Dear List,
Replying to myself in the hope this may catch some more eyes. More info
inline below...
> -----Original Message-----
> From: Cooke, Mark
> Sent: 12 January 2011 11:42
> Subject: "rejected Basic challenge" for one user only (Win/apache)
>
> Hello,
>
> We use TortoiseSVN from windows XP SP3 clients (required by corporate
> policy) to connect to repos on windows server 2003:-
>
> Apache/2.2.17 (Win32) DAV/2 mod_ssl/2.2.17 OpenSSL/0.9.8o mod_wsgi/3.3
> Python/2.6.4 SVN/1.6.15
>
> I have one single user (amongst 15 or so) who is experiencing
> authentication issues and need some help in working out what is wrong
> for him alone.
>
> Background:
>
> We moved to svn and Trac about 18 months ago (when I joined) and I
> have configured everything. We started using mod_sspi for
> authentication as I could not understand (nor get local help for)
> the decorated names etc used by LDAP. That was working but then
> this one user stopped being able to use svn at all. As he had
> trouble accessing the server at all (which uses SSL and global
> authentication) I blamed SSPI and finally found the info I needed
> to get LDAP working against our Active Directory forest.
>
> My user can now access the server and browse the source tree fine
> (I use the TortoiseSVN xslt config and each department has their
> own parentpath set of repos). However, he still cannot checkout
> or update. From using tortoise we installed svn command line that
> we use on the server (from alagazam, thanks David Darj!) and we
> are seeing the following error:
>
> Authentication realm: <https://server.company.net:443> Dept
> Applications server
> Password for 'user_a': *********
> Authentication realm: <https://server.company.net:443> Dept
> Applications server
> Username: domain\user_a
> Password for 'domain\user_a': *********
> Authentication realm: <https://server.company.net:443> Dept
> Applications server
>
> Username: svn: OPTIONS of
> 'https://server.company.net/svn/dept/project/trunk': authorization
> failed: Could not authenticate to server: rejected Basic challenge
> (https://server.company.net)
>
> We know the same username/password works against the apache server and
> we use the same authz file for path based authentication from both
> apache and subversion direct. All other users work OK, just this one
> user is having problems. We have cleared all cached data using
> tortoise then uninstalled and rebooted before re-installing tortoise.
> We then tried the svn cli again (generating the info above) to make
> sure it was svn and not specific to tortoise.
>
> Here is the sanitised authentication section from httpd conf (I know
> Basic is plain text but all traffic is redirected to SSL https and the
> standard client here is IE6):
>
> <Location />
> Order allow,deny
> Allow from all
>
> AuthName "Dept Applications server"
> AuthType Basic
> AuthBasicProvider ldap
> AuthzLDAPAuthoritative on
>
> # The LDAP query URL
> AuthLDAPURL
> "ldap://adserver:3268/DC=blah,DC=blah,DC=blah?sAMAccountName,m
> ail?sub?(objectClass=*)" TLS
>
> # Active Directory requires an authenticating DN to access records
> AuthLDAPBindDN <ad-username>
> AuthLDAPBindPassword <ad-password>
>
> Require valid-user
> </Location>
>
> ...and the department svn root:
>
> <Location /svn/dept/>
> DAV svn
> SVNIndexXSLT "/subversion/svnindex.xsl"
> SVNParentPath D:/svn/dept/
> SVNListParentPath On
> # restrict access to subversion repository paths...
> AuthzForceUsernameCase Lower
> AuthzSVNAccessFile d:/path-to/svn-users.txt
> </Location>
>
> ...and the relevant bits of svn-users.txt:
>
> [aliases]
> bryanb = user_a
>
> # Give all authenticated users read access to the root
> # NB: use "* = " for all [repo:/] sections to remove access
> [/]
> &bryanb = rw
> user_a = rw
>
> ...note that I have granted rights to both the alias and the user's
> ID to see if that helped (no change).
>
> Finally, here are sample errors from the apache log file:
>
> [Wed Jan 12 10:06:38 2011] [error] [client ip-address] user user_a:
> authentication failure for "/svn/dept/project/trunk":
> Password Mismatch
> [Wed Jan 12 10:18:42 2011] [error] [client ip-address] user
> domain\\user_a not found: /svn/dept/project/trunk
>
> I do not understand where the 'Password Mismatch' error is
> coming from, why does that only happen when using subversion
> and not the browser? I have tried searching for "rejected Basic
> challenge" (both svn.haxx.se and the wider net) but I've not found
> anything that hes helped so far.
>
From what I have found, this should indicate that the server is
rejecting the cached credentials and so the client is prompting for
updated credentials. However, the user can browse the repos using IE
and https through the server (which applies blanket authorisation
through the <Location \> directive) which makes me suspect svn somehow
instead of apache.
I have also tried disabling the AuthzSVNAccessFile (including bouncing
apache) but that made no difference.
What can I do to try to work out what the problem is? It is only svn
and (currently) for only this one user... I'd really appreciate any
help at this point.
~ mark c
Received on 2011-01-14 14:19:45 CET