[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Getting NT Authorization Right with mod_auth_sspi.so

From: Mark Bohlman <mbohlman_at_tcicredit.com>
Date: 2004-07-14 15:17:34 CEST

Arthur Penn wrote:
> Ahhh... I was expecting TortoiseSVN to offer my NT credentials with
> basic authentication off. In other applications, that avoids the
> password prompt on access since we are already authenticated on the
> domain. OK then. Do I still need an Apache passwd file for the users, or
> can I delete that?
>
> Thanks for your reply.
>
> Arthur
>
>
> -----Original Message-----
> From: Toby Johnson [mailto:toby@etjohnson.us]
> Sent: Tuesday, July 13, 2004 3:48 PM
> To: users@subversion.tigris.org
> Subject: Re: Getting NT Authorization Right with mod_auth_sspi.so
>
> Arthur Penn wrote:
>
>
>>This is where IE tries to log in anonymously before offering the SSPI
>>credentials. No problem there.
>>
>>TortoiseSVN, though, can't browse, update, or checkout anything from
>
> the
>
>>repositories with basic authentication off. I get one of the following
>>entries per access attempt:
>>
>>192.168.157.65 - - [13/Jul/2004:14:02:36 -0400] "PROPFIND
>>/svn/ProjectName HTTP/1.1" 401 508
>>
>>Does anyone know how to make this work? I'd rather not use basic
>>authentication. My httpd.conf (significant parts) follow:
>>
>><Location /svn>
>> DAV svn
>> SVNParentPath C:\SVNROOT
>>
>> Require valid-user
>> AuthAuthoritative On
>>
>> AuthType SSPI
>> SSPIAuth On
>> SSPIDomain mydomain.com
>> SSPIOmitDomain On
>> SSPIOfferBasic Off
>> SSPIAuthoritative On
>></Location>
>>
>>
>
> Why don't you want to use Basic authentication? You may be confused here
>
> about what exactly SSPIOfferBasic means. SSPI by default uses NTLM, a
> Microsoft proprietary protocol which only IE (and other Windows
> components) understand. SSPIOfferBasic means that it is still
> authenticating against your Windows domain on the backend, but when it
> asks the client for a password, it does so using standard HTTP Basic
> authentication.
>
> TortoiseSVN (or anything else) doesn't understand NTLM, so there's no
> way to get it to work without using Basic auth. If you're worried about
> the cipher strength of Basic auth, use https instead of regular http.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org

Arthur,

    Not sure about the prior mail PROPFIND problem; are you able to
access the repository via a command like "svn ls file:///svn/sample"?
If so I'd suspect permissions.

    When using SSPI authentication you do not need the password file so
you can remove it.
-- Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Wed Jul 14 15:18:10 2004

This is an archived mail posted to the Subversion Users mailing list.