You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@subversion.apache.org by Cesar Tominaga <ct...@gmail.com> on 2006/03/15 18:01:54 UTC
Authorization failed Apache SSPI
Hi guys,
Im using svn 1.3.0 + Apache 2.0.55 on a WindowsXP.
This is part of my httpd.conf file:
<Location /svn>
DAV svn
SVNListParentPath on
SVNParentPath "C:/Repo"
# authentication
AuthName "Subversion Authentication"
AuthType SSPI
SSPIAuth On
SSPIOmitDomain On
SSPIAuthoritative On
SSPIDomain <MyDomain>
SSPIOfferBasic On
Require valid-user
# authorization
AuthzSVNAccessFile "C:/Repo/authorization.conf"
</Location>
I have created some directories within the repository using tortoisesvn and
i can navigate thru them by internet explorer. When i try to connect to my
repository from a wsad 5.1 i get the following error in the wsad log:
list -r HEAD http://localhost:8080/svn/Repo/App/trunk/
Authorization failed
svn: PROPFIND request failed on '/svn/Repo/App/trunk'
svn: PROPFIND of '/svn/Repo/App/trunk': authorization failed (
http://localhost:8080)
and the following popup message:
Error validating location: "org.tigris.subversion.javahl.ClientException:
Authorization failed
svn: PROPFIND request failed on '/svn/Repo/App/trunk'
svn: PROPFIND of '/svn/Repo/App/trunk': authorization failed
(http://localhost:8080)
Anyone of you have experienced anything similar?
I dont know why can i connect usign a browser, but cant connect from wsad.
How do i have to configure the authorization file?, do i have to add the
domain to the users?
thanks,
best regards!
Re: Authorization failed Apache SSPI
Posted by Stefan Küng <to...@gmail.com>.
Cesar Tominaga wrote:
> Im using svn 1.3.0 + Apache 2.0.55 on a WindowsXP.
> This is part of my httpd.conf file:
> <Location /svn>
> DAV svn
> SVNListParentPath on
> SVNParentPath "C:/Repo"
>
> # authentication
> AuthName "Subversion Authentication"
> AuthType SSPI
> SSPIAuth On
> SSPIOmitDomain On
> SSPIAuthoritative On
> SSPIDomain <MyDomain>
> SSPIOfferBasic On
> Require valid-user
>
> # authorization
> AuthzSVNAccessFile "C:/Repo/authorization.conf"
> </Location>
>
> I have created some directories within the repository using tortoisesvn
> and i can navigate thru them by internet explorer. When i try to connect
> to my repository from a wsad 5.1 i get the following error in the wsad log:
> list -r HEAD http://localhost:8080/svn/Repo/App/trunk/
> Authorization failed
> svn: PROPFIND request failed on '/svn/Repo/App/trunk'
> svn: PROPFIND of '/svn/Repo/App/trunk': authorization failed (
> http://localhost:8080 <http://localhost:8080/>)
>
> and the following popup message:
> Error validating location: "org.tigris.subversion.javahl.ClientException:
> Authorization failed
> svn: PROPFIND request failed on '/svn/Repo/App/trunk'
> svn: PROPFIND of '/svn/Repo/App/trunk': authorization failed
> (http://localhost:8080 <http://localhost:8080/>)
>
> Anyone of you have experienced anything similar?
> I dont know why can i connect usign a browser, but cant connect from wsad.
> How do i have to configure the authorization file?, do i have to add the
> domain to the users?
My best guess is that you have the user "guest" activated on your domain
controller. I know sometimes that is required, but if you can, you
should deactivate that user.
The problem with the user guest is that the _authentication_ via SSPI
will succeed as user guest (windows always tries to authenticate with
user guest, even if your logged in as another user, and then falls back
to the logged in user), but then later the _authorization_ will fail,
because user 'guest' doesn't have permission to access your repository.
Not sure who of the Subversion devs knows neon well, but neon 0.26 has
the ability to disable SSPI authentication. I think a good solution to
these kinds of problem would be an option in the SERVERs file to disable
SSPI for certain servers. Because if user 'guest' can't be disabled on
the domain controller, disabling SSPI would make the above Apache
configuration fall back to basic authentication and make Subversion
clients connect to the repository successfully.
(That's also the reason why I disabled SSPI for TSVN 1.3.x).
Stefan
--
___
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.tigris.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org