Adrian Wilkins wrote:
> On 04/06/07, Rich <rich.littlejohn@gmail.com> wrote:
>> Hi,
>> Sorry to contact you off-list but I saw your post on the TortoiseSVN
>> list entitled "Transparent SSPI Auth works in 7501, broken in 8645"
>> I'm not
>> a subscriber so I can't reply on list but I ran into exactly the same
>> issue
>> today. After digging around for quite a while I found that the HTTP
>> library
>> that that use in TortoiseSVN (Neon) has disabled SSPI Authentication for
>> non-SSL connections - see here
>> (http://mailman.webdav.org/pipermail/neon/2006-December/002334.html)
>> for details. I've found that enabling SSL on
>> the server has got rid of those annoying logon prompts again.
>>
>
> That's a solution, but I don't fancy the tedium of getting all my
> users to change to https:// links or of setting up SSL on my apache
> install. It's an internal server and I really don't care too much
> about the insecure nature of NTLM over HTTP.
You're missing the point here.
NTLM requires SSL, if you like it or not. If you want automatic
negotiation (no username/pw prompt), then you need SSL - there's no way
around it.
SSPI means "Security Support Provider Interface". Notice the "Security"
in it.
> The trunk (1.5) has a new option for the servers file -
> http-auth-types , which allows you to control which auth types the
> Neon library uses on a per-server basis. That would be great for me
> but I can't really go to 1.5 yet because I'm working on projects that
> use 1.4 clients that have no 1.5 equivalent release yet. I had a look
> at the source and the devs have chosen not to backport this to the 1.4
> branch. The thread discussing this is
> http://svn.haxx.se/dev/archive-2006-10/0224.shtml - Joe Orton alludes
> to this in his post on the Neon list.
Choosing the auth types in 1.5 only means you can disabling some auth
mechanisms if you don't like/need them.
> On the whole, I'm not too bothered - my users are used to using their
> NTLM credentials over Basic. I have a feeling that some patch that IT
> Services have inflicted on us may have broken mod_sspi on the server
> anyway because TSVN build 7501 has stopped working for me. It's just
> that niggling little splinter in your mind when something doesn't
> work... :-)
>
> I don't know whether setting http-auth-types = negotiate will force
> the use of SSPI over plain HTTP though. It would be nice to find that
> out.
It can't. SSPI requires SSL.
Stefan
--
___
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.net
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tortoisesvn.tigris.org
For additional commands, e-mail: dev-help@tortoisesvn.tigris.org
Received on Tue Jun 5 17:33:56 2007