
Re: TSVN & Apache & SSPI & SSL problems

From: Stefan Küng <tortoisesvn_at_gmail.com>
Date: Fri, 17 Oct 2008 20:07:15 +0200

Gillis, Paul wrote:

> I was mistakenly under the impression that I had to enable SSPI to
> use Windows domain authentication. It's just the way I read it in
> the manual. So if I understand correctly, mod_auth_sspi with AuthType
> SSPI would have tried to authenticate me without prompting for
> username and password again and with AuthType Basic it will instead
> always prompt me for a username and password. Is that right? What I
> want to avoid are anonymous commits by anybody. That's why I was
> trying to force SSPI.

You could also leave it as it is now. TSVN will first try SSPI, and if
that doesn't work it falls back to basic authentication with your
domain. From your last mail it seems that this works already.

>>> I now realize that https from the Subversion client also gives me
>>> a certificate error: "The certificate is not issued by a trusted
>>> authority. Use the fingerprint to validate the certificate
>>> manually!" I generated the certificate following the instructions
>>> in 3.1.7 of the manual. Are they incorrect or incomplete? What
>>> do I have to do to generate a trustworthy certificate that
>>> subversion and TSVN will accept?
>> You would have to buy a certificate from a trusted company, a
>> so-called "certificate authority":
>> http://support.microsoft.com/kb/931125
>
> It looks like I can choose to accept the untrusted certificate
> permanently and not be bothered by this. Or, if I disable SSPI, I
> should not see it at all.

That has nothing to do with SSPI. Well, at least not much :)
You would also get this dialog for 'normal' https connections where you
don't even have authentication set up. But since you're using http, it's
really SSPI which triggers this (at least I assume, I don't know how
your domain controller is set up).
And yes, you can permanently accept this certificate and then you won't
get bothered again.
Or, you could install your manually created certificate on all client
machines.

Stefan

-- 
       ___
  oo  // \\      "De Chelonian Mobile"
 (_,\/ \_/ \     TortoiseSVN
   \ \_/_\_/>    The coolest Interface to (Sub)Version Control
   /_/   \_\     http://tortoisesvn.net

Received on 2008-10-17 20:07:28 CEST
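
The manual fingerprint check mentioned in the thread, as an added example that is not part of the original mail or of TortoiseSVN: before accepting a self-signed certificate permanently, compare the fingerprint shown by the client with one computed from the server administrator's copy of the certificate. The function names and the sample PEM are hypothetical; the sample wraps constructed placeholder bytes, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}  # hex digits -> hash algorithm

def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate block in a PEM file."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def fingerprint(pem_text, algo="sha1"):
    """Hash the DER encoding and format it as colon-separated hex."""
    digest = hashlib.new(algo, pem_to_der(pem_text)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp):
    """Drop separators and case so 'AB:CD', 'ab cd' and 'abcd' are equal."""
    hexdigits = re.sub(r"[\s:]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]+", hexdigits):
        raise ValueError("fingerprint is not hexadecimal")
    return hexdigits

def fingerprint_matches(pem_text, shown_fp):
    """True only if the fingerprint shown by the client matches the file."""
    shown = normalize(shown_fp)
    algo = ALGO_BY_HEX_LEN.get(len(shown))
    if algo is None:
        raise ValueError("expected a SHA-1 or SHA-256 fingerprint")
    actual = normalize(fingerprint(pem_text, algo))
    return hmac.compare_digest(actual, shown)

# Constructed sample: placeholder bytes in a PEM wrapper, not a real cert.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed placeholder DER bytes").decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    shown = fingerprint(SAMPLE_PEM)  # stands in for the client's dialog text
    print(shown, fingerprint_matches(SAMPLE_PEM, shown))
```

Only accept the certificate permanently when the comparison returns True for a certificate file obtained from the server administrator through a separate channel.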

This is an archived mail posted to the TortoiseSVN Users mailing list.
