On 9/13/06, D.J. Heap <djheap@gmail.com> wrote:
[snip]
>
> 1.4.0 was built with a newer neon (0.26.1), but I don't know if SSPI
> support changed significantly in the new version. It looks like it
> has to be explicitly enabled outside of the normal Subversion build
> process and I doubt Brane did that with the 1.3.x releases, but I've
> asked him about it so hopefully he can comment if he's not too busy.
> I know the TSVN guys have played with SSPI quite a bit and disabled it
> (at least they did for a while) due to Guest account issues or
> something like that.
>
I believe I have narrowed the issue down to a change in neon 0.26 --
by default it no longer supports SSPI/Neogiate authentication over
http, only https. This change appears to be due to the potential
danger of doing SSPI/Negotiate over http -- from the neon comments:
/* NE_AUTH_NEGOTIATE: Negotiate uses GSSAPI/SSPI to authenticate the
* user; an active attacker can modify any of the request/response at
* will, so this must not be used over an unsecured channel. */
So, you can either use https or use binaries built with neon 0.25.5 or
wait for a Subversion release that allows authentication types to be
configurable (for which I've posted a patch that will hopefully be
committed soon).
DJ
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sat Sep 16 15:28:16 2006