
Windows Authentication with Subversion on Windows

Man, oh, man! Setting this thing up was a pain in the arse. It took up most of my day! Anyway, hopefully, I can save someone else the headache.

Here’s the setup: client – Windows XP, server – Windows Server 2003 running Subversion 1.2.1 and Apache 2.0.54. Within the Apache httpd.conf file, the following modules must be set up in order:

# Windows authentication module
LoadModule sspi_auth_module   modules/mod_auth_sspi.so

# subversion modules
LoadModule dav_svn_module "C:/Program Files/Subversion/bin/mod_dav_svn.so"
LoadModule authz_svn_module "C:/Program Files/Subversion/bin/mod_authz_svn.so"

Next, I had to set up my Subversion location (later in the same file):

<Location />
    DAV svn
    SVNParentPath "D:/Repository/"
    
    # authentication
    AuthName "Subversion Authentication"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain DOMAIN
    SSPIOfferBasic On
    Require valid-user
    
    # authorization
    AuthzSVNAccessFile "D:/Repository/authorization.conf"
</Location>

Finally, I had to set up a Subversion access file. With this file, I kind of took the easy way out. I only added developers with write access to the root and set up any other user with read-only to the root. I didn’t feel like messing with it much after that.

[groups]
dashboard-dev = DOMAIN\FLANAKINM, flanakinm

[/]
* = r
@dashboard-dev = rw

Here’s the important part to remember: you have to use two login names – one with and one without the domain. The reason for this, as I understand it, is because Subversion requires the former and the web browser requires the latter (that may be backwards).

Now, let me dig into this a little bit. The aforementioned modules are for Windows authentication, Subversion WebDAV, and Subversion authorization, respectively. That’s pretty simple – no real options there. You may notice that I chose to reference the Subversion modules from the Subversion directory. I believe most people move them to the Apache directory instead. Whatever works for you. I chose this method because, if they’re ever updated, that’s where they’d be installed after upgrading Subversion. Also of note, I used the mod_auth_sspi.so module from the TortoiseSVN website (link provided later). There’s supposed to be another one floating around with more features. The links I found to that one are all dead, so if anyone knows how to get it, let me know, please.

Next, let’s look at the location section. I’m only using Apache for Subversion (on port 9999), so I just set up the location to be the root (hence the “/”). The DAV svn is required for WebDAV and the SVNParentPath specifies that the parent directory of my repositories is located at “D:\Repository” (I used forward slashes (/), but I’m pretty sure you can use back slashes (\), too). Now, into the part that can be a pain… AuthName doesn’t matter, as far as I can tell; so use whatever makes sense (hell, you might even be able to omit it). AuthType SSPI tells Apache to use the SSPI module for Windows authentication. SSPIAuth On and SSPIAuthoritative On turn that authentication on. SSPIDomain specifies the domain you’re using – I believe this is optional. SSPIOfferBasic On tells Apache to provide basic authentication for non-IE connectors. Require valid-user tells Apache that all users must be authenticated in order to gain access to the location. Finally, the AuthzSVNAccessFile specifies the text file which holds the authorization rules.

I’m not going to get into this file too much. As I mentioned before, all you really need to know is that you have to have two entries per user: one with and one without the domain name.
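A small check for the two-entries-per-user rule, added here as an example and not part of the original post: it reads an access file in the format shown above and lists every user who appears in only one of the two forms, because a user who authenticates under the unlisted form matches only the `* = r` rule. Pairing names case-insensitively (as in the post's own DOMAIN\FLANAKINM / flanakinm entry) is an assumption, and the `jdoe` and `DOMAIN\ASMITH` entries are constructed sample data.

```python
import configparser

# Constructed sample in the format of the access file above; "jdoe" and
# DOMAIN\ASMITH are made-up entries that each exist in only one name form.
SAMPLE_AUTHZ = r"""
[groups]
dashboard-dev = DOMAIN\FLANAKINM, flanakinm, jdoe
dashboard-qa = DOMAIN\ASMITH

[/]
* = r
@dashboard-dev = rw
DOMAIN\ASMITH = rw
"""


def unpaired(names):
    """Return the names whose user is listed in only one of the two forms."""
    forms = {}  # bare user name (lowercased) -> {has_domain_prefix: spelling}
    for name in names:
        if name == "*" or name[:1] in "@~$&":
            continue  # wildcard, group reference, empty or other non-user token
        _domain, sep, user = name.rpartition("\\")
        # Assumption: the two forms are matched case-insensitively.
        forms.setdefault(user.lower(), {})[bool(sep)] = name
    return [next(iter(seen.values())) for seen in forms.values() if len(seen) == 1]


def find_unpaired_users(authz_text):
    """Map each group or path rule block to the users missing their other form."""
    parser = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False)
    parser.optionxform = str  # keep the case of user and group names
    parser.read_string(authz_text)

    findings = {}
    for section in parser.sections():
        if section == "groups":
            scopes = {f"group {group}": [m.strip() for m in members.split(",")]
                      for group, members in parser.items(section)}
        else:
            scopes = {f"path {section}": list(parser[section])}
        for scope, names in scopes.items():
            missing = unpaired(names)
            if missing:
                findings[scope] = missing
    return findings


if __name__ == "__main__":
    for scope, users in find_unpaired_users(SAMPLE_AUTHZ).items():
        print(f"{scope}: only one name form for {', '.join(users)}")
```
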

For more information on the following areas, check out the respective links. Best of luck to you! (…you may need it)

mod_auth_sspi.so
http://tortoisesvn.tigris.org/mod_auth_sspi.zip

TortoiseSVN FAQ: Windows Authentication on Linux (just in case you’re bored)
http://tortoisesvn.berlios.de/?q=node/48

TortoiseSVN FAQ: Windows Authentication on Windows
http://tortoisesvn.berlios.de/?q=node/137

TortoiseSVN Help: Windows Authentication with a Windows Domain
http://tortoisesvn.sourceforge.net/docs/release/TortoiseSVN_en/ch03.html#tsvn-serversetup-apache-5

Windows Domain Authentication (c/o Martin Tomes)
http://www.subversionary.org/sspidomainauth

Subversion Mail Archive: Getting NT Authorization Right with mod_auth_sspi.so
http://svn.haxx.se/users/archive-2004-07/subject.shtml#580

Mere-Moments Guide to installing a Subversion server on Windows (c/o Joe White)
http://excastle.com/blog/archive/2005/05/31/1048.aspx?Pending=true

Ultimately, the link that helped me the most was the Subversion users mail archive. I linked to the last post (they’re listed latest to earliest), so review those as needed.

This article is part of the GWB Archives. Original Author: Michael Flanakin
