[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: On backporting r21531 to 1.4.x.

From: Samay <getafix123_at_hotmail.com>
Date: 2006-10-10 08:58:53 CEST

On 10/9/06, Stefan Küng <tortoisesvn@gmail.com> wrote:
[snip]
> > If you have the username and password it is pretty easy (in Windows,
> > anyway) to temporarily impersonate a user for SSPI auth.
>
> But then it's not SSPI authentication but basic authentication, isn't it?
>

No, if LogonUser/Impersonate worked then it would be as if you were
actually that user and should work with at least some SSPI scenarios.
I've done it before with NTLM/Domain auth and it works fine, but Samay
says it doesn't work in stricter Negotiate/Kerberos environments. I
don't really know much about those setups.

DJ

---------------------------------------------------------------------

AFAIK, thats correct. e.g. if mod_auth_kerb is setup with "KrbMethodK5Passwd
off and KrbMethodNegotiate on", and no impersonation is provided for unless
Neon is extended to include its own Kerberos (kinit etc) functions to fetch
KRB5 tkts for the UPN as provided in --username field and given password.

If browse it with Firefox (with negotiate authentication disabled), user
shall be greeted with "401: Authorization Required" page not a userID &
password popup.

regards

Samay

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue Oct 10 08:59:10 2006

This is an archived mail posted to the Subversion Dev mailing list.