
Re: How to configure SSL on SSPI?

From: Andrey Repin <anrdaemon_at_freemail.ru>
Date: Tue, 1 Sep 2009 03:07:06 +0400

Greetings, Michael Tang!

> I have set up SSL secured connections (https) for my Subversion and https
> works well. Now, I am trying to set authentication with a Windows Domain
> with SSPI. But after I set up SSPI, the authorization (Windows Domain userid
> and password) is only valid for http. For https, no authorization is needed and
> anyone can access the repository.

> According to document ( http://tortoisesvn.net/docs/release/TortoiseSVN_en/tsvn-serversetup-apache.html#tsvn-serversetup-apache-6),
> The SSPI authentication is only enabled for SSL secured connections(https).

> What is wrong in my configuration?

> I only added /changed some contents in httpd.conf for SSPI below,

> Added

> LoadModule sspi_auth_module modules/mod_auth_sspi.so

> LoadModule dav_fs_module modules/mod_dav_fs.so

> SSPIAuth On
> SSPIAuthoritative On
> SSPIOfferBasic On

> and changed

> AuthType from 'Basic' to 'SSPI'

> AuthzSVNAccessFile from 'basic_auth_file' to 'SSPI_auth_file'.

> and other settings have not been changed. For more details, please see the attachment.

As already mentioned, you have either changed the wrong block, or your auth
cache still offers you valid credentials for basic auth HTTPS.
Try disabling SSPIOfferBasic first.

        <IfModule sspi_auth_module>
            Allow from all

            AuthName "Subversion repository"
            AuthType SSPI
            SSPIAuth On
            SSPIAuthoritative On
            SSPIOfferBasic On
            SSPIOmitDomain On
            SSPIUsernameCase lower
            SSPIBasicPreferred On

            # only developers may access the repository
            Require group "DAEMON1\CVS"

            # And they should obey to SVN user permissions file
            <IfModule authz_svn_module>
                AuthzSVNAccessFile "C:/home/svn/.registry"

I'm using "SSPIOfferBasic" only because I want remote Linux clients to be able
to authenticate to the repository.

 Andrey Repin (anrdaemon_at_freemail.ru) 01.09.2009, <2:54>
Sorry for my terrible english...
Received on 2009-09-01 01:11:31 CEST
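
One way to check for the "wrong block" case discussed in this thread, as an added example that is not part of the original mail or of any project's code: a small audit that lists every `<Location>` serving `DAV svn` and reports those with no `AuthType`/`Require`, or with `SSPIOfferBasic On` on a host without `SSLEngine on`. The function name, the sample configuration and the two-virtual-host layout are assumptions; inheritance from main-server sections is not modelled.

```python
import re
# Constructed sample: SSPI was added to the port-80 block only; the SSL host
# serves the same repository with no auth directives at all.
SAMPLE_CONF = r'''
<VirtualHost *:80>
  <Location /svn>
    DAV svn
    AuthType SSPI
    SSPIAuth On
    SSPIOfferBasic On
    Require group "DAEMON1\CVS"
  </Location>
</VirtualHost>
<VirtualHost _default_:443>
  SSLEngine on
  <Location /svn>
    DAV svn
  </Location>
</VirtualHost>
'''

def audit_svn_locations(conf_text):
    """Map (vhost, path) -> list of problems for each <Location> serving 'DAV svn'."""
    ssl_hosts, blocks, vhost, loc = set(), [], "main", None
    for line in (l.strip() for l in conf_text.splitlines()):
        m = re.match(r"<(/?)(VirtualHost|Location)\b\s*([^>]*)>", line, re.I)
        if m and m.group(2).lower() == "virtualhost":
            vhost = "main" if m.group(1) else m.group(3).strip()
        elif m:
            # Opening tag starts a new block, closing tag ends the current one
            loc = None if m.group(1) else {"vhost": vhost, "path": m.group(3).strip(), "d": {}}
            blocks += [loc] if loc else []
        elif line and not line.startswith(("#", "<")):
            name, value = (line.lower().split(None, 1) + [""])[:2]
            if loc is not None:
                loc["d"][name] = value          # directive inside a <Location>
            elif (name, value) == ("sslengine", "on"):
                ssl_hosts.add(vhost)            # host-level SSL switch
    report = {}
    for b in (b for b in blocks if b["d"].get("dav") == "svn"):
        d, problems = b["d"], []
        if "authtype" not in d or "require" not in d:
            problems.append("no AuthType/Require: open to anyone")
        if d.get("sspiofferbasic") == "on" and b["vhost"] not in ssl_hosts:
            problems.append("SSPIOfferBasic On without SSL: cleartext Basic")
        report[(b["vhost"], b["path"])] = problems
    return report

if __name__ == "__main__":
    print(audit_svn_locations(SAMPLE_CONF))
```
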

This is an archived mail posted to the Subversion Users mailing list.
