Re: http-auth-type negotiate broken after upgrade

From: Stefan Küng <tortoisesvn_at_gmail.com>
Date: Fri, 20 Jul 2012 20:50:20 +0200

On 20.07.2012 13:27, Graeme Hodgson wrote:
> From a customer:
>
> "I'm working on both the upgrade from 1.6 to 1.7 and passing through
> Windows credentials so our developers won't have to manually enter a
> username/password. On TortoiseSVN 1.6.16, I found the registry setting
> to enable negotiate as an http-auth-type even when connecting over
> unencrypted http (specifically, adding a group under
> HKCU\Software\Tigris.org\Subversion\servers and explicitly allowing
> negotiate for it). When I upgraded to Tortoise 1.7.4, however, this
> stopped working.
>
> Using WireShark, I saw that the initial response from the server would
> be exactly the same (401 Unauthorized), but where 1.6 would immediately
> send back an Authorization: Negotiate header, 1.7 never seems to try that
> method. Eventually, I found that I could work around this by specifying
> serf as the http-library, but I figured (1) we'd like to stay as close
> to stock TortoiseSVN as possible, for ease of maintenance, and (2) you
> probably want to fix the interaction with neon regardless.
>
> Both TortoiseSVN clients were standard downloads; the only special
> configuration (beyond the aforementioned server grouping) is to specify
> a different diff tool and some global ignores. I saw that both clients
> were using neon 0.29.6; 1.6 is using serf 0.7.2, while 1.7 is using serf
> 1.0.1. Any ideas what's going on there, or what it would take to fix it
> so we could use the default library?"
>
>
> Any ideas would be greatly appreciated.
> TIA.

neon does not allow SSPI authentication over unencrypted protocols. It
simply does not use that authentication if used over http, only if https
is used.
The reason is simple: doing that over http is a severe security risk,
and MS has disabled this a long time ago. You can work around the MS
restriction by having Apache connect to the domain controller over an
encrypted channel though, but that's not recommended (I guess that's
what they are doing).

The only way to really fix this is to use https instead of plain http.
Any other way would be a very bad hack, and that's why I won't mention
any of those.

Stefan

btw: your email signature is almost as long as the content of this mail.
Please turn off the legal disclaimer, because it's completely useless.
And then shorten the rest of your signature: it's enough to have a link
to the homepage. You can link to the other pages from your homepage. We
don't need a link list of all your pages in your emails.

As a rule of thumb: signatures should not exceed four lines.

> Regards,
>
> Graeme Hodgson
> Technical Support Engineer
> WANdisco plc.
> Office: +44.(0)114.303 9985 X733
> Cell: +44.(0).798.218.1852

Redirect your office line to your cell, then you don't have to mention
it here as well. Also: if you specify both, some people will always use
the cell number, and then when you're on your office line, your cell
rings. Very annoying.

> Fax: +1.866.247.7584

Do people really still use fax machines? If they do, send them a
postcard with that number on it: they most likely don't know what email
and the internet is, so you can omit that number from your signature as
well.

>
> http://www.wandisco.com

that's ok.

> uberSVN: Subversion Made Easy
> http://www.uberSVN.com

that's on your homepage. No need to add this here.

>
> Everything you need to deploy Subversion in the Enterprise
> http://www.wandisco.com/subversion

Really? A subpage of your homepage you linked from above? Do you really
think that people won't find that page from the front page?
If you say yes, then that means you have to redesign your homepage, not
include that in your signature.

>
> Subversion community
> http://www.svnforum.org

Again, linked from the homepage.

>
> Read our blogs
> http://blogs.wandisco.com/

this as well.

>
> Follow us on Twitter
> http://www.twitter.com/wandisco

and again: put it on your homepage. That's what a homepage is for, not
an email, and especially not one you send to our mailing list.

> THIS MESSAGE AND ANY ATTACHMENTS ARE CONFIDENTIAL, PROPRIETARY, AND
> MAY BE PRIVILEGED. If this message was misdirected, WANdisco plc
> and its subsidiaries, ("WANdisco") does not waive any confidentiality
> or privilege. If you are not the intended recipient, please notify us

Sorry, no can do.
What's sent to my inbox is per definition (and also by law in our
country) mine and I can do with it as I please.
Adding some legal nonsense won't help.

> immediately and destroy the message without disclosing its contents to

Yep. I'm sure that if any message really would contain something secret
or interesting, anyone who receives it will do that.
If you find your very secret message posted all over the internet, I'm
sure it can't be because someone didn't follow that order.

> anyone. Any distribution, use or copying of this e-mail or the
> information it contains by other than an intended recipient is
> unauthorized. The views and opinions expressed in this e-mail message

But since when do we need authorization?

> are the author's own and may not reflect the views and opinions of
> WANdisco, unless the author is authorized by WANdisco to express such

Doesn't really tell us anything.

> views or opinions on its behalf. All email sent to or from this
> address is subject to electronic storage and review by WANdisco.

Now that however could be a problem: with this you're violating laws in
a lot of countries. Reading other people's emails (if they weren't sent
to you) is illegal in my country and all countries that surround us.

> Although WANdisco operates anti-virus programs, it does not accept
> responsibility for any damage whatsoever caused by viruses being
> passed.

And that's just nonsense. If a court tells you that you're responsible
then it doesn't matter whether you accept it or not.
You see: the whole legalese mumbo jumbo here is completely irrelevant
and just annoying.
Tell Richard and your IT staff to have this nonsense removed.

Stefan

-- 
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest Interface to (Sub)Version Control
    /_/   \_\     http://tortoisesvn.net
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2991995
Received on 2012-07-20 20:50:37 CEST

This is an archived mail posted to the TortoiseSVN Users mailing list.
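
Added example (not part of the original mail and not TortoiseSVN or Subversion code): a small audit that finds repository URLs still using plain http while Negotiate is enabled for their host in a Subversion "servers" file, which is the setup the reply says should be moved to https. The sample file, host names and function names are constructed for illustration; the sketch assumes semicolon-separated http-auth-types values and that the first matching group applies.

```python
import configparser
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample of a Subversion "servers" file (not taken from the thread).
SAMPLE_SERVERS = """
[groups]
intranet = svn.corp.example, *.dev.example

[intranet]
http-auth-types = basic;negotiate
http-library = serf

[global]
http-auth-types = basic;digest
"""

def effective_options(servers_text, host):
    """Options for host: [global] overlaid by the first matching group (assumption)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep group names exactly as written
    cp.read_string(servers_text)
    opts = dict(cp["global"]) if cp.has_section("global") else {}
    if cp.has_section("groups"):
        for group, patterns in cp["groups"].items():
            if any(fnmatchcase(host, p.strip().lower()) for p in patterns.split(",")):
                if cp.has_section(group):
                    opts.update(cp[group])
                break
    return opts

def negotiate_over_http(servers_text, repo_urls):
    """Return (url, http-library) for plain-http URLs whose host has Negotiate enabled."""
    findings = []
    for url in repo_urls:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue  # https is the configuration the reply recommends
        opts = effective_options(servers_text, (parts.hostname or "").lower())
        types = [t.strip().lower() for t in opts.get("http-auth-types", "").split(";")]
        if "negotiate" in types:
            findings.append((url, opts.get("http-library", "(default)")))
    return findings
```

Each finding is a repository to move to https; a reported http-library of serf indicates the workaround described in the quoted customer report.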