May 21, 2012

How to enable Horde ActiveSync with Apache httpd, mod_fastcgi, and PHP 5.4

In order to have a groupware environment without being spied by intrusive cloud companies, I set up a self-hosted Horde Groupware. What I love about Horde, besides being open-source software and not requiring root access, is the support of ActiveSync. I have got two Android devices. Therefore, I have the need to synchronize contacts, calendars, tasks and mails. The actual Horde 4 is capable to synchronize everything but the emails. The upcoming Horde 5 will also synchronize emails. Meanwhile, I download the emails using IMAP.

The Problem

The configuration of ActiveSync for Horde is painless. What is problematic is the way that we adopt to serve PHP pages. ActiveSync works out of the box when using mod_fcgid. The problem with mod_fcgid is that, no matter how much we tune its configuration, we often encounter random HTTP 500 errors.

I serve Horde using mod_fastcgi and PHP-FPM. While the use of mod_fastcgi does not throw random HTTP 500 errors, ActiveSync may stop working. The problem is related to how the clients authenticate with the ActiveSync server. The Authorization headers are not correctly passed.

For example, TouchDown for Android may report the following:

ActiveSync: check your credentials
ActiveSync version check returned netagive, but still trying for 12.1

PHP-FPM seems not related to this problem. The problem persists when using mod_fastcgi and PHP in classic FastCGI mode.

Many workarounds exist and are posted around in the Net. The Horde Wiki page about ActiveSync adds many useful information. Unfortunately, they seem not to be enough for my case. Even after adding the mod_rewrite rules in .htaccess, the clients will complain about authentication problems. The FastCGI server already had the -pass-header Authorization flag enabled. Nothing worked.

In this post, I write about a dirty hack in order to make ActiveSync for Horde working again. If you don’t care about the story behind this fix, you can directly jump to the Complete Instructions


The research

I decided to debug the non-trivial Horde framework. After some learning about the architecture of the system, I discovered the file Horde/Rpc/ActiveSync.php. This is the class which is instantiated by Horde_Rpc::factory in rpc.php of the actual Horde Groupware installation.
At about line 180 of rpc.php we can find the public function authorize() method, responsible for the ActiveSync authentication. Quite at the beginning of the method, there is this snippet:

My suspects immediately went to PHP_AUTH_USER and PHP_AUTH_PW. Therefore, I Used Horde::debug() to print the $serverVars variable. This was the output, with some confidential values omitted:

As I suspected, PHP_AUTH_USER abd PHP_AUTH_PW were missing. Same old story, PHP as CGI has a lot of Authentication-related problems.

The problem for me was that ["Authorization"]=>string(38) "Basic <omitted>" was present, as Horde Wiki page promises, but ActiveSync was still not working.

The most common approach in these cases is to implement a ugly hack: to manually populate the variables $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'].
I found this very useful comment in the PHP documentation page for HTTP auth. The first part of the comment – the one related to .htaccess – was already implemented by following the Horde Wiki page. I implemented the second part – the PHP code – in Horde Groupware rpc.php file.

The Solution

At about line 87 of Horde Groupware rpc.php, find the snippet

And change it to:

That’s it. ActiveSync will begin to work.

Complete Instructions

The following are all the required steps in order to have Horde ActiveSync working with mod_fatcgi:

  1. Serve FastCGI with the -enable-header Authorization flag. The following is a non-exhaustive example of configuration: FastCgiExternalServer /php5.external -socket /your/path/to/php5-fpm.socket -pass-header Authorization -appConnTimeout 30 -idle-timeout 60
  2. Follow the Horde Wiki page about ActiveSync and create the following .htaccess for your Horde Groupware:
  3. Implement the dirty hack that I describe in the section The Solution.


In this post I described a method to make Horde ActiveSync capabilities working when served using mod_fastcgi. The issues I describe in this post are marked as old and fixed by the authors of Horde. For this reason, I report here my server configuration in the hope that this still happens only because of my particular infrastructure.
An HTTP request is received by a Nnginx server and forwarded to my Apache httpd 2.22.2 server. The mod_fastcgi module is the latest developed version and PHP is at version 5.4.3.

I hope that the instructions posted here may help who still encounters this problem.

written by dgraziotin

Dr. Daniel Graziotin received his PhD in computer science, software engineering at the Free University of Bozen-Bolzano, Italy. His research interests include human aspects in empirical software engineering with psychological measurements, Web engineering, and open science. He researches, publishes, and reviews for venues in software engineering, human-computer interaction, and psychology. Daniel is the founder of the psychoempirical software engineering discipline and guidelines. He is associate editor at the Journal of Open Research Software, academic editor at the Research Ideas and Outcomes (RIO) journal, and academic editor at the Open Communications in Computer Science journal. He is the local coordinator of the Italian Open science local group for the Open Knowledge Foundation. He is a member of ACM, SIGSOFT, and IEEE.

  • Jan Schneider May 21, 2012 Reply

    For the record: the Authorization header is already supported in the current Git code, i.e. in the next release of the Horde_Rpc package.

    • dgraziotin May 21, 2012 Reply

      I am happy to know that, Jan! Thank you for the report.

  • David Nov 28, 2012 Reply

    Thanks for sharing your experience. I managed to install the most recent horde, sync with Ical, but not with syncml or activesync and android so far.
    Now in which file do I need to change the -enable-header Authorization flag? Or I don’t have to do that at all as Jan Schneider mentionned?
    Thanks for clearing up.

    • dgraziotin Nov 29, 2012 Reply

      Are you already using Horde 5? There are also some Android devices that don’t work with Horde, unfortunately. By the way you can try my configuration and see if it helps.
      The mod_fastcgi config location depends on how you setup Apache.
      I am sharing here one of the configuration I am using, as a raw example. This snippet uses php-fpm but the configuration is almost the same. You would have this snippet inside /etc/apache2/sites-enabled/your-horde-website on Debian-based systems.

      There is a nice tutorial on mod_fastcgi here. Hope it helps!

  • seeyou-mobile Oct 5, 2015 Reply

    Everything is very open with a clear explanation of the challenges.
    It was definitely informative. Your site is useful.

    Thank you for sharing!

Leave a comment