Michael Flanakin's Web Log

Comments and complaints on software and technology in general


News

This weblog is no longer being maintained. For the latest, check out www.michaelflanakin.com!


Man, oh, man! Setting this thing up was a pain in the arse. It took up most of my day! Anyway, hopefully, I can save someone else the headache.

Here's the setup: client - Windows XP, server - Windows Server 2003 running Subversion 1.2.1 and Apache 2.0.54. Within the Apache httpd.conf file, the following modules must be set up in order:

# Windows authentication module
LoadModule sspi_auth_module   modules/mod_auth_sspi.so

# subversion modules (mod_dav itself must already be loaded before mod_dav_svn)
LoadModule dav_svn_module "C:/Program Files/Subversion/bin/mod_dav_svn.so"
LoadModule authz_svn_module "C:/Program Files/Subversion/bin/mod_authz_svn.so"

Next, I had to set up my Subversion location (later in the same file):

<Location />
    DAV svn
    SVNParentPath "D:/Repository/"
    
    # authentication
    AuthName "Subversion Authentication"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain DOMAIN
    SSPIOfferBasic On
    Require valid-user
    
    # authorization
    AuthzSVNAccessFile "D:/Repository/authorization.conf"
</Location>

Finally, I had to set up a Subversion access file. With this file, I kind of took the easy way out. I only added developers with write access to the root and set up any other user with read-only to the root. I didn't feel like messing with it much after that.

[groups]
dashboard-dev = DOMAIN\FLANAKINM, flanakinm

[/]
* = r
@dashboard-dev = rw

Here's the important part to remember: you have to use two login names - one with and one without the domain. The reason for this, as I understand it, is that Subversion requires the former and the web browser requires the latter (that may be backwards).

Now, let me dig into this a little bit. The aforementioned modules are for Windows authentication, Subversion WebDAV, and Subversion authorization, respectively. That's pretty simple - no real options there. You may notice that I chose to reference the Subversion modules from the Subversion directory. I believe most people move them to the Apache directory instead. Whatever works for you. I chose this method because, if they're ever updated, that's where they'd be installed after upgrading Subversion. Also of note, I used the mod_auth_sspi.so module from the TortoiseSVN website (link provided later). There's supposed to be another one floating around with more features. The links I found to that one are all dead, so if anyone knows how to get it, let me know, please.

Next, let's look at the location section. I'm only using Apache for Subversion (on port 9999), so I just set up the location to be the root (hence the "/"). The DAV svn is required for WebDAV and the SVNParentPath specifies that the parent directory of my repositories is located at "D:\Repository" (I used forward slashes (/), but I'm pretty sure you can use back slashes (\), too). Now, into the part that can be a pain... AuthName doesn't matter, as far as I can tell; so use whatever makes sense (hell, you might even be able to omit it). AuthType SSPI tells Apache to use the SSPI module for Windows authentication. SSPIAuth On and SSPIAuthoritative On turn that authentication on. SSPIDomain specifies the domain you're using - I believe this is optional. SSPIOfferBasic On tells Apache to provide basic authentication for non-IE connectors. Require valid-user tells Apache that all users must be authenticated in order to gain access to the location. Finally, the AuthzSVNAccessFile specifies the text file which holds the authorization rules.

I'm not going to get into this file too much. As I mentioned before, all you really need to know is that you have to have two entries per user: one with and one without the domain name.
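To make the two-entries rule concrete, here is an added example (not code from the original post or from Subversion) that evaluates the access file shown above for several spellings of the same account. It is a simplified model that assumes exact, case-sensitive name matching and that a grant beats a denial within one section; repository-qualified sections such as `[repo:/]` are not modeled, and the `/trunk` path is made up.

```python
import configparser

# Constructed sample: the access file from the post above.
ACCESS_FILE = r"""
[groups]
dashboard-dev = DOMAIN\FLANAKINM, flanakinm

[/]
* = r
@dashboard-dev = rw
"""

def load(text):
    """Parse an access file into (groups, rules)."""
    cp = configparser.RawConfigParser(delimiters=("=",))
    cp.optionxform = str  # keep names as written; matching is assumed case-sensitive
    cp.read_string(text)
    groups, rules = {}, {}
    for section in cp.sections():
        for name, value in cp.items(section):
            if section == "groups":
                groups[name] = {m.strip() for m in value.split(",") if m.strip()}
            else:
                rules.setdefault(section, []).append((name, value.strip()))
    return groups, rules

def access(groups, rules, user, path="/"):
    """Return '', 'r' or 'rw' for `user`, compared exactly as the server receives it."""
    def matches(who):
        if who.startswith("@"):
            return user in groups.get(who[1:], set())
        return who in ("*", user)  # 'DOMAIN\name' and 'name' are different users here
    while True:
        hits = [perms for who, perms in rules.get(path, []) if matches(who)]
        if hits:  # simplified: within one section, a grant beats a denial
            return "".join(f for f in "rw" if any(f in p for p in hits))
        if path == "/":
            return ""
        path = path.rsplit("/", 1)[0] or "/"  # no rule here: inherit from the parent

if __name__ == "__main__":
    groups, rules = load(ACCESS_FILE)
    # Two listed spellings, then one that is not listed in the group.
    for name in (r"DOMAIN\FLANAKINM", "flanakinm", r"DOMAIN\flanakinm"):
        print(f"{name!r:22} -> {access(groups, rules, name, '/trunk')!r}")
```

A spelling that is not listed does not fail loudly: it falls through to `* = r` and the user simply loses write access.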

For more information on the following areas, check out the respective links. Best of luck to you! (...you may need it)

mod_auth_sspi.so
http://tortoisesvn.tigris.org/mod_auth_sspi.zip
TortoiseSVN FAQ: Windows Authentication on Linux (just in case you're bored)
http://tortoisesvn.berlios.de/?q=node/48
TortoiseSVN FAQ: Windows Authentication on Windows
http://tortoisesvn.berlios.de/?q=node/137
TortoiseSVN Help: Windows Authentication with a Windows Domain
http://tortoisesvn.sourceforge.net/docs/release/TortoiseSVN_en/ch03.html#tsvn-serversetup-apache-5
Windows Domain Authentication (c/o Martin Tomes)
http://www.subversionary.org/sspidomainauth
Subversion Mail Archive: Getting NT Authorization Right with mod_auth_sspi.so
http://svn.haxx.se/users/archive-2004-07/subject.shtml#580
Mere-Moments Guide to installing a Subversion server on Windows (c/o Joe White)
http://excastle.com/blog/archive/2005/05/31/1048.aspx?Pending=true

Ultimately, the link that helped me the most was the Subversion users mail archive. I linked to the last post (they're listed latest to earliest), so review those as needed.

posted on Wednesday, August 31, 2005 10:56 AM

Feedback

# re: Windows Authentication with Subversion on Windows 9/1/2005 5:51 AM John Watson
Bless you!!! I am just about to embark on this very same configuration.

# re: Windows Authentication with Subversion on Windows 9/1/2005 7:00 AM Michael Flanakin
Best of luck. Feel free to email me or post any questions/comments.


# re: Windows Authentication with Subversion on Windows 9/27/2005 1:30 AM Error
Hi, I have a problem with Apache. If I use your code in httpd.conf, Apache does not start. The error is in the line DAV svn; what can it be?

# re: Windows Authentication with Subversion on Windows 9/27/2005 3:27 AM Michael Flanakin
Do you have the mod_dav_svn.so mapped correctly? If so, check on the mod_dav.so module - I think that's the right name. mod_dav needs to be before mod_dav_svn. My guess is that's where your problem is.

# re: Windows Authentication with Subversion on Windows 9/27/2005 11:25 PM Jojje
I had problems with mod_dav_svn when I was running an old version of Apache, 2.0.52 with Subversion 1.2.3. The problem was solved when I upgraded to Apache 2.0.54.

# Securing SubVersion Repository configured to use Windows Authentication 12/1/2005 3:02 AM Khurram Aziz
I recently needed to secure the SubVersion repository. I am using SubVersion with Apache on Windows;...

# re: Windows Authentication with Subversion on Windows 1/6/2006 1:56 PM MattBrown
Using your post, I was able to get 99% of the way there. One thing you might want to mention is that the error log shows the user name that is being given to Apache, as well as the string that should be in brackets in the auth file. My auth file has to look like the following to work:


[groups]
grp = DOMAIN\user, user

[repo:/]
grp = rw



The error I was getting is below and is what ultimately led me to try changing the repository string.

Access denied: 'user' GET repo:/

# re: Windows Authentication with Subversion on Windows 2/6/2006 5:53 AM zhenya_k
Use as shown above:
[groups]
grp = DOMAIN\user, user

[repo:/]
@grp = rw


# re: Windows Authentication with Subversion on Windows 3/3/2006 1:30 AM PixelJuice
I've set this up for trac and Subversion, I can authenticate alright using IE / Firefox. However, even when I'm logged onto the domain on the LAN I get prompted for password. I tried setting SSPIOfferBasic Off and SSPIOfferSSPI On and vice versa - still get the annoying prompt on IE (but if I put in the correct username/password it does authenticate properly). Any suggestions??

# re: Windows Authentication with Subversion on Windows 3/3/2006 3:29 AM Michael Flanakin
This is always how it's worked. I think TortoiseSVN can be set up to work automatically, but I'm not sure how to set that up.

# re: Windows Authentication with Subversion on Windows 3/23/2006 9:26 PM Corey
I use TortoiseSVN 1.3.2 as the client. Can it use Windows Authentication, and how?

# re: Windows Authentication with Subversion on Windows 3/24/2006 7:41 AM Michael Flanakin
I thought I saw something about using Windows Authentication with TSVN, but when I started using 1.3, I was always asked for my user credentials. I haven't really looked into it again since all I had to do was type my username/password in for my LAN account. I figured I was just mistaken. There's probably some setting for it that I haven't noticed - I haven't really looked.

# Subversion over Apache Httpd over SSL with Basic Auth on Windows 2003 Server box... 3/31/2006 2:13 AM Rexiology::Work
Ok, after a full installation of Subversion on my server, here is the complete installation steps...

# Subversion over Apache Httpd over SSL with Basic Auth on Windows 2003 Server box... 3/31/2006 2:15 AM Rexiology...
crosspost from http://rextang.net/blogs/work/
Ok, after a full installation of Subversion on...

# re: Windows Authentication with Subversion on Windows 8/18/2006 10:47 AM Mark Holzapfel
Has anyone done this SSPI setup with a Windows group in place of a user? It would make administration simpler...

# re: Windows Authentication with Subversion on Windows 10/17/2006 12:26 PM lsabug
I would also like to know if AD groups can be used with SSPI. Also, is there a recent binary (I keep getting an error message when I run make) so I don't have to compile mod_auth_sspi?
Thanks.

# re: Windows Authentication with Subversion on Windows 11/3/2006 1:23 AM Murthy
I need Windows authentication with Subversion without the Apache server. I tried the way you mentioned; during the commit I am getting the access denied error message.

# Setting up a Subversion server on Windows 1/13/2007 2:20 PM Ayende @ Blog
Setting up a Subversion server on Windows

# re: Windows Authentication with Subversion on Windows 5/2/2007 10:39 AM Sebastien Filion
This works for a user that is part of a domain.

But I need to use a user group instead of a simple user.

It looks like this:

[groups]
project-buildmaster = DOMAIN\PROJECT-BUILDMASTER

[/]
* = r
@project-buildmaster = rw

But the problem is that PROJECT-BUILDMASTER is a group, not a user. So it appears that SVNAccessFile didn't support adding domain groups.

What do you think about this?


# re: Windows Authentication with Subversion on Windows 5/5/2007 11:20 AM Michael Flanakin
I haven't tried using groups, but I think you're right in the fact that they won't work. The reason is because that's not what comes across the wire. The way groups work is, when you get a request, you have to poll the domain controller, asking if the user is either in a certain group or has a specific set of permissions, which knows how to check groups. This isn't that sophisticated. When the request hits Apache, it only passes the domain and username. I'm sure it'd be possible to support groups, but that would have to be added to the SSPI module.

# Using AD Groups instead of Users 5/7/2007 11:10 AM Boyan
Here is what I did to get groups to work instead of users:

Instead of:
"Require valid-user"
Use:
"Require group DomainName\GroupName"

Also, comment out the access file line:
AuthzSVNAccessFile "D:/Repository/authorization.conf"

This method works fine with the SSPI module I got from here:
http://www.deadbeef.com/index.php/mod_auth_sspi/sspi.html

Now, if it was only possible to disable the user/password prompt. I'll keep digging.

# re: Windows Authentication with Subversion on Windows 5/9/2007 3:25 PM JImboG
I am using Apache 2.0.59 with Subversion 1.4.3 and mod_auth_sspi-1.0.3-2.0.55. I am using domain groups as per AM Boyan's suggestion and keep getting a login dialogue box in IE and Mozilla and can never get my users to authenticate regardless of the account. Any suggestions?

# re: Windows Authentication with Subversion on Windows 8/7/2007 11:53 AM Gael Marziou
Thanks for this post, still useful 2 years later!

Warning, when you use "SSPIOfferBasic On", non-NTLM clients will encode your username and password in base64 which is almost equivalent to sending your password across the network in the clear.

However it is encrypted locally on your disk using Windows CryptoAPI in %APPDATA%\Subversion\auth\svn.simple file.
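A configuration check for the exposure described in the comment above, as an added example that is not part of the original post or of any comment: it flags `<Location>` blocks that set `SSPIOfferBasic On` without requiring TLS. It assumes TLS is enforced with mod_ssl's `SSLRequireSSL` inside the same block, so a server that enforces HTTPS some other way is flagged as well.

```python
import re

# Constructed sample: the <Location> block from the post, with no TLS requirement.
HTTPD_CONF = """
<Location />
    DAV svn
    SVNParentPath "D:/Repository/"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIOfferBasic On
    Require valid-user
</Location>
"""

def basic_without_tls(conf_text):
    """Return the <Location> paths that offer Basic auth but lack SSLRequireSSL."""
    findings, location, seen = [], None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or whole-line comment
        opened = re.match(r"<Location\s+(.+?)\s*>$", line, re.IGNORECASE)
        if opened:
            location, seen = opened.group(1).strip('"'), {}
        elif location is None:
            continue  # directive outside any <Location>; not inspected here
        elif line.lower() == "</location>":
            offers_basic = seen.get("sspiofferbasic", "").lower() == "on"
            if offers_basic and "sslrequiressl" not in seen:
                findings.append(location)
            location = None
        else:
            # Directive names are case-insensitive; some take no argument.
            name, *rest = line.split(None, 1)
            seen[name.lower()] = rest[0] if rest else ""
    return findings

if __name__ == "__main__":
    for path in basic_without_tls(HTTPD_CONF):
        print(f"<Location {path}>: SSPIOfferBasic On without SSLRequireSSL")
```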

# re: Windows Authentication with Subversion on Windows 8/7/2007 12:25 PM Gael Marziou
Just one thing, I found the compiled module at http://www.gknw.net/development/apache/index.html

# re: Using AD Groups instead of Users 5/27/2008 8:28 AM Jury A. Sazonov
Boyan, great thanks for your idea, it really works!
But how can I determine read-only or full-access rights for domain groups?

# re: Using AD Groups 5/28/2008 8:40 PM S Huang
Great tip from Boyan. The "Requires group" Apache directive works with AD group name when the SSPI auth module is used.

In my case, I have the directive "SSPIOmitDomain" turned "On", so in the "Requires" directive, I do not need to include the domain name. In addition, the user id sent to subversion does not include the domain name as well. It is much neater.

To further specify read-only or full access to svn folders, you can use the "Limit" directive.

# re: To further specify read-only or full access to svn folders, you can use the "Limit" directive. 5/29/2008 1:22 AM Jury A. Sazonov
S Huang, sorry, but can you write an example here?

A great thanks!

# re: Windows Authentication with Subversion on Windows 8/18/2008 11:11 AM Michal
Guyz,

seems that "require valid-user" works perfectly well, nevertheless I have issues with "require group domain\group"

I am never authenticated for some reason and browser keeps prompting me for password.

Logs say unknown user or bad password.

Any ideas?

cheers,
michal

# re: Windows Authentication with Subversion on Windows 8/29/2008 7:53 AM ASP Net Web Development
Thanks for thorough explanation... great job
