[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Subversion access via a proxy that requires NTLM fails

From: Steve Brown <Steve.Brown_at_fsa.gov.uk>
Date: Thu, 21 Jan 2010 11:20:56 -0000

Hi,

 

We run the subversion command line client (version 1.6.4) on Windows XP Professional, Service Pack 3.

 

The global settings section of the servers file is as follows:

 

-------------------------------------- Start ------------------------------------------------------------------------

[global]

http-proxy-exceptions = 192.168.*, 10.*, 127.*

http-proxy-host = <proxy server IP address?

http-proxy-port = 8080

http-proxy-username = <NT domain name>&92;<Windows username>

http-proxy-password = <Windows password>

http-compression = no

http-timeout = 60

neon-debug-mask = 255

#ssl-authority-files = /path/to/CAcert.pem;/path/to/CAcert2.pem

-------------------------------------- End ------------------------------------------------------------------------

 

Note that we’ve also tried “http-proxy-username = <NT domain name>\<Windows username>”, and that does not work either.

 

We are trying to access a remote Subversion server that requires https access. The proxy server we go through is not under our control, and issues an NTLM challenge to the subversion client, which fails because the subversion client cannot parse the NTLM challenge:

 

-------------------------------- Start -----------------------------

Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.

 

 

C:\Program Files\CollabNet Subversion Server>svn list https://<host>/<path>

ah_create, for WWW-Authenticate

Running pre_send hooks

Sending request headers:

OPTIONS /<path> HTTP/1.1

Host: <host>

User-Agent: SVN/1.6.4 (r38063) neon/0.28.2

Keep-Alive:

Proxy-Connection: Keep-Alive

Connection: TE

TE: trailers

Content-Type: text/xml

DAV: http://subversion.tigris.org/xmlns/dav/svn/depth

DAV: http://subversion.tigris.org/xmlns/dav/svn/mergeinfo

DAV: http://subversion.tigris.org/xmlns/dav/svn/log-revprops

Content-Length: 104

 

Sending request-line and headers:

Doing DNS lookup on <proxy ip address>...

Connecting to <proxy ip address>

ah_create, for Proxy-Authenticate

Running pre_send hooks

Sending request headers:

CONNECT <host>:443 HTTP/1.1

Host: <host>

User-Agent: SVN/1.6.4 (r38063) neon/0.28.2

Keep-Alive:

Proxy-Connection: Keep-Alive

Connection: TE

TE: trailers

 

Sending request-line and headers:

Request sent; retry is 0.

[status-line] < HTTP/1.1 407 Proxy Authentication Required

[hdr] Proxy-Authenticate: NTLM

Header Name: [proxy-authenticate], Value: [NTLM]

[hdr] Proxy-Authenticate: BASIC realm="<Realm Name>"

Header Name: [proxy-authenticate], Value: [BASIC realm="<Realm Name>"]

[hdr] Cache-Control: no-cache

Header Name: [cache-control], Value: [no-cache]

[hdr] Pragma: no-cache

Header Name: [pragma], Value: [no-cache]

[hdr] Content-Type: text/html; charset=utf-8

Header Name: [content-type], Value: [text/html; charset=utf-8]

[hdr] Proxy-Connection: close

Header Name: [proxy-connection], Value: [close]

[hdr] Set-Cookie: BCSI-CSAC10C819=2; Path=/

Header Name: [set-cookie], Value: [BCSI-CSAC10C819=2; Path=/]

[hdr] Connection: close

Header Name: [connection], Value: [close]

[hdr] Content-Length: 900

Header Name: [content-length], Value: [900]

[hdr]

End of headers.

Running post_headers hooks

Reading 900 bytes of response body.

Got 900 bytes.

Read block (900 bytes):

[<HTML><HEAD>

<IMG src="<<image url>">

<TITLE>Access Denied</TITLE>

</HEAD>

<BODY>

<FONT face="Helvetica">

<big><strong></strong></big><BR>

</FONT>

<blockquote>

<TABLE border=0 cellPadding=1 width="80%">

<TR><TD>

<FONT face="Helvetica">

<big><FONT COLOR="Blue">Access Denied (authentication_failed)</FONT></big>

<BR>

<BR>

</FONT>

</TD></TR>

<TR><TD>

<FONT face="Helvetica">

Your credentials could not be authenticated: "Credentials required.". You will not be permitted access until your credentials can be verified.

</FONT>

</TD></TR>

<TR><TD>

<FONT face="Helvetica">

This is typically caused by an incorrect username and/or password, but could also be caused by network problems.

</FONT>

</TD></TR>

<TR><TD>

<FONT face="Helvetica" SIZE=2>

<BR>

For assistance, contact xxxxxxxxxxxxxx.

</FONT>

</TD></TR>

</TABLE>

</blockquote>

</FONT>

</BODY></HTML>

]

Running post_send hooks

ah_post_send (#0), code is 407 (want 407), Proxy-Authenticate is NTLM, BASIC realm="<Realm Name>"

auth: Got challenge (code 407).

auth: Got 'NTLM' challenge.

auth: Got 'Basic' challenge.

auth: Trying NTLM challenge...

auth: SSPI challenge.

auth: SSPI challenge [TlRMTVNTUAABAAAAt7II4gkACQAwAAAACAAIACgAAAAFASgKAAAAD0Q4OE1OTjNKV09SS0dST1VQ]

auth: Accepted NTLM challenge.

sess: Closing connection.

sess: Connection closed.

Running pre_send hooks

auth: Sending 'NTLM' response.

Sending request headers:

CONNECT <host>:443 HTTP/1.1

Host: <host>

User-Agent: SVN/1.6.4 (r38063) neon/0.28.2

Keep-Alive:

Proxy-Connection: Keep-Alive

Connection: TE

TE: trailers

Proxy-Authorization: NTLM TlRMTVNTUAABAAAAt7II4gkACQAwAAAACAAIACgAAAAFASgKAAAAD0Q4OE1OTjNKV09SS0dST1VQ

 

Sending request-line and headers:

Connecting to <proxy ip address>

Request sent; retry is 0.

[status-line] < HTTP/1.1 407 Proxy Authentication Required

[hdr] Proxy-Authenticate: NTLM TlRMTVNTUAACAAAADgAOADgAAAA1goniOR+IXH68HhMAAAAAAAAAAGwAbABGAAAABQCTCAAAAA9BAFUAVABIAE8AUgBTAAIADgBBAFUAVABIAE8AUgBTAAEAEABEAFIAQQBOAEUAVAAwADEABAAUAGYAcwBhAC4AZwBvAHYALgB1AGsAAwAmAGQAcgBhAG4AZQB0ADAAMQAuAGYAcwBhAC4AZwBvAHYALgB1AGsAAAAAAA==

Header Name: [proxy-authenticate], Value: [NTLM TlRMTVNTUAACAAAADgAOADgAAAA1goniOR+IXH68HhMAAAAAAAAAAGwAbABGAAAABQCTCAAAAA9BAFUAVABIAE8AUgBTAAIADgBBAFUAVABIAE8AUgBTAAEAEABEAFIAQQBOAEUAVAAwADEABAAUAGYAcwBhAC4AZwBvAHYALgB1AGsAAwAmAGQAcgBhAG4AZQB0ADAAMQAuAGYAcwBhAC4AZwBvAHYALgB1AGsAAAAAAA==]

[hdr] Cache-Control: no-cache

Header Name: [cache-control], Value: [no-cache]

[hdr] Pragma: no-cache

Header Name: [pragma], Value: [no-cache]

[hdr] Content-Type: text/html; charset=utf-8

Header Name: [content-type], Value: [text/html; charset=utf-8]

[hdr] Proxy-Connection: Keep-Alive

Header Name: [proxy-connection], Value: [Keep-Alive]

[hdr] Set-Cookie: BCSI-CSAC10C819=2; Path=/

Header Name: [set-cookie], Value: [BCSI-CSAC10C819=2; Path=/]

[hdr] Connection: Keep-Alive

Header Name: [connection], Value: [Keep-Alive]

[hdr] Content-Length: 920

Header Name: [content-length], Value: [920]

[hdr]

End of headers.

Running post_headers hooks

Reading 920 bytes of response body.

Got 920 bytes.

Read block (920 bytes):

[<HTML><HEAD>

<IMG src="<<image url>">

<TITLE>Access Denied</TITLE>

</HEAD>

<BODY>

<FONT face="Helvetica">

<big><strong></strong></big><BR>

</FONT>

<blockquote>

<TABLE border=0 cellPadding=1 width="80%">

<TR><TD>

<FONT face="Helvetica">

<big><FONT COLOR="Blue">Access Denied (authentication_failed)</FONT></big>

<BR>

<BR>

</FONT>

</TD></TR>

<TR><TD>

<FONT face="Helvetica">

Your credentials could not be authenticated: "Another round of authentication required.". You will not be permitted access until your credentials can be verified.

</FONT>

</TD></TR>

<TR><TD>

<FONT face="Helvetica">

This is typically caused by an incorrect username and/or password, but could also be caused by network problems.

</FONT>

</TD></TR>

<TR><TD>

<FONT face="Helvetica" SIZE=2>

<BR>

For assistance, contact xxxxxxxxxxxxxxxx.

</FONT>

</TD></TR>

</TABLE>

</blockquote>

</FONT>

</BODY></HTML>

]

Running post_send hooks

ah_post_send (#1), code is 407 (want 407), Proxy-Authenticate is NTLM TlRMTVNTUAACAAAADgAOADgAAAA1goniOR+IXH68HhMAAAAAAAAAAGwAbABGAAAABQCTCAAAAA9BAFUAVABIAE8AUgBTAAIADgBBAFUAVABIAE8AUgBTAAEAEABEAFIAQQBOAEUAVAAwADEABAAUAGYAcwBhAC4AZwBvAHYALgB1AGsAAwAmAGQAcgBhAG4AZQB0ADAAMQAuAGYAcwBhAC4AZwBvAHYALgB1AGsAAAAAAA==

auth: Got challenge (code 407).

auth: Got 'NTLM' challenge.

auth: NTLM opaque parameter 'TlRMTVNTUAACAAAADgAOADgAAAA1goniOR+IXH68HhMAAAAAAAAAAGwAbABGAAAABQCTCAAAAA9BAFUAVABIAE8AUgBTAAIADgBBAFUAVABIAE8AUgBTAAEAEABEAFIAQQBOAEUAVAAwADEABAAUAGYAcwBhAC4AZwBvAHYALgB1AGsAAwAmAGQAcgBhAG4AZQB0ADAAMQAuAGYAcwBhAC4AZwBvAHYALgB1AGsAAAAAAA=='

auth: Trying NTLM challenge...

auth: SSPI challenge.

auth: SSPI challenge [TlRMTVNTUAADAAAAGAAYAH4AAAAYABgAlgAAABAAEABIAAAAFgAWAFgAAAAQABAAbgAAABAAEACuAAAANYKI4gUBKAoAAAAPRAA4ADgATQBOAE4AMwBKAFMAdABlAHYAZQAgAEIAcgBvAHcAbgBEADgAOABNAE4ATgAzAEoAd61IQ6EjQqUAAAAAAAAAAAAAAAAAAAAANEplC6Pv/EqRLpeGDL5alPSqVAK4GyWnpqlYG/ZyGlqpAF8St8tGkA==]

auth: Accepted NTLM challenge.

Running pre_send hooks

auth: Sending 'NTLM' response.

Sending request headers:

CONNECT <host>:443 HTTP/1.1

Host: <host>

User-Agent: SVN/1.6.4 (r38063) neon/0.28.2

Keep-Alive:

Proxy-Connection: Keep-Alive

Connection: TE

TE: trailers

Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAH4AAAAYABgAlgAAABAAEABIAAAAFgAWAFgAAAAQABAAbgAAABAAEACuAAAANYKI4gUBKAoAAAAPRAA4ADgATQBOAE4AMwBKAFMAdABlAHYAZQAgAEIAcgBvAHcAbgBEADgAOABNAE4ATgAzAEoAd61IQ6EjQqUAAAAAAAAAAAAAAAAAAAAANEplC6Pv/EqRLpeGDL5alPSqVAK4GyWnpqlYG/ZyGlqpAF8St8tGkA==

 

Sending request-line and headers:

Request sent; retry is 1.

[status-line] < HTTP/1.1 407 Proxy Authentication Required

[hdr] Proxy-Authenticate: NTLM

Header Name: [proxy-authenticate], Value: [NTLM]

[hdr] Cache-Control: no-cache

Header Name: [cache-control], Value: [no-cache]

[hdr] Pragma: no-cache

Header Name: [pragma], Value: [no-cache]

[hdr] Content-Type: text/html; charset=utf-8

Header Name: [content-type], Value: [text/html; charset=utf-8]

[hdr] Proxy-Connection: close

Header Name: [proxy-connection], Value: [close]

[hdr] Set-Cookie: BCSI-CSAC10C819=2; Path=/

Header Name: [set-cookie], Value: [BCSI-CSAC10C819=2; Path=/]

[hdr] Connection: close

Header Name: [connection], Value: [close]

[hdr] Content-Length: 953

Header Name: [content-length], Value: [953]

[hdr]

End of headers.

Running post_headers hooks

Reading 953 bytes of response body.

Got 953 bytes.

Read block (953 bytes):

[<HTML><HEAD>

<IMG src="<<image url>">

<TITLE>Access Denied</TITLE>

</HEAD>

<BODY>

<FONT face="Helvetica">

<big><strong></strong></big><BR>

</FONT>

<blockquote>

<TABLE border=0 cellPadding=1 width="80%">

<TR><TD>

<FONT face="Helvetica">

<big><FONT COLOR="Blue">Access Denied (authentication_failed)</FONT></big>

<BR>

<BR>

</FONT>

</TD></TR>

<TR><TD>

<FONT face="Helvetica">

Your credentials could not be authenticated: "General authentication failure due to bad user ID or authentication token.". You will not be permitted access until your credentials can be verified.

</FONT>

</TD></TR>

<TR><TD>

<FONT face="Helvetica">

This is typically caused by an incorrect username and/or password, but could also be caused by network problems.

</FONT>

</TD></TR>

<TR><TD>

<FONT face="Helvetica" SIZE=2>

<BR>

For assistance, contact xxxxxxxxxxxxxxxxx.

</FONT>

</TD></TR>

</TABLE>

</blockquote>

</FONT>

</BODY></HTML>

]

Running post_send hooks

ah_post_send (#2), code is 407 (want 407), Proxy-Authenticate is NTLM

auth: Got challenge (code 407).

auth: Got 'NTLM' challenge.

auth: Trying NTLM challenge...

auth: SSPI challenge.

sspi: failing because starting over from failed try.

auth: No challenges accepted.

sess: Closing connection.

sess: Connection closed.

Request ends, status 407 class 4xx, error line:

Could not authenticate to proxy server: could not parse challenge

Running destroy hooks.

Request ends.

Request ends, status 0 class 0xx, error line:

Could not create SSL connection through proxy server: Could not authenticate to proxy server: could not parse challenge

Running destroy hooks.

Request ends.

svn: OPTIONS of 'https://<host>/<path>': Could not create SSL connection through proxy server: Could not authenticate to proxy server: could not parse challenge (https://<host>)

sess: Destroying session.

sess: Destroying session.

 

C:\Program Files\CollabNet Subversion Server>cd "\Program Files\CollabNet Subversion Server"

------------------------------- Finish -----------------------------

 

Any help in resolving this issue would be much appreciated.

 

 

 

Steve Brown

 

 

 




This communication and any attachments contains information which is confidential and may be subject to legal privilege. It is for intended recipients only. If you are not the intended recipient you must not copy, distribute, publish, rely on or otherwise use it without our consent. Some of our communications may contain confidential information which it could be a criminal offence for you to disclose or use without authority. If you have received this email in error please notify postmaster_at_fsa.gov.uk immediately and delete the email from your computer.
The FSA reserves the right to monitor all email communications for compliance with legal, regulatory and professional standards.
This email is not intended to nor should it be taken to create any legal relations or contractual relationships. This email has originated from
The Financial Services Authority (FSA)
25 The North Colonnade,
Canary Wharf,
London
E14 5HS
United Kingdom
Registered as a Limited Company in England and Wales No.1920623.
Registered Office as above
Switchboard: 020 7066 1000
Web Site: http://www.fsa.gov.uk
*****************************************************************

Received on 2010-01-21 12:26:27 CET

This is an archived mail posted to the Subversion Users mailing list.