[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Getting NT Authorization Right with mod_auth_sspi.so

From: Toby Johnson <toby_at_etjohnson.us>
Date: 2004-07-13 21:47:36 CEST

Arthur Penn wrote:

>This is where IE tries to log in anonymously before offering the SSPI
>credentials. No problem there.
>
>TortoiseSVN, though, can't browse, update, or checkout anything from the
>repositories with basic authentication off. I get one of the following
>entries per access attempt:
>
>192.168.157.65 - - [13/Jul/2004:14:02:36 -0400] "PROPFIND
>/svn/ProjectName HTTP/1.1" 401 508
>
>Does anyone know how to make this work? I'd rather not use basic
>authentication. My httpd.conf (significant parts) follow:
>
><Location /svn>
> DAV svn
> SVNParentPath C:\SVNROOT
>
> Require valid-user
> AuthAuthoritative On
>
> AuthType SSPI
> SSPIAuth On
> SSPIDomain mydomain.com
> SSPIOmitDomain On
> SSPIOfferBasic Off
> SSPIAuthoritative On
></Location>
>
>
Why don't you want to use Basic authentication? You may be confused here
about what exactly SSPIOfferBasic means. SSPI by default uses NTLM, a
Microsoft proprietary protocol which only IE (and other Windows
components) understand. SSPIOfferBasic means that it is still
authenticating against your Windows domain on the backend, but when it
asks the client for a password, it does so using standard HTTP Basic
authentication.

TortoiseSVN (or anything else) doesn't understand NTLM, so there's no
way to get it to work without using Basic auth. If you're worried about
the cipher strength of Basic auth, use https instead of regular http.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Jul 13 21:47:58 2004

This is an archived mail posted to the Subversion Users mailing list.