Re: neon, SSPI, and mod_auth_kerb

Hello.

Sorry for the cross-post / reply to self, but I figured out how to
get subversion to do single sign on / kerberos auth on windows
against mod_auth_kerb on linux, and maybe this will prevent someone
else from having to spend an entire day on it.

--On Thursday, July 14, 2005 7:56 PM -0500 Christopher Mason
<Mason.Christopher@mayo.edu> wrote:

> [Thu Jul 14 16:37:27 2005] [error] [client 172.23.155.51]
> gss_accept_sec_context() failed: Miscellaneous failure (Request is
> a replay)

It turns out this is a replay cache issue in mod_auth_kerb 5.0rc4
(the version that's in Fedora Core 3) that's fixed in rc6. I'm not
sure what IE does differently from neon that doesn't tickle it, but
anyway...

I'm now able to do SSPI/Kerberos/SPNEGO auth from subversion (trunk)
on WinXP to apache / mod_auth_kerb 5.0rc6 on FC3, no password
prompting. Yeah! Hopefully neon 0.25 will make it into a windows
subversion release pretty soon, because, frankly, building subversion
on windows is not for the faint of heart.

If anyone is interested, I can post details on my setup.

> [Thu Jul 14 16:37:52 2005] [error] [client 172.23.155.51]
> gss_accept_sec_context() failed: Miscellaneous failure (Wrong
> principal in request)

This issue (neon SSPI doesn't expand host names in SPNs) still
exists. The work around is to use the FQDN, but I think the fix is a
pretty short patch. I'll see if I can code this up tomorrow.

-c

-- 
[ Christopher Mason  MPRC Bioinformatics  http://proteomics ]
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org