Hi,
We run the subversion command line client (version 1.6.4) on Windows XP Professional, Service Pack 3.
The global settings section of the servers file is as follows:
-------------------------------------- Start ------------------------------------------------------------------------
[global]
http-proxy-exceptions = 192.168.*, 10.*, 127.*
http-proxy-host = <proxy server IP address?
http-proxy-port = 8080
http-proxy-username = <NT domain name>&92;<Windows username>
http-proxy-password = <Windows password>
http-compression = no
http-timeout = 60
neon-debug-mask = 255
#ssl-authority-files = /path/to/CAcert.pem;/path/to/CAcert2.pem
-------------------------------------- End ------------------------------------------------------------------------
Note that we’ve also tried “http-proxy-username = <NT domain name>\<Windows username>”, and that does not work either.
We are trying to access a remote Subversion server that requires https access. The proxy server we go through is not under our control, and issues an NTLM challenge to the subversion client, which fails because the subversion client cannot parse the NTLM challenge:
-------------------------------- Start -----------------------------
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Program Files\CollabNet Subversion Server>svn list https://<host>/<path>
ah_create, for WWW-Authenticate
Running pre_send hooks
Sending request headers:
OPTIONS /<path> HTTP/1.1
Host: <host>
User-Agent: SVN/1.6.4 (r38063) neon/0.28.2
Keep-Alive:
Proxy-Connection: Keep-Alive
Connection: TE
TE: trailers
Content-Type: text/xml
DAV: http://subversion.tigris.org/xmlns/dav/svn/depth
DAV: http://subversion.tigris.org/xmlns/dav/svn/mergeinfo
DAV: http://subversion.tigris.org/xmlns/dav/svn/log-revprops
Content-Length: 104
Sending request-line and headers:
Doing DNS lookup on <proxy ip address>...
Connecting to <proxy ip address>
ah_create, for Proxy-Authenticate
Running pre_send hooks
Sending request headers:
CONNECT <host>:443 HTTP/1.1
Host: <host>
User-Agent: SVN/1.6.4 (r38063) neon/0.28.2
Keep-Alive:
Proxy-Connection: Keep-Alive
Connection: TE
TE: trailers
Sending request-line and headers:
Request sent; retry is 0.
[status-line] < HTTP/1.1 407 Proxy Authentication Required
[hdr] Proxy-Authenticate: NTLM
Header Name: [proxy-authenticate], Value: [NTLM]
[hdr] Proxy-Authenticate: BASIC realm="<Realm Name>"
Header Name: [proxy-authenticate], Value: [BASIC realm="<Realm Name>"]
[hdr] Cache-Control: no-cache
Header Name: [cache-control], Value: [no-cache]
[hdr] Pragma: no-cache
Header Name: [pragma], Value: [no-cache]
[hdr] Content-Type: text/html; charset=utf-8
Header Name: [content-type], Value: [text/html; charset=utf-8]
[hdr] Proxy-Connection: close
Header Name: [proxy-connection], Value: [close]
[hdr] Set-Cookie: BCSI-CSAC10C819=2; Path=/
Header Name: [set-cookie], Value: [BCSI-CSAC10C819=2; Path=/]
[hdr] Connection: close
Header Name: [connection], Value: [close]
[hdr] Content-Length: 900
Header Name: [content-length], Value: [900]
[hdr]
End of headers.
Running post_headers hooks
Reading 900 bytes of response body.
Got 900 bytes.
Read block (900 bytes):
[<HTML><HEAD>
<IMG src="<<image url>">
<TITLE>Access Denied</TITLE>
</HEAD>
<BODY>
<FONT face="Helvetica">
<big><strong></strong></big><BR>
</FONT>
<blockquote>
<TABLE border=0 cellPadding=1 width="80%">
<TR><TD>
<FONT face="Helvetica">
<big><FONT COLOR="Blue">Access Denied (authentication_failed)</FONT></big>
<BR>
<BR>
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica">
Your credentials could not be authenticated: "Credentials required.". You will not be permitted access until your credentials can be verified.
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica">
This is typically caused by an incorrect username and/or password, but could also be caused by network problems.
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica" SIZE=2>
<BR>
For assistance, contact xxxxxxxxxxxxxx.
</FONT>
</TD></TR>
</TABLE>
</blockquote>
</FONT>
</BODY></HTML>
]
Running post_send hooks
ah_post_send (#0), code is 407 (want 407), Proxy-Authenticate is NTLM, BASIC realm="<Realm Name>"
auth: Got challenge (code 407).
auth: Got 'NTLM' challenge.
auth: Got 'Basic' challenge.
auth: Trying NTLM challenge...
auth: SSPI challenge.
auth: SSPI challenge [TlRMTVNTUAABAAAAt7II4gkACQAwAAAACAAIACgAAAAFASgKAAAAD0Q4OE1OTjNKV09SS0dST1VQ]
auth: Accepted NTLM challenge.
sess: Closing connection.
sess: Connection closed.
Running pre_send hooks
auth: Sending 'NTLM' response.
Sending request headers:
CONNECT <host>:443 HTTP/1.1
Host: <host>
User-Agent: SVN/1.6.4 (r38063) neon/0.28.2
Keep-Alive:
Proxy-Connection: Keep-Alive
Connection: TE
TE: trailers
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAt7II4gkACQAwAAAACAAIACgAAAAFASgKAAAAD0Q4OE1OTjNKV09SS0dST1VQ
Sending request-line and headers:
Connecting to <proxy ip address>
Request sent; retry is 0.
[status-line] < HTTP/1.1 407 Proxy Authentication Required
[hdr] Proxy-Authenticate: NTLM TlRMTVNTUAACAAAADgAOADgAAAA1goniOR+IXH68HhMAAAAAAAAAAGwAbABGAAAABQCTCAAAAA9BAFUAVABIAE8AUgBTAAIADgBBAFUAVABIAE8AUgBTAAEAEABEAFIAQQBOAEUAVAAwADEABAAUAGYAcwBhAC4AZwBvAHYALgB1AGsAAwAmAGQAcgBhAG4AZQB0ADAAMQAuAGYAcwBhAC4AZwBvAHYALgB1AGsAAAAAAA==
Header Name: [proxy-authenticate], Value: [NTLM TlRMTVNTUAACAAAADgAOADgAAAA1goniOR+IXH68HhMAAAAAAAAAAGwAbABGAAAABQCTCAAAAA9BAFUAVABIAE8AUgBTAAIADgBBAFUAVABIAE8AUgBTAAEAEABEAFIAQQBOAEUAVAAwADEABAAUAGYAcwBhAC4AZwBvAHYALgB1AGsAAwAmAGQAcgBhAG4AZQB0ADAAMQAuAGYAcwBhAC4AZwBvAHYALgB1AGsAAAAAAA==]
[hdr] Cache-Control: no-cache
Header Name: [cache-control], Value: [no-cache]
[hdr] Pragma: no-cache
Header Name: [pragma], Value: [no-cache]
[hdr] Content-Type: text/html; charset=utf-8
Header Name: [content-type], Value: [text/html; charset=utf-8]
[hdr] Proxy-Connection: Keep-Alive
Header Name: [proxy-connection], Value: [Keep-Alive]
[hdr] Set-Cookie: BCSI-CSAC10C819=2; Path=/
Header Name: [set-cookie], Value: [BCSI-CSAC10C819=2; Path=/]
[hdr] Connection: Keep-Alive
Header Name: [connection], Value: [Keep-Alive]
[hdr] Content-Length: 920
Header Name: [content-length], Value: [920]
[hdr]
End of headers.
Running post_headers hooks
Reading 920 bytes of response body.
Got 920 bytes.
Read block (920 bytes):
[<HTML><HEAD>
<IMG src="<<image url>">
<TITLE>Access Denied</TITLE>
</HEAD>
<BODY>
<FONT face="Helvetica">
<big><strong></strong></big><BR>
</FONT>
<blockquote>
<TABLE border=0 cellPadding=1 width="80%">
<TR><TD>
<FONT face="Helvetica">
<big><FONT COLOR="Blue">Access Denied (authentication_failed)</FONT></big>
<BR>
<BR>
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica">
Your credentials could not be authenticated: "Another round of authentication required.". You will not be permitted access until your credentials can be verified.
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica">
This is typically caused by an incorrect username and/or password, but could also be caused by network problems.
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica" SIZE=2>
<BR>
For assistance, contact xxxxxxxxxxxxxxxx.
</FONT>
</TD></TR>
</TABLE>
</blockquote>
</FONT>
</BODY></HTML>
]
Running post_send hooks
ah_post_send (#1), code is 407 (want 407), Proxy-Authenticate is NTLM TlRMTVNTUAACAAAADgAOADgAAAA1goniOR+IXH68HhMAAAAAAAAAAGwAbABGAAAABQCTCAAAAA9BAFUAVABIAE8AUgBTAAIADgBBAFUAVABIAE8AUgBTAAEAEABEAFIAQQBOAEUAVAAwADEABAAUAGYAcwBhAC4AZwBvAHYALgB1AGsAAwAmAGQAcgBhAG4AZQB0ADAAMQAuAGYAcwBhAC4AZwBvAHYALgB1AGsAAAAAAA==
auth: Got challenge (code 407).
auth: Got 'NTLM' challenge.
auth: NTLM opaque parameter 'TlRMTVNTUAACAAAADgAOADgAAAA1goniOR+IXH68HhMAAAAAAAAAAGwAbABGAAAABQCTCAAAAA9BAFUAVABIAE8AUgBTAAIADgBBAFUAVABIAE8AUgBTAAEAEABEAFIAQQBOAEUAVAAwADEABAAUAGYAcwBhAC4AZwBvAHYALgB1AGsAAwAmAGQAcgBhAG4AZQB0ADAAMQAuAGYAcwBhAC4AZwBvAHYALgB1AGsAAAAAAA=='
auth: Trying NTLM challenge...
auth: SSPI challenge.
auth: SSPI challenge [TlRMTVNTUAADAAAAGAAYAH4AAAAYABgAlgAAABAAEABIAAAAFgAWAFgAAAAQABAAbgAAABAAEACuAAAANYKI4gUBKAoAAAAPRAA4ADgATQBOAE4AMwBKAFMAdABlAHYAZQAgAEIAcgBvAHcAbgBEADgAOABNAE4ATgAzAEoAd61IQ6EjQqUAAAAAAAAAAAAAAAAAAAAANEplC6Pv/EqRLpeGDL5alPSqVAK4GyWnpqlYG/ZyGlqpAF8St8tGkA==]
auth: Accepted NTLM challenge.
Running pre_send hooks
auth: Sending 'NTLM' response.
Sending request headers:
CONNECT <host>:443 HTTP/1.1
Host: <host>
User-Agent: SVN/1.6.4 (r38063) neon/0.28.2
Keep-Alive:
Proxy-Connection: Keep-Alive
Connection: TE
TE: trailers
Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAH4AAAAYABgAlgAAABAAEABIAAAAFgAWAFgAAAAQABAAbgAAABAAEACuAAAANYKI4gUBKAoAAAAPRAA4ADgATQBOAE4AMwBKAFMAdABlAHYAZQAgAEIAcgBvAHcAbgBEADgAOABNAE4ATgAzAEoAd61IQ6EjQqUAAAAAAAAAAAAAAAAAAAAANEplC6Pv/EqRLpeGDL5alPSqVAK4GyWnpqlYG/ZyGlqpAF8St8tGkA==
Sending request-line and headers:
Request sent; retry is 1.
[status-line] < HTTP/1.1 407 Proxy Authentication Required
[hdr] Proxy-Authenticate: NTLM
Header Name: [proxy-authenticate], Value: [NTLM]
[hdr] Cache-Control: no-cache
Header Name: [cache-control], Value: [no-cache]
[hdr] Pragma: no-cache
Header Name: [pragma], Value: [no-cache]
[hdr] Content-Type: text/html; charset=utf-8
Header Name: [content-type], Value: [text/html; charset=utf-8]
[hdr] Proxy-Connection: close
Header Name: [proxy-connection], Value: [close]
[hdr] Set-Cookie: BCSI-CSAC10C819=2; Path=/
Header Name: [set-cookie], Value: [BCSI-CSAC10C819=2; Path=/]
[hdr] Connection: close
Header Name: [connection], Value: [close]
[hdr] Content-Length: 953
Header Name: [content-length], Value: [953]
[hdr]
End of headers.
Running post_headers hooks
Reading 953 bytes of response body.
Got 953 bytes.
Read block (953 bytes):
[<HTML><HEAD>
<IMG src="<<image url>">
<TITLE>Access Denied</TITLE>
</HEAD>
<BODY>
<FONT face="Helvetica">
<big><strong></strong></big><BR>
</FONT>
<blockquote>
<TABLE border=0 cellPadding=1 width="80%">
<TR><TD>
<FONT face="Helvetica">
<big><FONT COLOR="Blue">Access Denied (authentication_failed)</FONT></big>
<BR>
<BR>
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica">
Your credentials could not be authenticated: "General authentication failure due to bad user ID or authentication token.". You will not be permitted access until your credentials can be verified.
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica">
This is typically caused by an incorrect username and/or password, but could also be caused by network problems.
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica" SIZE=2>
<BR>
For assistance, contact xxxxxxxxxxxxxxxxx.
</FONT>
</TD></TR>
</TABLE>
</blockquote>
</FONT>
</BODY></HTML>
]
Running post_send hooks
ah_post_send (#2), code is 407 (want 407), Proxy-Authenticate is NTLM
auth: Got challenge (code 407).
auth: Got 'NTLM' challenge.
auth: Trying NTLM challenge...
auth: SSPI challenge.
sspi: failing because starting over from failed try.
auth: No challenges accepted.
sess: Closing connection.
sess: Connection closed.
Request ends, status 407 class 4xx, error line:
Could not authenticate to proxy server: could not parse challenge
Running destroy hooks.
Request ends.
Request ends, status 0 class 0xx, error line:
Could not create SSL connection through proxy server: Could not authenticate to proxy server: could not parse challenge
Running destroy hooks.
Request ends.
svn: OPTIONS of 'https://<host>/<path>': Could not create SSL connection through proxy server: Could not authenticate to proxy server: could not parse challenge (https://<host>)
sess: Destroying session.
sess: Destroying session.
C:\Program Files\CollabNet Subversion Server>cd "\Program Files\CollabNet Subversion Server"
------------------------------- Finish -----------------------------
Any help in resolving this issue would be much appreciated.
Steve Brown
This communication and any attachments contains information which is confidential and may be subject to legal privilege. It is for intended recipients only. If you are not the intended recipient you must not copy, distribute, publish, rely on or otherwise use it without our consent. Some of our communications may contain confidential information which it could be a criminal offence for you to disclose or use without authority. If you have received this email in error please notify postmaster_at_fsa.gov.uk immediately and delete the email from your computer.
The FSA reserves the right to monitor all email communications for compliance with legal, regulatory and professional standards.
This email is not intended to nor should it be taken to create any legal relations or contractual relationships. This email has originated from
The Financial Services Authority (FSA)
25 The North Colonnade,
Canary Wharf,
London
E14 5HS
United Kingdom
Registered as a Limited Company in England and Wales No.1920623.
Registered Office as above
Switchboard: 020 7066 1000
Web Site: http://www.fsa.gov.uk
*****************************************************************
Received on 2010-01-21 12:26:27 CET