value set to Unadvertised . If the initial HTTP request is sent without an authentication header the service does not advertise basic auth in the WWW-Authenticate response header. This prevents automatic prompts or access by generic clients (example, browsers). < HTTP/1.1 401 Unauthorized < Date: Mon, 09 Mar 2026 17:21:26 GMT < Server: Apache Legacy Behavior The HTTPBasicAuth default value set to Enabled . If the initial HTTP request is sent without an authentication header the service advertises basic auth in the WWW-Authenticate response header. This allows automatic prompts or access by generic clients (example, browsers). < HTTP/1.1 401 Unauthorized < Date: Mon, 09 Mar 2026 17:21:57 GMT < Server: Apache < WWW-Authenticate: Basic realm="RedfishService"
Starting in iDRAC9 7.30.10.50 (7.00.00.184 for 14G) and iDRAC10 1.30.10.50 HTTP basic auth default setting has changed to unadvertised (previous default setting Enabled). These changes were made to improve credential security and reduce unintended exposure of HTTP basic authentication in Redfish services. A new configurable control for HTTP basic authentication handling has been introduced in the Redfish AccountService, DMTF property name HTTPBasicAuth . This new property supports three possible values: Unadvertised (new default setting): - The service does not advertise basic in the WWW-Authenticate response header, this prevents automatic prompts or access by generic clients (example, browsers). Enabled : - HTTP basic authentication is enabled and explicitly advertised using the WWW-Authenticate: basic header on 401 unauthorized responses. Disabled : - HTTP basic authentication is completely disabled for the Redfish service, other methods such as X-auth token session (recommended) is required to perform Redfish operations. The HTTP basic auth settings can be configured from Redfish, Web UI, and RACADM iDRAC interfaces. Redfish: - PATCH DMTF property HTTPBasicAuth under AccountService - PATCH OEM attribute Redfish.BasicAuthState under DellAttributesRACADM:- Set OEM attribute iDRAC.Redfish.BasicAuthStateGUI:- iDRAC Settings -> Services -> Redfish -> HTTP Basic Authentication
Click on a version to see all relevant bugs
Dell Integration
Learn more about where this data comes from
BugZero Plan
Streamline upgrades with automated vendor bug scrubs
BugZero Prevent
Wish you caught this bug sooner? Get proactive today.