There is a peculiar and confusing aspect to the documented significance of the "realm" argument to www_authorize(), and presumably proxy_authorize() as well. The documentation says that if this value is empty, the digest realm will be generated from the domain part of the To or From URI, whichever is applicable to the given situation (REGISTER vs. any other request). This is the way *_authorize() is invoked in most cases, and works fine. However, we recently ran into a situation where www_authorize() would always fail and claim that it could not find the user in 'subscriber' despite being provided correct username and domain, with the appropriate options -- return value -1. We were sending the public host IP as the domain of the To URI, using it as the realm, and setting it in the domain column of the 'subscriber' table. The problem was, the public IP of the host was not in /etc/hosts -- /etc/hosts consisted solely of: 127.0.0.1 localhost.localdomain localhost For some reason, it wasn't until I added the public IP into it that www_authorize() started working properly: 127.0.0.1 localhost.localdomain xxx.xxx.xxx.xxx public_host.domain.tld public_host I don't see anything different in the anatomy of the 401 Unauthorized challenges; the realm is still xxx.xxx.xxx.xxx in both cases. It just seems that unless Kamailio detects a DNS reverse alias for the domain, it won't properly authenticate requests. This aspect of the behaviour is not documented, and I am also confused as to why it happens this way. Any clarification would be appreciated. -- Alex Balashov - Principal Evariste Systems LLC 1170 Peachtree Street 12th Floor, Suite 1200 Atlanta, GA 30309 Tel: +1-678-954-0670 Fax: +1-404-961-1892 Web: http://www.evaristesys.com/