[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

"rejected Basic challenge" for one user only (Win/apache)

From: Cooke, Mark <mark.cooke_at_siemens.com>
Date: Wed, 12 Jan 2011 11:41:30 -0000

Hello,

We use TortoiseSVN from windows XP SP3 clients (required by corporate
policy) to connect to repos on windows server 2003:-

Apache/2.2.17 (Win32) DAV/2 mod_ssl/2.2.17 OpenSSL/0.9.8o mod_wsgi/3.3
Python/2.6.4 SVN/1.6.15

I have one single user (amongst 15 or so) who is experiencing
authentication issues and need some help in working out what is wrong
for him alone.

Background:

We moved to svn and Trac about 18 months ago (when I joined) and I have
configured everything. We started using mod_sspi for authentication as
I could not understand (nor get local help for) the decorated names etc
used by LDAP. That was working but then this one user stopped being
able to use svn at all. As he had trouble accessing the server at all
(which uses SSL and global authentication) I blamed SSPI and finally
found the info I needed to get LDAP working against our Active Directory
forest.

My user can now access the server and browse the source tree fine (I use
the TortoiseSVN xslt config and each department has their own parentpath
set of repos). However, he still cannot checkout or update. From using
tortoise we installed svn command line that we use on the server (from
alagazam, thanks David Darj!) and we are seeing the following error:

Authentication realm: <https://server.company.net:443> Dept Applications
server
Password for 'user_a': *********
Authentication realm: <https://server.company.net:443> Dept Applications
server
Username: domain\user_a
Password for 'domain\user_a': *********
Authentication realm: <https://server.company.net:443> Dept Applications
server

Username: svn: OPTIONS of
'https://server.company.net/svn/dept/project/trunk': authorization
failed: Could not authenticate to server: rejected Basic challenge
(https://server.company.net)

We know the same username/password works against the apache server and
we use the same authz file for path based authentication from both
apache and subversion direct. All other users work OK, just this one
user is having problems. We have cleared all cached data using tortoise
then uninstalled and rebooted before re-installing tortoise. We then
tried the svn cli again (generating the info above) to make sure it was
svn and not specific to tortoise.

Here is the sanitised authentication section from httpd conf (I know
Basic is plain text but all traffic is redirected to SSL https and the
standard client here is IE6):

<Location />
    Order allow,deny
    Allow from all

    AuthName "Dept Applications server"
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on

    # The LDAP query URL ~ upgrading to a secure connection once
connected...
    AuthLDAPURL
"ldap://adserver:3268/DC=blah,DC=blah,DC=blah?sAMAccountName,mail?sub?(o
bjectClass=*)" TLS

    # Active Directory requires an authenticating DN to access records
    AuthLDAPBindDN <ad-username>
    AuthLDAPBindPassword <ad-password>

    Require valid-user
</Location>

...and the department svn root:

<Location /svn/dept/>
    DAV svn
    SVNIndexXSLT "/subversion/svnindex.xsl"
    SVNParentPath D:/svn/dept/
    SVNListParentPath On
    # restrict access to subversion repository paths...
    AuthzForceUsernameCase Lower
    AuthzSVNAccessFile d:/path-to/svn-users.txt
</Location>

...and the relevant bits of svn-users.txt:

[aliases]
bryanb = user_a

# Give all authenticated users read access to the root
# NB: use "* = " for all [repo:/] sections to remove access
[/]
&bryanb = rw
user_a = rw

...note that I have granted rights to both the alias and the user's ID
to see if that helped (no change).

Finally, here are sample errors from the apache log file:

[Wed Jan 12 10:06:38 2011] [error] [client ip-address] user user_a:
authentication failure for "/svn/dept/project/trunk": Password Mismatch
[Wed Jan 12 10:18:42 2011] [error] [client ip-address] user
domain\\user_a not found: /svn/dept/project/trunk

I do not understand where the 'Password Mismatch' error is coming from,
why does that only happen when using subversion and not the browser? I
have tried searching for "rejected Basic challenge" (both svn.haxx.se
and the wider net) but I've not found anything that hes helped so far.

Please can someone help me with where to go next?

Many thanks,

~ mark c
Received on 2011-01-12 12:42:16 CET

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.