You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@subversion.apache.org by Gert Kello <ge...@gmail.com> on 2013/06/19 09:48:35 UTC

Automatic windows authentication using serf/svn 1.8

Hi.

Our team is using subversion server hosted on windows machine by Apache and
https protocol and is using SSPI authentication. With svn 1.7 everything
works fine, including automatic authentication with currently logged in
windows user.

Today I upgraded to svn 1.8 and the automatic authentication does not work
anymore. If I set  http-library = serf then 1.7 client fails to perform
automatic authentication as well.

Is there some configuration setting I am missing or is it limitation of
serf library?

Gert

Re: Automatic windows authentication using serf/svn 1.8

Posted by Gert Kello <ge...@gmail.com>.
> Sorry, I did not mention it specifically:
> I can authenticate when I type in my domain user name/password when
> prompted. And, they are cached so they must be entered only once (per each
> domain password change I assume).
>
> But I would prefer if the authentication ticket is obtained from currently
> logged in windows user, not to type user name/password manually. That part
> is failing...

>> Apparently, if the server uses NTLM only, serf cannot authenticate
>> to it, while neon could. serf supports SPNego though:
>> http://en.wikipedia.org/wiki/SPNEGO
>>
>> Does this apply to your situation? Can you fix the problem by
>> changing the server's configuration?

Well, I have SSPIOfferBasic ON in apache config (for mod_auth_sspi),
so that's why authentication is working. If I set it to "off" then 1.8
client is not able to connect.

Gert

Re: Automatic windows authentication using serf/svn 1.8

Posted by Gert Kello <ge...@gmail.com>.
>> If I enable the ‘SSPIPackage Negotiate’ line (which I just added) then my
>> Subversion 1.8 clients appear to authenticate correctly, but my neon based
>> 1.7 clients fail with an even worse error that can’t be resolved by just
>> typing the password.
>>
>
> Seems like for me the SSPIPackage Negotiate is not working for 1.8
> client. Did not try with 1.7 client.

A status update:
I can successfully authenticate against the server when I use
"correct" name of server. i.e. I there are several name forms of
server I can use:
https:/svnserver/svn
https://svnserver.domain1.com/svn
https://svnserver.domain2.com/svn
https://10.xx.yy.zz/svn

When having SSPIPackage Negotiate, first two of name forms
(https:/svnserver/svn and https://svnserver.domain1.com/svn) do not
work, but last two ones work (https://svnserver.domain2.com/svn and
ip-based access). So there's something wrong with our network setup.
Server machine is joined to domain2.com, my machine and my user are in
domain1.com.

Svn 1.7 client works if serf http library is used, i.e.
svn list https://svnserver.domain2.com/svn --config-option
servers:global:http-library=serf

So I have almost working solution, after network problem is fixed. I
just have to persuade every team member either to upgrade or to change
their servers configuration file.

Gert

Re: Automatic windows authentication using serf/svn 1.8

Posted by Gert Kello <ge...@gmail.com>.
> If I enable the ‘SSPIPackage Negotiate’ line (which I just added) then my
> Subversion 1.8 clients appear to authenticate correctly, but my neon based
> 1.7 clients fail with an even worse error that can’t be resolved by just
> typing the password.
>

Seems like for me the SSPIPackage Negotiate is not working for 1.8
client. Did not try with 1.7 client.

Gert

RE: Automatic windows authentication using serf/svn 1.8

Posted by Bert Huijben <be...@qqmail.nl>.
                Hi,

 

I see the same problem on a setup which I setup years ago.

 

The configuration used for years is:

<Location /svn>

  AuthName "My Subversion Repositories"

  AuthType SSPI

 

  SSPIAuth On

  SSPIAuthoritative On

  SSPIDomain MyDomain

  SSPIOmitDomain On

  SSPIOfferBasic On

  SSPIUsernameCase lower

  #SSPIPackage Negotiate

 

  Require valid-user

  SSLRequireSSL

 

  DAV svn

  SVNListParentPath on

  SVNParentPath D:/Databases/Subversion/repos

  AuthzSVNAccessFile D:/Databases/Subversion/etc/subversion.xs

</Location>

 

If I enable the 'SSPIPackage Negotiate' line (which I just added) then my
Subversion 1.8 clients appear to authenticate correctly, but my neon based
1.7 clients fail with an even worse error that can't be resolved by just
typing the password.

 

                Bert

 

 

From: Gert Kello [mailto:gert.kello@gmail.com] 
Sent: woensdag 19 juni 2013 14:01
To: users@subversion.apache.org
Subject: Re: Automatic windows authentication using serf/svn 1.8

 

Sorry, I did not mention it specifically:

I can authenticate when I type in my domain user name/password when
prompted. And, they are cached so they must be entered only once (per each
domain password change I assume).

But I would prefer if the authentication ticket is obtained from currently
logged in windows user, not to type user name/password manually. That part
is failing...

 

Gert

 

On 19 June 2013 14:02, Stefan Sperling <stsp@elego.de <ma...@elego.de>
> wrote:

On Wed, Jun 19, 2013 at 10:48:35AM +0300, Gert Kello wrote:
> Hi.
>
> Our team is using subversion server hosted on windows machine by Apache
and
> https protocol and is using SSPI authentication. With svn 1.7 everything
> works fine, including automatic authentication with currently logged in
> windows user.
>
> Today I upgraded to svn 1.8 and the automatic authentication does not work
> anymore. If I set  http-library = serf then 1.7 client fails to perform
> automatic authentication as well.
>
> Is there some configuration setting I am missing or is it limitation of
> serf library?
>
> Gert

I don't know anything about Windows authentication, but I could
get some hints from Ivan Zhakov via IRC (he doesn't follow this
mailing list). Perhaps this information helps:

Apparently, if the server uses NTLM only, serf cannot authenticate
to it, while neon could. serf supports SPNego though:
http://en.wikipedia.org/wiki/SPNEGO

Does this apply to your situation? Can you fix the problem by
changing the server's configuration?

The 1.8 release notes currently do not document the issue with NTLM-only
servers. In my opinion they should mention it.

Re: Automatic windows authentication using serf/svn 1.8

Posted by Gert Kello <ge...@gmail.com>.
Sorry, I did not mention it specifically:
I can authenticate when I type in my domain user name/password when
prompted. And, they are cached so they must be entered only once (per each
domain password change I assume).

But I would prefer if the authentication ticket is obtained from currently
logged in windows user, not to type user name/password manually. That part
is failing...

Gert


On 19 June 2013 14:02, Stefan Sperling <st...@elego.de> wrote:

> On Wed, Jun 19, 2013 at 10:48:35AM +0300, Gert Kello wrote:
> > Hi.
> >
> > Our team is using subversion server hosted on windows machine by Apache
> and
> > https protocol and is using SSPI authentication. With svn 1.7 everything
> > works fine, including automatic authentication with currently logged in
> > windows user.
> >
> > Today I upgraded to svn 1.8 and the automatic authentication does not
> work
> > anymore. If I set  http-library = serf then 1.7 client fails to perform
> > automatic authentication as well.
> >
> > Is there some configuration setting I am missing or is it limitation of
> > serf library?
> >
> > Gert
>
> I don't know anything about Windows authentication, but I could
> get some hints from Ivan Zhakov via IRC (he doesn't follow this
> mailing list). Perhaps this information helps:
>
> Apparently, if the server uses NTLM only, serf cannot authenticate
> to it, while neon could. serf supports SPNego though:
> http://en.wikipedia.org/wiki/SPNEGO
>
> Does this apply to your situation? Can you fix the problem by
> changing the server's configuration?
>
> The 1.8 release notes currently do not document the issue with NTLM-only
> servers. In my opinion they should mention it.
>

Re: Automatic windows authentication using serf/svn 1.8

Posted by Stefan Sperling <st...@elego.de>.
On Wed, Jun 19, 2013 at 10:48:35AM +0300, Gert Kello wrote:
> Hi.
> 
> Our team is using subversion server hosted on windows machine by Apache and
> https protocol and is using SSPI authentication. With svn 1.7 everything
> works fine, including automatic authentication with currently logged in
> windows user.
> 
> Today I upgraded to svn 1.8 and the automatic authentication does not work
> anymore. If I set  http-library = serf then 1.7 client fails to perform
> automatic authentication as well.
> 
> Is there some configuration setting I am missing or is it limitation of
> serf library?
> 
> Gert

I don't know anything about Windows authentication, but I could
get some hints from Ivan Zhakov via IRC (he doesn't follow this
mailing list). Perhaps this information helps:

Apparently, if the server uses NTLM only, serf cannot authenticate
to it, while neon could. serf supports SPNego though:
http://en.wikipedia.org/wiki/SPNEGO

Does this apply to your situation? Can you fix the problem by
changing the server's configuration?

The 1.8 release notes currently do not document the issue with NTLM-only
servers. In my opinion they should mention it.