[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: TSVN & Apache & SSPI & SSL problems

From: Stefan Küng <tortoisesvn_at_gmail.com>
Date: Fri, 17 Oct 2008 19:25:21 +0200

Gillis, Paul wrote:
>> -----Original Message----- From: Stefan Küng
>> [mailto:tortoisesvn_at_gmail.com] Sent: Friday, October 17, 2008 11:32
>> AM To: users_at_tortoisesvn.tigris.org Subject: Re: TSVN & Apache &
>> SSPI & SSL problems
>>
>> Gillis, Paul wrote:
>>> Hi Stefan,
>>>
>>> Yes, my client is using the very latest versions of Subversion
>>> 1.5.3 and TSVN 1.5.4. I did not build it. I downloaded the
>>> binaries from tigris.org. The server is running 1.5.2. But I
>>> would not expect that to account for my TSVN issue since my svn
>>> 1.5.3 client can authenticate to the 1.5.2 server.
>>>
>>> Yes, I am trying this from the very same machine, my desktop
>>> computer.
>>>
>>> The $ at the end of my SVNParentPath directive is the
>>> nomenclature to denote a hidden Windows file share. I should
>>> note that I was able to open my repositories with TSVN perfectly
>>> fine prior to adding the directives to authenticate using the
>>> PDC. But we don't want to run anonymously.
>>>
>>> I am certain my computer is a member of our domain. It's required
>>> here.
>>>
>>> I was not expecting that I would have to enter my domain/username
>>> to authenticate with SSPIOmitDomain on. But it failed when I
>>> entered just my username so I gave it a try with domain and
>>> username and it worked. This is from my svn console window so it
>>> leads me to believe my problem is TSVN:
>>>
>>>> svn info http://vc-1/svn/myrepo
>>> Authentication realm: <http://vc-1:80> Subversion repositories
>>> Password for 'gillis_p': ******** Authentication realm:
>>> <http://vc-1:80> Subversion repositories Username:
>>> mydomain\gillis_p Password for ' mydomain\gillis_p': ********
>>> Path: myrepo URL: http://vc-1/svn/myrepo Repository Root:
>>> http://vc-1/svn/myrepo Repository UUID:
>>> be8097fc-3112-874e-b525-a36b8ade6167 Revision: 300 Node Kind:
>>> directory Last Changed Rev: 300 Last Changed Date: 2008-10-16
>>> 16:04:16 -0400 (Thu, 16 Oct 2008)
>>>
>>>
>>> Do you have any other suggestions? I'm stumped!
>> I see the problem now: The command line client doesn't compile SSPI
>> support, it relies on the fallback to basic authentication for SSPI
>> authentication. TSVN however supports SSPI authentication (i.e.,
>> you don't even have to enter username/password - the authentication
>> is done by the OS and your domain). But SSPI only works for https
>> connections, not http connections.
>
> Would you mind clarifying this so I understand better? Perhaps there
> are others who share my confusion and would benefit from an
> explanation.

There's a difference between SSPI and domain authentication. While both
are done with the mod_auth_sspi module, they're not the same.

Domain authentication simply uses the username/password of your domain
controller to authenticate users, but the authentication is done with
'basic auth', which means you're asked for your username and password.

SSPI authentication however uses your logon credentials. Since you're
already logged on to your domain, SSPI can authenticate you
automatically so you don't have to enter your username/password. Your
workstation and the domain controller do this for you.
But since such automatic authentication would be a security risk if done
over a non-secure channel, this is only enabled for https connections.

Now, usually if SSPI doesn't work, mod_auth_sspi falls back to basic
authentication, which means you're asked for username/password (but
still those from your windows logon). From your description I got that
this didn't work.

> The ONLY reason I enabled sspi is to be authenticate users with the
> domain controller so I don't have to maintain a password file. I
> don't care if the svn communication is encrypted. Section 3.1.7 in
> the TSVN manual tells me that sspi is the way to do this hence I
> cannot disable sspi authentication.

You can disable sspi authentication, just enable the 'basic'
authentication of the mod_auth_sspi module.

> I now realize that https from the Subversion client also gives me a
> certificate error: "The certificate is not issued by a trusted
> authority. Use the fingerprint to validate the certificate manually!"
> I generated the certificate following the instructions in 3.1.7 of
> the manual. Are they incorrect or incomplete? What do I have to do
> to generate a trustworthy certificate that subversion and TSVN will
> accept?

You would have to buy a certificate from a trusted company, a so called
"certificate authority":
http://support.microsoft.com/kb/931125

> Also... I found this strange... I can use TSVN to open my repository
> with http (versus https). But if I click on a folder to checkout,
> the OK button in the checkout dialog is not available. I've never
> seen this before and I assumed it was because I was not authenticated
> and my SSPIAuthoritative directive required it. Am I mistaken?

This was reported before, but unfortunately I can't reproduce it.
There's an easy workaround: just edit the 'checkout path' box (e.g.,
delete the last char, then add it again). This will trigger the dialog
verification and the the OK button will get enabled again.

But if this is the case, then your authentication with the domain
controller already works (basic authentication, not SSPI since you're
asked for username/password).

Stefan

-- 
       ___
  oo  // \\      "De Chelonian Mobile"
 (_,\/ \_/ \     TortoiseSVN
   \ \_/_\_/>    The coolest Interface to (Sub)Version Control
   /_/   \_\     http://tortoisesvn.net

Received on 2008-10-17 19:25:43 CEST

This is an archived mail posted to the TortoiseSVN Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.