You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@subversion.apache.org by Cesar Tominaga <ct...@gmail.com> on 2006/03/15 18:01:54 UTC

Authorization failed Apache SSPI

Hi guys,
Im using svn 1.3.0 + Apache 2.0.55 on a WindowsXP.
This is part of my httpd.conf file:
<Location /svn>
    DAV svn
    SVNListParentPath on
    SVNParentPath "C:/Repo"

    # authentication
    AuthName "Subversion Authentication"
    AuthType SSPI
    SSPIAuth On
    SSPIOmitDomain On
    SSPIAuthoritative On
    SSPIDomain <MyDomain>
    SSPIOfferBasic On
    Require valid-user

    # authorization
    AuthzSVNAccessFile "C:/Repo/authorization.conf"
</Location>

I have created some directories within the repository using tortoisesvn and
i can navigate thru them by internet explorer. When i try to connect to my
repository from a wsad 5.1 i get the following error in the wsad log:
list -r HEAD http://localhost:8080/svn/Repo/App/trunk/
  Authorization failed
svn: PROPFIND request failed on '/svn/Repo/App/trunk'
svn: PROPFIND of '/svn/Repo/App/trunk': authorization failed (
http://localhost:8080)

and the following popup message:
Error validating location: "org.tigris.subversion.javahl.ClientException:
Authorization failed
svn: PROPFIND request failed on '/svn/Repo/App/trunk'
svn: PROPFIND of '/svn/Repo/App/trunk': authorization failed
(http://localhost:8080)

Anyone of you have experienced anything similar?
I dont know why can i connect usign a browser, but cant connect from wsad.
How do i have to configure the authorization file?, do i have to add the
domain to the users?

thanks,
best regards!

Re: Authorization failed Apache SSPI

Posted by Stefan Küng <to...@gmail.com>.

Cesar Tominaga wrote:
> Im using svn 1.3.0 + Apache 2.0.55 on a WindowsXP.
> This is part of my httpd.conf file:
> <Location /svn>
>     DAV svn
>     SVNListParentPath on
>     SVNParentPath "C:/Repo"
>    
>     # authentication
>     AuthName "Subversion Authentication"
>     AuthType SSPI
>     SSPIAuth On
>     SSPIOmitDomain On
>     SSPIAuthoritative On
>     SSPIDomain <MyDomain>
>     SSPIOfferBasic On
>     Require valid-user
>    
>     # authorization
>     AuthzSVNAccessFile "C:/Repo/authorization.conf"
> </Location>
> 
> I have created some directories within the repository using tortoisesvn 
> and i can navigate thru them by internet explorer. When i try to connect 
> to my repository from a wsad 5.1 i get the following error in the wsad log:
> list -r HEAD http://localhost:8080/svn/Repo/App/trunk/
>   Authorization failed
> svn: PROPFIND request failed on '/svn/Repo/App/trunk'
> svn: PROPFIND of '/svn/Repo/App/trunk': authorization failed ( 
> http://localhost:8080 <http://localhost:8080/>)
> 
> and the following popup message:
> Error validating location: "org.tigris.subversion.javahl.ClientException:
> Authorization failed
> svn: PROPFIND request failed on '/svn/Repo/App/trunk'
> svn: PROPFIND of '/svn/Repo/App/trunk': authorization failed
> (http://localhost:8080 <http://localhost:8080/>)
> 
> Anyone of you have experienced anything similar?
> I dont know why can i connect usign a browser, but cant connect from wsad.
> How do i have to configure the authorization file?, do i have to add the 
> domain to the users?

My best guess is that you have the user "guest" activated on your domain 
controller. I know sometimes that is required, but if you can, you 
should deactivate that user.
The problem with the user guest is that the _authentication_ via SSPI 
will succeed as user guest (windows always tries to authenticate with 
user guest, even if your logged in as another user, and then falls back 
to the logged in user), but then later the _authorization_ will fail, 
because user 'guest' doesn't have permission to access your repository.

Not sure who of the Subversion devs knows neon well, but neon 0.26 has 
the ability to disable SSPI authentication. I think a good solution to 
these kinds of problem would be an option in the SERVERs file to disable 
SSPI for certain servers. Because if user 'guest' can't be disabled on 
the domain controller, disabling SSPI would make the above Apache 
configuration fall back to basic authentication and make Subversion 
clients connect to the repository successfully.
(That's also the reason why I disabled SSPI for TSVN 1.3.x).

Stefan

-- 
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest Interface to (Sub)Version Control
    /_/   \_\     http://tortoisesvn.tigris.org

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org