
RE: Re: TSVN & Apache & SSPI & SSL problems

From: Gillis, Paul <pgillis_at_insight-tek.com>
Date: Fri, 17 Oct 2008 13:50:54 -0400

>-----Original Message-----
>From: Stefan Küng [mailto:tortoisesvn_at_gmail.com]
>Sent: Friday, October 17, 2008 1:25 PM
>To: users_at_tortoisesvn.tigris.org
>Subject: Re: TSVN & Apache & SSPI & SSL problems
>
>Gillis, Paul wrote:
>>> -----Original Message-----
>>> From: Stefan Küng [mailto:tortoisesvn_at_gmail.com]
>>> Sent: Friday, October 17, 2008 11:32 AM
>>> To: users_at_tortoisesvn.tigris.org
>>> Subject: Re: TSVN & Apache & SSPI & SSL problems
>>>
>>> Gillis, Paul wrote:
>>>> Hi Stefan,
>>>>
>>>> Yes, my client is using the very latest versions of Subversion
>>>> 1.5.3 and TSVN 1.5.4. I did not build it. I downloaded the
>>>> binaries from tigris.org. The server is running 1.5.2. But I
>>>> would not expect that to account for my TSVN issue since my svn
>>>> 1.5.3 client can authenticate to the 1.5.2 server.
>>>>
>>>> Yes, I am trying this from the very same machine, my desktop
>>>> computer.
>>>>
>>>> The $ at the end of my SVNParentPath directive is the
>>>> nomenclature to denote a hidden Windows file share. I should
>>>> note that I was able to open my repositories with TSVN perfectly
>>>> fine prior to adding the directives to authenticate using the
>>>> PDC. But we don't want to run anonymously.
>>>>
>>>> I am certain my computer is a member of our domain. It's required
>>>> here.
>>>>
>>>> I was not expecting that I would have to enter my domain/username
>>>> to authenticate with SSPIOmitDomain on. But it failed when I
>>>> entered just my username so I gave it a try with domain and
>>>> username and it worked. This is from my svn console window so it
>>>> leads me to believe my problem is TSVN:
>>>>
>>>>> svn info http://vc-1/svn/myrepo
>>>> Authentication realm: <http://vc-1:80> Subversion repositories
>>>> Password for 'gillis_p': ********
>>>> Authentication realm: <http://vc-1:80> Subversion repositories
>>>> Username: mydomain\gillis_p
>>>> Password for ' mydomain\gillis_p': ********
>>>> Path: myrepo
>>>> URL: http://vc-1/svn/myrepo
>>>> Repository Root: http://vc-1/svn/myrepo
>>>> Repository UUID: be8097fc-3112-874e-b525-a36b8ade6167
>>>> Revision: 300
>>>> Node Kind: directory
>>>> Last Changed Rev: 300
>>>> Last Changed Date: 2008-10-16 16:04:16 -0400 (Thu, 16 Oct 2008)
>>>>
>>>>
>>>> Do you have any other suggestions? I'm stumped!
>>> I see the problem now: The command line client doesn't compile SSPI
>>> support, it relies on the fallback to basic authentication for SSPI
>>> authentication. TSVN however supports SSPI authentication (i.e.,
>>> you don't even have to enter username/password - the authentication
>>> is done by the OS and your domain). But SSPI only works for https
>>> connections, not http connections.
>>
>> Would you mind clarifying this so I understand better? Perhaps there
>> are others who share my confusion and would benefit from an
>> explanation.
>
>There's a difference between SSPI and domain authentication. While both
>are done with the mod_auth_sspi module, they're not the same.
>
>Domain authentication simply uses the username/password of your domain
>controller to authenticate users, but the authentication is done with
>'basic auth', which means you're asked for your username and password.
>
>SSPI authentication however uses your logon credentials. Since you're
>already logged on to your domain, SSPI can authenticate you
>automatically so you don't have to enter your username/password. Your
>workstation and the domain controller do this for you.
>But since such automatic authentication would be a security risk if done
>over a non-secure channel, this is only enabled for https connections.
>
>Now, usually if SSPI doesn't work, mod_auth_sspi falls back to basic
>authentication, which means you're asked for username/password (but
>still those from your windows logon). From your description I got that
>this didn't work.
>
>> The ONLY reason I enabled sspi is to authenticate users with the
>> domain controller so I don't have to maintain a password file. I
>> don't care if the svn communication is encrypted. Section 3.1.7 in
>> the TSVN manual tells me that sspi is the way to do this hence I
>> cannot disable sspi authentication.
>
>You can disable sspi authentication, just enable the 'basic'
>authentication of the mod_auth_sspi module.

I was mistakenly under the impression that I had to enable SSPI to use Windows domain authentication. It's just the way I read it in the manual. So if I understand correctly, mod_auth_sspi with AuthType SSPI would have tried to authenticate me without prompting for username and password again and with AuthType Basic it will instead always prompt me for a username and password. Is that right? What I want to avoid are anonymous commits by anybody. That's why I was trying to force SSPI.

>
>> I now realize that https from the Subversion client also gives me a
>> certificate error: "The certificate is not issued by a trusted
>> authority. Use the fingerprint to validate the certificate manually!"
>> I generated the certificate following the instructions in 3.1.7 of
>> the manual. Are they incorrect or incomplete? What do I have to do
>> to generate a trustworthy certificate that subversion and TSVN will
>> accept?
>
>You would have to buy a certificate from a trusted company, a so called
>"certificate authority":
>http://support.microsoft.com/kb/931125

It looks like I can choose to accept the untrusted certificate permanently and not be bothered by this. Or, if I disable SSPI, I should not see it at all.

>
>> Also... I found this strange... I can use TSVN to open my repository
>> with http (versus https). But if I click on a folder to checkout,
>> the OK button in the checkout dialog is not available. I've never
>> seen this before and I assumed it was because I was not authenticated
>> and my SSPIAuthoritative directive required it. Am I mistaken?
>
>This was reported before, but unfortunately I can't reproduce it.
>There's an easy workaround: just edit the 'checkout path' box (e.g.,
>delete the last char, then add it again). This will trigger the dialog
>verification and the OK button will get enabled again.

Thank you. That worked!

>
>But if this is the case, then your authentication with the domain
>controller already works (basic authentication, not SSPI since you're
>asked for username/password).
>
>Stefan
>
>--
>        ___
>   oo  // \\      "De Chelonian Mobile"
>  (_,\/ \_/ \     TortoiseSVN
>    \ \_/_\_/>    The coolest Interface to (Sub)Version Control
>    /_/   \_\     http://tortoisesvn.net

This e-mail message and all attachments thereto may contain technical data that is subject to export control regulations, or confidential material, and is for the sole use of the intended recipients. Review, dissemination, or other use by anyone else is prohibited. If you are not an intended recipient, please contact the sender and delete all copies.
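The two mod_auth_sspi modes contrasted in the reply above, written out as Apache httpd configuration. This is an added example for this archive page; it is not configuration posted by either participant, nor the TortoiseSVN project's own, and the paths, hostnames and domain-controller name are placeholders. Both blocks verify credentials against the Windows domain controller, so neither needs a password file. The first block lets a client that speaks SSPI (TSVN over https) authenticate from its Windows logon without a prompt and offers a basic-auth prompt to clients that do not (svn.exe, or any client over plain http). The second block reads "enable the 'basic' authentication of the mod_auth_sspi module" as SSPIOfferBasic plus SSPIBasicPreferred (my interpretation of the reply, not a quote), which makes the password prompt the normal path. In either mode it is `Require valid-user` that refuses anonymous commits; the last block goes a step further than the thread and shows the common split where anonymous reads are allowed but every write needs a domain account.

```apache
# Variant A: SSPI first, basic-auth prompt as fallback.
# Placeholders: D:\SVN (repository parent), DC1 (domain controller).
<Location /svn>
  DAV svn
  SVNListParentPath on
  SVNParentPath "D:\SVN"

  AuthName "Subversion repositories"
  AuthType SSPI
  SSPIAuth On
  # mod_auth_sspi has the final say; a failed check is a hard 401, no other module can vouch
  SSPIAuthoritative On
  SSPIDomain DC1
  # strip the DOMAIN\ prefix so authz rules can use the bare account name
  SSPIOmitDomain On
  SSPIUsernameCase lower
  # clients without SSPI support fall back to a username/password prompt
  SSPIOfferBasic On
  # anyone who reaches this point without a verified domain account is refused
  Require valid-user
</Location>

# Variant B: always prompt, but the password is still checked by the domain controller.
<Location /svn-prompt>
  DAV svn
  SVNParentPath "D:\SVN"

  AuthName "Subversion repositories"
  AuthType SSPI
  SSPIAuth On
  SSPIAuthoritative On
  SSPIDomain DC1
  SSPIOmitDomain On
  SSPIUsernameCase lower
  SSPIOfferBasic On
  # prefer the basic-auth prompt even for clients that could do silent SSPI
  SSPIBasicPreferred On
  Require valid-user
</Location>

# Variant C: anonymous read-only, domain account required for anything that writes.
<Location /svn-public>
  DAV svn
  SVNParentPath "D:\SVN"

  AuthName "Subversion repositories"
  AuthType SSPI
  SSPIAuth On
  SSPIAuthoritative On
  SSPIDomain DC1
  SSPIOmitDomain On
  SSPIUsernameCase lower
  SSPIOfferBasic On
  # read-only WebDAV/SVN methods pass without credentials; everything else (commits) must authenticate
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    Require valid-user
  </LimitExcept>
</Location>
```

After editing httpd.conf, run `httpd.exe -t` from the Apache bin directory to syntax-check the file before restarting the service. Note that SSPIOfferBasic sends the domain password base64-encoded in the Authorization header, so Variant A's fallback and Variant B are only as private as the transport; that is the reason the reply above says silent SSPI is limited to https in TSVN, and the same consideration applies to the prompted path over plain http.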

Received on 2008-10-17 19:51:05 CEST

This is an archived mail posted to the TortoiseSVN Users mailing list.
