iDRAC HTTP basic authentication changes

Summary: Starting in iDRAC9 7.30.10.50 and iDRAC10 1.30.10.50 the HTTP basic authentication default setting has changed to unadvertised (previous default setting Enabled). These changes were made to improve credential security and reduce unintended exposure of HTTP basic authentication in Redfish services. ...


Symptoms

When a Redfish resource is accessed from a generic client (for example, a web browser) and authentication is not provided on the original request, the following error is returned and there is no automatic prompt for credentials.

{
    "error": {
        "code": "Base.1.8.GeneralError",
        "message": "A general error has occurred. See ExtendedInfo for more information.",
        "@Message.ExtendedInfo": [
            {
                "@odata.type": "#Message.v1_1_0.Message",
                "MessageId": "Base.1.8.AccessDenied",
                "Message": "The authentication credentials included with this request are missing or invalid.",
                "MessageArgs": [],
                "MessageArgs@odata.count": 0,
                "RelatedProperties": [],
                "RelatedProperties@odata.count": 0,
                "Severity": "Critical",
                "Resolution": "Attempt to ensure that the URI is correct and that the service has the appropriate credentials."
            }
        ]
    }
}

Cause

New Behavior 

The HTTPBasicAuth default value is set to Unadvertised. If the initial HTTP request is sent without an authentication header, the service does not advertise basic auth in the WWW-Authenticate response header. This prevents automatic prompts or access by generic clients (for example, browsers).

< HTTP/1.1 401 Unauthorized
< Date: Mon, 09 Mar 2026 17:21:26 GMT
< Server: Apache

 

Legacy Behavior 

The HTTPBasicAuth default value is set to Enabled. If the initial HTTP request is sent without an authentication header, the service advertises basic auth in the WWW-Authenticate response header. This allows automatic prompts or access by generic clients (for example, browsers).

< HTTP/1.1 401 Unauthorized
< Date: Mon, 09 Mar 2026 17:21:57 GMT
< Server: Apache
< WWW-Authenticate: Basic realm="RedfishService"

Resolution

Starting in iDRAC9 7.30.10.50 and iDRAC10 1.30.10.50, the HTTP basic auth default setting has changed to Unadvertised (the previous default setting was Enabled). These changes were made to improve credential security and reduce unintended exposure of HTTP basic authentication in Redfish services.

A new configurable control for HTTP basic authentication handling has been introduced in the Redfish AccountService, DMTF property name HTTPBasicAuth. This new property supports three possible values:

Unadvertised (new default setting):

-    The service does not advertise basic in the WWW-Authenticate response header. This prevents automatic prompts or access by generic clients (for example, browsers).

Enabled:

-    HTTP basic authentication is enabled and explicitly advertised using the WWW-Authenticate: Basic header on 401 Unauthorized responses.

Disabled:

-    HTTP basic authentication is completely disabled for the Redfish service. Other methods, such as an X-Auth token session (recommended), are required to perform Redfish operations.

 

The HTTP basic auth settings can be configured from Redfish, Web UI, and RACADM iDRAC interfaces. 

Redfish: 

-	PATCH DMTF property HTTPBasicAuth under AccountService
-	PATCH OEM attribute Redfish.BasicAuthState under DellAttributes

RACADM:

-	Set OEM attribute iDRAC.Redfish.BasicAuthState

GUI:

-	iDRAC Settings -> Services -> Redfish -> HTTP Basic Authentication 

Additional Information

When BasicAuthState is set to Unadvertised, clients must explicitly send authentication headers on the initial request. For example, the ansible.builtin.uri module must specify force_basic_auth: true in order to send a Basic authentication header on the first request.
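The difference between a challenge-driven client and one that sends credentials on the first request, as an added example that is not Dell's code. A local stub on 127.0.0.1 stands in for a service in the Unadvertised state; the stub's behaviour, response bodies and credentials are constructed assumptions modelled on the responses shown above.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

USER, PASSWORD = "example-user", "example-pass"  # constructed credentials
EXPECTED = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()

class UnadvertisedStub(BaseHTTPRequestHandler):
    """Local stand-in for the Unadvertised state (assumption, not iDRAC code)."""
    def do_GET(self):
        ok = self.headers.get("Authorization") == EXPECTED
        body = b'{"HTTPBasicAuth": "Unadvertised"}' if ok else b'{"error": {}}'
        self.send_response(200 if ok else 401)  # the 401 has no WWW-Authenticate
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

def fetch(url, preemptive):
    """Return (status, WWW-Authenticate value or None) for one GET."""
    request = urllib.request.Request(url)
    handlers = [urllib.request.ProxyHandler({})]  # ignore proxy environment
    if preemptive:
        request.add_header("Authorization", EXPECTED)  # sent on first request
    else:
        # Challenge-driven: credentials are sent only after a Basic challenge.
        mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
        mgr.add_password(None, url, USER, PASSWORD)
        handlers.append(urllib.request.HTTPBasicAuthHandler(mgr))
    try:
        with urllib.request.build_opener(*handlers).open(request, timeout=5) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("WWW-Authenticate")

def demo():
    with HTTPServer(("127.0.0.1", 0), UnadvertisedStub) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        url = f"http://127.0.0.1:{server.server_port}/redfish/v1/AccountService"
        results = fetch(url, preemptive=False), fetch(url, preemptive=True)
        server.shutdown()
    return results

if __name__ == "__main__":
    print(demo())
```

The challenge-driven client holds valid credentials but never sends them, because no Basic challenge arrives; this is the failure mode to look for in existing automation after the firmware update.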

Affected Products

iDRAC10 - 1.20.xx Series, iDRAC10 - 1.30.xx Series, iDRAC9 - 7.xx Series

Article Properties

Article Number: 000437501
Article Type: Solution
Last Modified: 22 Mar 2026
Version: 1