[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Using MIT kerberos authentication with Tortoise SVN from a windows client

From: Chris Rodgers <rodgers_at_physchem.ox.ac.uk>
Date: 2006-08-24 19:04:28 CEST


Should it be possible to use a kerberos-enabled SVN repository with
TortoiseSVN (or any other SVN client for windows)?

If so, does anyone have any tips for getting it to work?

Here is what I have set up so far:

I have installed a Fedora Core 5 machine with Apache 2 running
mod_dav_svn and mod_auth_kerb. This machine is also running the latest
MIT kerberos KDC. Apache is set to use negotiate authentication using
Kerberos for access to the subversion repository.

 From my linux machines, I can now access the svn repository using kerberos.

$ kinit rodgers@MY.REALM

$ svn co https://my.server/svn/stuff

$ svn etc...

all work with only an initial password prompt when running kinit.

Now, I would like to be able to connect to this repository from Windows.

I have installed the MIT Kerberos 3.1 for windows beta and can
successfully kinit with my kerberos password to get a ticket.

However, TortoiseSVN doesn't seem to be aware that it can use this
ticket for authentication - just giving an access denied error. The
webserver logs show that no kerberos ticket was presented to Apache by
TortoiseSVN but that it instead presents an NTLM packet...

When I try to checkout a directory using TortoiseSVN, here is what
appears in the log:

[Thu Aug 24 17:39:41 2006] [debug] src/mod_auth_kerb.c(1342): [client] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Thu Aug 24 17:39:41 2006] [debug] src/mod_auth_kerb.c(1044): [client] Acquiring creds for
[Thu Aug 24 17:39:41 2006] [debug] src/mod_auth_kerb.c(1175): [client] Verifying client data using KRB5 GSS-API
[Thu Aug 24 17:39:41 2006] [debug] src/mod_auth_kerb.c(1191): [client] Verification returned code 589824
[Thu Aug 24 17:39:41 2006] [debug] src/mod_auth_kerb.c(1217): [client] Warning: received token seems to be NTLM, which isn't
supported by the Kerberos module. Check your IE configuration.

Many thanks in advance,

Chris Rodgers.

To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu Aug 24 19:13:21 2006

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.