[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Authorization failed Apache SSPI

From: Stefan Küng <tortoisesvn_at_gmail.com>
Date: 2006-03-15 19:23:18 CET

Cesar Tominaga wrote:
> Im using svn 1.3.0 + Apache 2.0.55 on a WindowsXP.
> This is part of my httpd.conf file:
> <Location /svn>
> DAV svn
> SVNListParentPath on
> SVNParentPath "C:/Repo"
>
> # authentication
> AuthName "Subversion Authentication"
> AuthType SSPI
> SSPIAuth On
> SSPIOmitDomain On
> SSPIAuthoritative On
> SSPIDomain <MyDomain>
> SSPIOfferBasic On
> Require valid-user
>
> # authorization
> AuthzSVNAccessFile "C:/Repo/authorization.conf"
> </Location>
>
> I have created some directories within the repository using tortoisesvn
> and i can navigate thru them by internet explorer. When i try to connect
> to my repository from a wsad 5.1 i get the following error in the wsad log:
> list -r HEAD http://localhost:8080/svn/Repo/App/trunk/
> Authorization failed
> svn: PROPFIND request failed on '/svn/Repo/App/trunk'
> svn: PROPFIND of '/svn/Repo/App/trunk': authorization failed (
> http://localhost:8080 <http://localhost:8080/>)
>
> and the following popup message:
> Error validating location: "org.tigris.subversion.javahl.ClientException:
> Authorization failed
> svn: PROPFIND request failed on '/svn/Repo/App/trunk'
> svn: PROPFIND of '/svn/Repo/App/trunk': authorization failed
> (http://localhost:8080 <http://localhost:8080/>)
>
> Anyone of you have experienced anything similar?
> I dont know why can i connect usign a browser, but cant connect from wsad.
> How do i have to configure the authorization file?, do i have to add the
> domain to the users?

My best guess is that you have the user "guest" activated on your domain
controller. I know sometimes that is required, but if you can, you
should deactivate that user.
The problem with the user guest is that the _authentication_ via SSPI
will succeed as user guest (windows always tries to authenticate with
user guest, even if your logged in as another user, and then falls back
to the logged in user), but then later the _authorization_ will fail,
because user 'guest' doesn't have permission to access your repository.

Not sure who of the Subversion devs knows neon well, but neon 0.26 has
the ability to disable SSPI authentication. I think a good solution to
these kinds of problem would be an option in the SERVERs file to disable
SSPI for certain servers. Because if user 'guest' can't be disabled on
the domain controller, disabling SSPI would make the above Apache
configuration fall back to basic authentication and make Subversion
clients connect to the repository successfully.
(That's also the reason why I disabled SSPI for TSVN 1.3.x).

Stefan

-- 
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest Interface to (Sub)Version Control
    /_/   \_\     http://tortoisesvn.tigris.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Wed Mar 15 19:25:12 2006

This is an archived mail posted to the Subversion Dev mailing list.