IPCamera - Forbidden: Check camera setup or has the camera activated the illegal login lock?

Hey @matt1,

I’ve been running your binding for many years now (since OH 2.3), thank you for doing what you do. My HikVision DVR just died so I replaced it (iDS-7208HUHI-M1 / S) and everything is working fine but I’m getting these errors non stop below.

I don’t have a “Disabling Illegal Login Lock” option on the DVR. The camera’s are hard wired to the DVR, so they don’t have that option either.

I didn’t change ANY of the camera THING settings either and its working just fine.

2024-02-08 07:55:01.437 [WARN ] [enhab.binding.ipcamera.internal.MyNettyAuthHandler] - 403 Forbidden: Check camera setup or has the camera activated the illegal login lock?
2024-02-08 07:55:05.475 [WARN ] [enhab.binding.ipcamera.internal.MyNettyAuthHandler] - 403 Forbidden: Check camera setup or has the camera activated the illegal login lock?
2024-02-08 07:55:05.895 [WARN ] [enhab.binding.ipcamera.internal.MyNettyAuthHandler] - 403 Forbidden: Check camera setup or has the camera activated the illegal login lock?
2024-02-08 07:55:09.417 [WARN ] [enhab.binding.ipcamera.internal.MyNettyAuthHandler] - 403 Forbidden: Check camera setup or has the camera activated the illegal login lock?
2024-02-08 07:55:13.272 [WARN ] [enhab.binding.ipcamera.internal.MyNettyAuthHandler] - 403 Forbidden: Check camera setup or has the camera activated the illegal login lock?
2024-02-08 07:55:13.696 [WARN ] [enhab.binding.ipcamera.internal.MyNettyAuthHandler] - 403 Forbidden: Check camera setup or has the camera activated the illegal login lock?

UID: ipcamera:hikvision:2df5aa8a86
label: CAM - Back Door
thingTypeUID: ipcamera:hikvision
configuration:
  mjpegOptions: -q:v 5 -r 2 -vf scale=640:-2 -update 1
  ipAddress: 192.168.0.11
  updateImageWhen: "0"
  gifPreroll: 0
  onvifPort: 81
  ffmpegLocation: /usr/bin/ffmpeg
  serverPort: 81
  ffmpegOutput: /var/lib/openhab/cameras/camera5/
  ipWhitelist: DISABLE
  mp4OutOptions: -c:v copy -c:a copy
  pollTime: 1000
  password: ABC123
  port: 81
  snapshotUrl: http://192.168.0.11:81/ISAPI/Streaming/channels/501/picture
  nvrChannel: 5
  snapshotOptions: -an -vsync vfr -q:v 2 -update 1
  ptzContinuous: false
  onvifMediaProfile: 0
  ffmpegInput: rtsp://192.168.0.11:554/ISAPI/Streaming/channels/501
  gifOutOptions: -r 2 -filter_complex
    scale=-2:360:flags=lanczos,setpts=0.5*PTS,split[o1][o2];[o1]palettegen[p];[o2]fifo[o3];[o3][p]paletteuse
  hlsOutOptions: -strict -2 -f lavfi -i aevalsrc=0 -acodec aac -vcodec copy
    -hls_flags delete_segments -hls_time 2 -hls_list_size 4
  username: openhab
channels:
  - id: startStream
    channelTypeUID: ipcamera:startStream
    label: Start HLS Stream
    description: Lower the delay to start casting the camera by creating the files
      non stop in case they are needed.
    configuration: {}
  - id: pollImage
    channelTypeUID: ipcamera:pollImage
    label: Poll Image
    description: This can be used to trigger snapshot updates when an external PIR,
      button or other form of sensor turns this channel ON.
    configuration: {}
  - id: image
    channelTypeUID: ipcamera:image
    label: Image
    description: Low frame rate image from your camera. Recommend this is NOT used
      unless you have large pollTime.
    configuration: {}
  - id: recordingGif
    channelTypeUID: ipcamera:recordingGif
    label: GIF Recording
    description: Indicates how long the recording will occur for and when the file
      is created, the channel will change to 0 by itself.
    configuration: {}
  - id: gifHistory
    channelTypeUID: ipcamera:gifHistory
    label: GIF History
    description: A history of the last GIFs created in a CSV formatted string.
    configuration: {}
  - id: gifHistoryLength
    channelTypeUID: ipcamera:gifHistoryLength
    label: GIF History Length
    description: How many GIFs are stored in the history.
    configuration: {}
  - id: recordingMp4
    channelTypeUID: ipcamera:recordingMp4
    label: MP4 Recording
    description: Indicates how long the recording will occur for and when the file
      is created, the channel will change to 0 by itself.
    configuration: {}
  - id: mp4History
    channelTypeUID: ipcamera:mp4History
    label: MP4 History
    description: A history of the last mp4 recordings created in a CSV formatted string.
    configuration: {}
  - id: mp4HistoryLength
    channelTypeUID: ipcamera:mp4HistoryLength
    label: MP4 History Length
    description: How many mp4 recordings are stored in the history.
    configuration: {}
  - id: lastMotionType
    channelTypeUID: ipcamera:lastMotionType
    label: Last Motion Type
    description: A string that contains the type of motion alarm that was last triggered.
    configuration: {}
  - id: ffmpegMotionControl
    channelTypeUID: ipcamera:ffmpegMotionControl
    label: Control FFmpeg Motion Alarm
    description: Enable/Disable the motion alarm and control the sensitivity.
    configuration: {}
  - id: ffmpegMotionAlarm
    channelTypeUID: ipcamera:ffmpegMotionAlarm
    label: FFmpeg Motion Alarm
    description: FFmpeg has detected motion.
    configuration: {}
  - id: enableMotionAlarm
    channelTypeUID: ipcamera:enableMotionAlarm
    label: Enable Motion Alarm
    description: By using this feature you can stop the camera from sending e-mails
      when you are actually home.
    configuration: {}
  - id: motionAlarm
    channelTypeUID: ipcamera:motionAlarm
    label: Motion Alarm
    description: Motion has been detected.
    configuration: {}
  - id: externalMotion
    channelTypeUID: ipcamera:externalMotion
    label: External Motion
    description: Use any external sensor like a ZWave PIR sensor to flag that the
      camera has motion in its field of view.
    configuration: {}
  - id: enablePirAlarm
    channelTypeUID: ipcamera:enablePirAlarm
    label: Enable PIR Alarm
    description: Enable/Disable the PIR Alarm.
    configuration: {}
  - id: pirAlarm
    channelTypeUID: ipcamera:pirAlarm
    label: PIR Alarm
    description: PIR motion has been detected.
    configuration: {}
  - id: enableLineCrossingAlarm
    channelTypeUID: ipcamera:enableLineCrossingAlarm
    label: Enable Line Crossing Alarm
    description: By using this feature you can stop the camera from sending e-mails
      when you are actually home.
    configuration: {}
  - id: lineCrossingAlarm
    channelTypeUID: ipcamera:lineCrossingAlarm
    label: Line Crossing Alarm
    description: Motion has been detected.
    configuration: {}
  - id: itemLeft
    channelTypeUID: ipcamera:itemLeft
    label: Item Left Alarm
    description: An item has been left.
    configuration: {}
  - id: itemTaken
    channelTypeUID: ipcamera:itemTaken
    label: Item Taken Alarm
    description: An item may have been stolen.
    configuration: {}
  - id: faceDetected
    channelTypeUID: ipcamera:faceDetected
    label: Face Detected Alarm
    description: A face has been detected.
    configuration: {}
  - id: enableFieldDetectionAlarm
    channelTypeUID: ipcamera:enableFieldDetectionAlarm
    label: Enable Field Alarm
    description: By using this feature you can stop the camera from sending e-mails
      when you are actually home.
    configuration: {}
  - id: fieldDetectionAlarm
    channelTypeUID: ipcamera:fieldDetectionAlarm
    label: Field Alarm
    description: Intrusion has detected movement. AKA Field Detection Alarm.
    configuration: {}
  - id: enableAudioAlarm
    channelTypeUID: ipcamera:enableAudioAlarm
    label: Enable Audio Alarm
    description: By using this feature you can stop the camera from sending e-mails
      when you are having a party.
    configuration: {}
  - id: audioAlarm
    channelTypeUID: ipcamera:audioAlarm
    label: Audio Alarm
    description: Audio has triggered an Alarm.
    configuration: {}
  - id: activateAlarmOutput
    channelTypeUID: ipcamera:activateAlarmOutput
    label: Alarm Output 1 ON/OFF
    description: You can use the cameras output to trigger a device like a burglar alarm.
    configuration: {}
  - id: enableExternalAlarmInput
    channelTypeUID: ipcamera:enableExternalAlarmInput
    label: Enable Alarm Input 1
    description: Turn the External Alarm Input feature on and off.
    configuration: {}
  - id: triggerExternalAlarmInput
    channelTypeUID: ipcamera:triggerExternalAlarmInput
    label: Alarm In 1 TRIGGER high ON/low OFF
    description: Change the External Alarm Input to trigger on high or low states.
    configuration: {}
  - id: externalAlarmInput
    channelTypeUID: ipcamera:externalAlarmInput
    label: Alarm Input 1
    description: Some cameras have alarm input wires which can be used to connect to
      door bells or external PIR sensors.
    configuration: {}
  - id: textOverlay
    channelTypeUID: ipcamera:textOverlay
    label: Text Overlay
    description: Enter some text you wish to overlay on top of the cameras snapshot
      and video streams.
    configuration: {}
  - id: pan
    channelTypeUID: ipcamera:pan
    label: Pan
    description: Pan the camera to a new position.
    configuration: {}
  - id: tilt
    channelTypeUID: ipcamera:tilt
    label: Tilt
    description: Tilt the camera to a new position.
    configuration: {}
  - id: zoom
    channelTypeUID: ipcamera:zoom
    label: Zoom
    description: Zoom the camera to a new value.
    configuration: {}
  - id: gotoPreset
    channelTypeUID: ipcamera:gotoPreset
    label: Go To Preset
    description: Move a P.T.Z camera to this ONVIF preset location.
    configuration: {}
  - id: mjpegUrl
    channelTypeUID: ipcamera:mjpegUrl
    label: MJPEG URL
    description: A link you can use in openHAB/HABpanel to fetch a MJPEG video feed
      from the camera.
    configuration: {}
  - id: rtspUrl
    channelTypeUID: ipcamera:rtspUrl
    label: RTSP URL
    description: A link that the camera uses for RTSP.
    configuration: {}
  - id: imageUrl
    channelTypeUID: ipcamera:imageUrl
    label: Image URL
    description: A link you can use to fetch a static image from the camera.
    configuration: {}
  - id: hlsUrl
    channelTypeUID: ipcamera:hlsUrl
    label: HLS URL
    description: A link you can use in openHAB to cast video feeds.
    configuration: {}

@matt1,

Here’s the TRACE. Shows 401 for each camera. Then it pulls the image fine after the 401s.

2024-02-08 08:55:42.513 [TRACE] [openhab.binding.ipcamera.internal.HikvisionHandler] - HTTP Result back from camera is 	:<!DOCTYPE html>
<head>
    <title>Unauthorized</title>
    <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon">
</head>
<body>
<h2>Access Error: 401 -- Unauthorized</h2>
<pre></pre>
</body>
</html>
:
2024-02-08 08:55:42.525 [TRACE] [openhab.binding.ipcamera.internal.HikvisionHandler] - HTTP Result back from camera is 	:<?xml version="1.0" encoding="UTF-8" ?>
<IOPortStatus version="1.0" xmlns="http://www.hikvision.com/ver20/XMLSchema">
<ioPortID>5</ioPortID>
<ioPortType>input</ioPortType>
<ioState>inactive</ioState>
</IOPortStatus>
:
2024-02-08 08:55:42.648 [WARN ] [enhab.binding.ipcamera.internal.MyNettyAuthHandler] - 403 Forbidden: Check camera setup or has the camera activated the illegal login lock?
2024-02-08 08:55:42.648 [TRACE] [openhab.binding.ipcamera.internal.HikvisionHandler] - HTTP Result back from camera is 	:<?xml version="1.0" encoding="UTF-8" ?>
<ResponseStatus version="1.0" xmlns="http://www.hikvision.com/ver20/XMLSchema">
<requestURL>/ISAPI/Event/notification/alertStream</requestURL>
<statusCode>4</statusCode>
<statusString>Invalid Operation</statusString>
<subStatusCode>invalidOperation</subStatusCode>
</ResponseStatus>
:
2024-02-08 08:55:42.796 [DEBUG] [ab.binding.ipcamera.internal.servlet.CameraServlet] - GET:/ipcamera.jpg, received from 192.168.0.129
2024-02-08 08:55:42.833 [DEBUG] [ab.binding.ipcamera.internal.servlet.CameraServlet] - GET:/ipcamera.jpg, received from 192.168.0.129

Best, Jay

Noticed this URL is invalid above in the HTML/XML.

Best, Jay

I made a bug fix for this situation recently in the last month, try updating to the jar found on my private server, or wait till the next milestone release. I posted a link and how to install it in another thread about reolink.

I believe it to be a bug in the firmware that I have put a work around in place for.

It occurs as your camera has no IO alarm features and is choosing to give 403 forbidden and 401 unauthorized as a response to a feature your camera does not have.

I believe there was a github issue that reported this and is now closed with the PR linked.

I tried running your 4.2 version (from your personal web site) on OH 4.1 but it didn’t fix it. It actually created a bunch of errors while OH was starting up. Either way, the 4.2 version didn’t fix it for HikVision NVR.

For now, I just put an exclude logging item for that error in the logger config for now.

LMK, if you want me to test something on OH 4.1 for HikVision NVR?

Best, Jay

I could be wrong but that Confif has not existed in a very long time. Please use the newer jar as it has a fix for same/similar issue. Delete and re-add the thing using the Same UID so all channels and items just link back up.

Create a new log output and I’LL take a look when I am in front of my PC. It’s hard to comment on errors you mention you got but did not post what they were.

The implemented fix was for a different URL, so it appears your camera is complaining about the API’s method of fetching alarms not the alarm input and output features.

There are two ways off the top of my head to get the stream and its possible the second way works for your camera, can you try the first one as we already know the second way is failing.

http://192.168.11.6/Event/notification/alertStream
vs
http://192.168.11.6/ISAPI/Event/notification/alertStream

HTTP error codes:
401 unauthorized
403 forbidden
404 - Not Found
501 - Not Implemented

Since you have given a valid user and password IMHO the correct http code would be a 404 or 501, but this does not matter if Hikvision does not agree its a bug…

Actually I remember that the ipcamera does list a required step to get the API working, see

Please read the required setup steps to enable the ISAPI and ONVIF features as they are disabled by default and require enabling. If you do not have them enabled, and have not created a user and pass for ONVIF then I would prehaps agree that 401 and 403 are correct replies as the user and pass are not valid for those features.

I can now confirm it, that serverPort is no longer anywhere in the binding and has not been for at least a year. Strangely mine also have it, so appears I need to do the same and delete and re-add them with the same UID. This will not have any effect on the issue your asking about, but can indicate the stored THING does not match the THING description that the binding uses, you may have issues that stem from this.

Lastly a work around if this does need changes to the code, would be to use ONVIF thing type as that would then use ONVIF and not the API based event stream, just not sure how that would work with multiple cameras behind the NVR. You can always use the pause button and setup a second new thing to try, but it would be best to work towards fixing this in case other people will hit the same issue.

Hey @matt1,

Here’s the changes and tests I did this morning on your posts.

Yes, removing the THINGS and recreating them got rid of the serverport XML tag but that didn’t fix the issue. I’m still getting the " . . . illegal login lock" in the log file.

I tried both of your URLs, neither worked and I put the user/pass into the URL also as a test, no go. BTW, I do have ISAPI and ONVIF enabled on the NVR by the check marks on each option.

http://192.168.0.11/Event/notification/alertStream - nothing
http://192.168.0.11/ISAPI/Event/notification/alertStream - nothing

This URL works which is only what I use the binding for, snapshot pics across each camera.

http://openhab:PASSWORD@192.168.0.11:81/ISAPI/Streaming/channels/701/picture

All this was tested above using the 4.1 binding.

Let me know when you have a new binding to resolve the issue and I’ll be glad to test it.

Thanks, Jay

You may be waiting a very long time then as I am not aware of a problem that needs fixing. It appears that your NVR does not support the two main end points for the event streams as you tested them and you did not see anything download or stream, your last post states this, that outside of the binding it does not work.

You need to contact Hikvision and ask them why, perhaps your model has a bug or it was never given these features. I do not know. I think your best bet is to look for a newer firmware as it is common for products to ship and sit in warehouses whilst new firmware is released fixing issues.

As mentioned, if the NVR does not support the API due to whatever reason, then I would recommend it’s better to set it up as ONVIF that way you get the alarm streams via the ONVIF methods. If you do not care about the events then you can even set it up manually as GENERIC and provide the urls yourself. The binding works the same way as you step back through the thing types, you only have to provide more config details when you do not have the API or ONVIF helping out providing easier setup.

My first thoughts are you have not turned on the API as asked in the bindings documentation, that would explain it as it comes disabled and you need to turn it on. I mentioned this again to help anyone that may be searching the forum using the log output. If it is missing then you need to check with hikvision sales if it has the API in it.

The previous bug that was fixed was similar, however it was only happening on API calls to a single IO alarm call and the alarm stream was working fine in their case. Yours is similar but not the same, so this may be something they have fixed in a firmware update.

Looks like we both missed the syntax on your 2 URL examples, I’m using port 81 as http not the default 80.

They both return data now.

http://192.168.0.11:81/Event/notification/alertStream = Access Error: 404 – Not Found

http://192.168.0.11:81/ISAPI/Event/notification/alertStream = prompts for user/pass then

<ResponseStatus xmlns="http://www.hikvision.com/ver20/XMLSchema" version="1.0">
<requestURL>/ISAPI/Event/notification/alertStream</requestURL>
<statusCode>4</statusCode>
<statusString>Invalid Operation</statusString>
<subStatusCode>invalidOperation</subStatusCode>
</ResponseStatus>

So I’m guessing the repetitive error in the logs is still valid?

2024-02-08 07:55:01.437 [WARN ] [enhab.binding.ipcamera.internal.MyNettyAuthHandler] - 403 Forbidden: Check camera setup or has the camera activated the illegal login lock?
2024-02-08 07:55:05.475 [WARN ] [enhab.binding.ipcamera.internal.MyNettyAuthHandler] - 403 Forbidden: Check camera setup or has the camera activated the illegal login lock?
2024-02-08 07:55:05.895 [WARN ] [enhab.binding.ipcamera.internal.MyNettyAuthHandler] - 403 Forbidden: Check camera setup or has the camera activated the illegal login lock?
2024-02-08 07:55:09.417 [WARN ] [enhab.binding.ipcamera.internal.MyNettyAuthHandler] - 403 Forbidden: Check camera setup or has the camera activated the illegal login lock?
2024-02-08 07:55:13.272 [WARN ] [enhab.binding.ipcamera.internal.MyNettyAuthHandler] - 403 Forbidden: Check camera setup or has the camera activated the illegal login lock?
2024-02-08 07:55:13.696 [WARN ] [enhab.binding.ipcamera.internal.MyNettyAuthHandler] - 403 Forbidden: Check camera setup or has the camera activated the illegal login lock?

Best, Jay

@matt1

For those folks having this issue, here’s how to ignore the error the binding throughs out above in the logs.

\userdata\etc\log4j2.xml

		<!-- Audit file appender -->
		<RollingRandomAccessFile fileName="${sys:openhab.logdir}/IPCAM.log" filePattern="${sys:openhab.logdir}/Archived/IPCAM.log.%i.log" immediateFlush="true" name="IPCAM">
			<PatternLayout Pattern="%d{yyyy-MM-dd HH:mm:ss.SSS} [%-5.5p] [%-50.50c] - %m%n"/>
			<RegexFilter onMatch="DENY" onMismatch="ACCEPT" regex=".*(illegal login lock).*"/>
			<Policies>
				<OnStartupTriggeringPolicy/>
				<SizeBasedTriggeringPolicy size="3 MB"/>
			</Policies>
			<DefaultRolloverStrategy max="7"/>
		</RollingRandomAccessFile>