[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: Re: Getting NT Authorization Right with mod_auth_sspi.so

From: Arthur Penn <APenn_at_quilogy.com>
Date: 2004-07-14 13:55:30 CEST

Ahhh... I was expecting TortoiseSVN to offer my NT credentials with
basic authentication off. In other applications, that avoids the
password prompt on access since we are already authenticated on the
domain. OK then. Do I still need an Apache passwd file for the users, or
can I delete that?

Thanks for your reply.

Arthur

-----Original Message-----
From: Toby Johnson [mailto:toby@etjohnson.us]
Sent: Tuesday, July 13, 2004 3:48 PM
To: users@subversion.tigris.org
Subject: Re: Getting NT Authorization Right with mod_auth_sspi.so

Arthur Penn wrote:

>This is where IE tries to log in anonymously before offering the SSPI
>credentials. No problem there.
>
>TortoiseSVN, though, can't browse, update, or checkout anything from
the
>repositories with basic authentication off. I get one of the following
>entries per access attempt:
>
>192.168.157.65 - - [13/Jul/2004:14:02:36 -0400] "PROPFIND
>/svn/ProjectName HTTP/1.1" 401 508
>
>Does anyone know how to make this work? I'd rather not use basic
>authentication. My httpd.conf (significant parts) follow:
>
><Location /svn>
> DAV svn
> SVNParentPath C:\SVNROOT
>
> Require valid-user
> AuthAuthoritative On
>
> AuthType SSPI
> SSPIAuth On
> SSPIDomain mydomain.com
> SSPIOmitDomain On
> SSPIOfferBasic Off
> SSPIAuthoritative On
></Location>
>
>
Why don't you want to use Basic authentication? You may be confused here

about what exactly SSPIOfferBasic means. SSPI by default uses NTLM, a
Microsoft proprietary protocol which only IE (and other Windows
components) understand. SSPIOfferBasic means that it is still
authenticating against your Windows domain on the backend, but when it
asks the client for a password, it does so using standard HTTP Basic
authentication.

TortoiseSVN (or anything else) doesn't understand NTLM, so there's no
way to get it to work without using Basic auth. If you're worried about
the cipher strength of Basic auth, use https instead of regular http.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Wed Jul 14 13:55:25 2004

This is an archived mail posted to the Subversion Users mailing list.