[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: Can anyone help? Server was not authenticated correctly

From: Joe H-Grosse <jhg_at_isnordic.dk>
Date: 2007-08-09 12:18:11 CEST

Hi Michael,

Firstly, I'm not an expert on Digest Access Authentication - we use
Certificates+SSL.

However, here are some thoughts:

For some reason, on presentation of your credentials the server is
generating a digest response using a password that is not yours (the other
ingredients going into this digest are very unlikely to change).

Given that an md5 generator does not "just" decide to occasionally generate
incorrect digests, you are left with the following possibilities (that I can
see) in order of likelihood:

1. The password file is broken
2. The svn access file is broken
3. You are using some kind of load-balanced/failover apache front-end
solution and there are multiple password files - which don't match
4. There is some kind of proxy server that's mangling the character set

Here are some observations and questions to consider:

1. The problem is intermittent
        - what's your estimate regarding the frequency of success:failure
ratio?
        - is there a pattern relating to where in the repository tree you
are operating?
        - if you do nothing else but checkout->update->checkin/commit the
same file repeatedly will you see the issue appear?

2. The cnonce (your hashed password) is the same in all the examples you
give but so is the nonce_count - and that (hopefully) means you have cutting
and pasting the same example in your emails (?).
        - can you look in your logs and check that the cnonce digest string
is the same for both successful and failed access authentication
negotiations?
        - can you check rspauth as well - it should be the same for all
successful negotiations - and if you are lucky, the same for all
unsuccessful negotiations.

Here are some suggestions:

1. Turn off all anonymous access and see if the problem goes away; if not,
revert.
2. Turn off all anonymous access, strip down the svn access file to the bare
bones and see if the problem goes away; if not revert.
3. Turn off all anonymous access, strip down the svn access file to the bare
bones, remove all users but yourself from the svn access and password files,
give yourself rw access to the entire repository and see if the problem goes
away; if not revert.

Hope this helps

Regards,

Joe

-----Original Message-----
From: Michael Zhou [mailto:zhouyuehong@21cn.com]
Sent: 9. august 2007 03:43
To: Joe H-Grosse; users@subversion.tigris.org
Subject: Re: Can anyone help? Server was not authenticated correctly

Hi, Joe,

Thanks for your reply.

According to your suggestion, I re-ordered the svn directives in
httpd.conf (list below), and the problem is still there.

    <Location /repos>
        DAV svn
        SVNParentPath /home/svnadmin/repos
        SVNIndexXSLT http://svn.myhost.com/style.xsl

        AuthzSVNAccessFile /home/svnadmin/repos_access/access

        Satisfy Any
        Require valid-user

        AuthType Digest
        AuthName "subversion repository"
        AuthDigestProvider file
        AuthUserFile /home/svnadmin/repos_access/passwd
    </Location>

The apache error_log didn't show any problem, and the access_log shows
all requests are succeeded (GET request returned 200, and PROPFIND
request returned 207)

So I guess the server works fine. It seems some MD5 digest doesn't
match. I wonder what it is.

Here list the neon debug log:

ah_post_send (#0), code is 207 (want 401), WWW-Authenticate is (none)
Auth-Info header:
rspauth="b96e9e2643a40426e466d58b49fc4378",cnonce="8bcb2a16679f26796ea8ac8b8
357cd6b", nc=000001df, qop=auth
Pair: [rspauth] = [b96e9e2643a40426e466d58b49fc4378]
Pair: [cnonce] = [8bcb2a16679f26796ea8ac8b8357cd6b]
Pair: [nc] = [000001df]
Got nonce_count: 479
Pair: [qop] = [auth]
Calculating response-digest.
Digesting qop-value [auth:].
Calculated response-digest of: [ae162836b87c6f62297c0df454b3792a]
Given response-digest of: [b96e9e2643a40426e466d58b49fc4378]
Matched: nope
Response authentication invalid.
svn: PROPFIND request failed on
'/repos/.../!svn/bc/11875/.../branches/20070731_....java'
svn: PROPFIND of '/repos/.../!svn/bc/11875/.../branches/20070731_....java':
Server was not authenticated correctly. (http://svn.myhost.com)

>
> Hi,
>
> What do your apaches logs tell you?
>
> I also note you have "Satisfy Any" enabled at the end of the Location
block
> as well as "Require valid-user" prior to it.
> If you are not allowing anonymous access - then you should be able to
> comment "Satisfy Any" out?
> If you are - then in the manual (page 116 - Example 6.3) Satisfy Any" is
> defined prior to "Require valid-user".
>
> The accompanying text to the example could indicate that there is an
> overloading order that is assumed by subversion when using these
directives
> together.
> You might try re-ordering the definitions and seeing if that clears things
> up.
>
> If not then the issue may be in the definitions in the AuthzSVNAccessFile
> and their ordering.
>
> Regards,
>
> Joe
> -----Original Message-----
> From: Michael Zhou [mailto:zhouyuehong@21cn.com]
> Sent: 8. august 2007 09:56
> To: users@subversion.tigris.org
> Subject: Re: Can anyone help? Server was not authenticated correctly
>
> I don't change any svn client configurations at all.
>
> Below is my server's configuration. Most times it works fine:
>
> <Location /repos>
> AuthType Digest
> AuthName "subversion repository"
> AuthDigestProvider file
> AuthUserFile /home/svnadmin/repos_access/passwd
>
> Require valid-user
>
> DAV svn
> SVNParentPath /home/svnadmin/repos
> SVNIndexXSLT http://svn.myhost.com/style.xsl
> AuthzSVNAccessFile /home/svnadmin/repos_access/access
>
> Satisfy Any
> </Location>
>
> > Please paste your config here,
> > or post a message to <http://www.iusesvn.com/bbs>www.iusesvn.com/bbs.
> >
> > On 8/8/07, Michael Zhou <<mailto:zhouyuehong@21cn.com>
> zhouyuehong@21cn.com> wrote:
> > > I posted this message 2 days ago, but no one replies me.
> > >
> > > In Subversion for windows, the error message is different than it is
in
> > > Linux: Digest mutual authentication failure: request-digest mismatch
> > >
> > > ----------------------- Original Message -----------------------
> > > From: Michael Zhou <zhouyuehong@21cn.com>
> > > To: users@subversion.tigris.org
> > > Date: Mon, 06 Aug 2007 14:22:34 +0800
> > > Subject: Server was not authenticated correctly
> > > ----
> > >
> > > Dear all,
> > >
> > > I have a problem: my svn client randomly reports "Server was not
> > > authenticated correctly" error. Most times it works fine, and
> > > occasionally it exits with an error.
> > >
> > > Below is my environment information:
> > >
> > > Server-side:
> > >
> > > * RH Linux AS,
> > > * SVN 1.4.4 with Apache 2.2.4,
> > > * http protocol, authenticated with MD5 digest,
> > > * repository type is fsfs.
> > >
> > > Client-side:
> > >
> > > * RH Linux | Windows
> > > * SVN 1.4.4,
> > > * neon 0.25.5
> > >
> > > I just opened the debug option of neon as metioned in the archived
> > > mailing list.
> > >
> > > vi ~/.subversion/servers
> > >
> > > [global]
> > > neon-debug-mask = 9
> > >
> > > Here is what neon prints on stderr:
> > >
> > > $ svn merge -r 11875:HEAD
> http://svn.myhost.com/repos/.../branches/20070731_.../ .
> > >
> > > ...
> > > ...
> > >
> > > ah_post_send (#0), code is 207 (want 401), WWW-Authenticate is (none)
> > > Auth-Info header: rspauth="c9c7d7643a6db0006e66c358b4e313a7",
> cnonce="8bcb2a16679f26796ea8ac8b8357cd6b", nc=000001de, qop=auth
> > > Pair: [rspauth] = [c9c7d7643a6db0006e66c358b4e313a7]
> > > Pair: [cnonce] = [8bcb2a16679f26796ea8ac8b8357cd6b]
> > > Pair: [nc] = [000001de]
> > > Got nonce_count: 478
> > > Pair: [qop] = [auth]
> > > Calculating response-digest.
> > > Digesting qop-value [auth:].
> > > Calculated response-digest of: [c9c7d7643a6db0006e66c358b4e313a7]
> > > Given response-digest of: [c9c7d7643a6db0006e66c358b4e313a7]
> > > Matched: YES!
> > > ah_create, for WWW-Authenticate
> > > Handling auth session.
> > > Nonce count is 479, nc is [000001df]
> > > H(A2): 61de4dcc5a3ecaeaad7cc852c10ea12e
> > > Calculating Request-Digest.
> > > Have qop directive, digesting:
> [000001df:8bcb2a16679f26796ea8ac8b8357cd6b:auth]
> > > Digest request header is Digest username="fanziwen",
realm="subversion
> repository", nonce="BW3AzwA3BAA=a3a4e2fc6bcddc1a8d4771a052e6806a9a762de8",
> uri="/repos/.../!svn/bc/11875/.../branches/20070731_....java",
> > > response="407b46bacdf2a7745bd67915dc606f1f", algorithm="MD5",
> > > cnonce="8bcb2a16679f26796ea8ac8b8357cd6b", nc=000001df, qop="auth"
> > >
> > > ah_post_send (#0), code is 207 (want 401), WWW-Authenticate is (none)
> > > Auth-Info header: rspauth="b96e9e2643a40426e466d58b49fc4378",
> cnonce="8bcb2a16679f26796ea8ac8b8357cd6b", nc=000001df, qop=auth
> > > Pair: [rspauth] = [b96e9e2643a40426e466d58b49fc4378]
> > > Pair: [cnonce] = [8bcb2a16679f26796ea8ac8b8357cd6b]
> > > Pair: [nc] = [000001df]
> > > Got nonce_count: 479
> > > Pair: [qop] = [auth]
> > > Calculating response-digest.
> > > Digesting qop-value [auth:].
> > > Calculated response-digest of: [ae162836b87c6f62297c0df454b3792a]
> > > Given response-digest of: [b96e9e2643a40426e466d58b49fc4378]
> > > Matched: nope
> > > Response authentication invalid.
> > > svn: PROPFIND request failed on
> '/repos/.../!svn/bc/11875/.../branches/20070731_....java'
> > > svn: PROPFIND of
> '/repos/.../!svn/bc/11875/.../branches/20070731_....java':
> > > Server was not authenticated correctly. (http://svn.myhost.com)
> > > Closing connection.
> > > Connection closed.
> > > Closing connection.
> > > Connection closed.
> > > Closing connection.
> > > Connection closed.
> > >
> > > Thanks in advance.
> > >
> > > --
> > > Michael Zhou <zhouyuehong@21cn.com>
> > >
> > > --------------------- Original Message Ends --------------------
> > >
> > > --
> > > Michael Zhou < zhouyuehong@21cn.com>
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail:
<mailto:users-unsubscribe@subversion.tigris.org>
> users-unsubscribe@subversion.tigris.org
> > > For additional commands, e-mail: users-help@subversion.tigris.org
> > >
> >
> >
> >
> >
> > --
> > http://www.iUseSVN.com (Chinese SVN Forum)
>
> --
> Michael Zhou <zhouyuehong@21cn.com>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
>

-- 
Michael Zhou <zhouyuehong@21cn.com>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu Aug 9 12:17:02 2007

This is an archived mail posted to the Subversion Users mailing list.