[TSVN] ie + ssl + mod_auth_sspi on apache/win32

This comment is not TSVN-related but TSVN-documentation related ;-)

Your chapter 3 "Setting up A Server" is of great help for every
subversion admin. Some comments to the info box
"SSL and InternetExplorer" in chapter 3:

In chapter 3
http://tortoisesvn.tigris.org/docs/TortoiseSVN_en/ch03.html#tsvn-serversetup-apache-5

> If you're securing your server with SSL and use authentication
> against a windows domain you will encounter that browsing
> the repository with the Internet Explorer doesn't work anymore.

In the ssl "standard" setup there's often the following statement
in apache's virtual ssl host:

SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

There are (were?) good reasons for this configuration, see
 http://www.modssl.org/docs/2.8/ssl_faq.html#ToC49

But if you want ntlm authentication you have to use keepalive:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/qos_enablekeepalives.asp

If Apache denies keepalive the ntlm authentication will fail.

If I uncomment the whole "SetEnvIf" I can authenticate IE with windows
authentication over SSL against the apache on Win32 with included
mod_auth_sspi. (I tested with IE 6 SP1 and SP2)

I'm unsure if the other options "ssl-unclean-shutdown", "downgrade-1.0"
and "force-response-1.0" should stay.
Long ago there were problems with MSIE 4.0b2 ;-))
http://httpd.apache.org/docs-2.0/misc/known_client_problems.html

And I know:
There might be other reasons why ntlm authentication with IE fails ;-(

Markus

-- 
markus.schuh@sdm.de
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tortoisesvn.tigris.org
For additional commands, e-mail: dev-help@tortoisesvn.tigris.org