Michael Flanakin's Web Log

Comments and complaints on software and technology in general


News

This weblog is no longer being maintained. For the latest, check out www.michaelflanakin.com!


Man, oh, man! Setting this thing up was a pain in the arse. It took up most of my day! Anyway, hopefully, I can save someone else the headache.

Here's the setup: client - Windows XP, server - Windows Server 2003 running Subversion 1.2.1 and Apache 2.0.54. Within the Apache httpd.conf file, the following modules must be set up in this order:

# Windows authentication module
LoadModule sspi_auth_module   modules/mod_auth_sspi.so

# subversion modules (mod_dav itself must already be loaded before mod_dav_svn)
LoadModule dav_svn_module "C:/Program Files/Subversion/bin/mod_dav_svn.so"
LoadModule authz_svn_module "C:/Program Files/Subversion/bin/mod_authz_svn.so"

Next, I had to set up my Subversion location (later in the same file):

<Location />
    DAV svn
    SVNParentPath "D:/Repository/"
    
    # authentication
    AuthName "Subversion Authentication"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain DOMAIN
    SSPIOfferBasic On
    Require valid-user
    
    # authorization
    AuthzSVNAccessFile "D:/Repository/authorization.conf"
</Location>

Finally, I had to set up a Subversion access file. With this file, I kind of took the easy way out. I only added developers with write access to the root and set up any other user with read-only to the root. I didn't feel like messing with it much after that.

[groups]
dashboard-dev = DOMAIN\FLANAKINM, flanakinm

[/]
* = r
@dashboard-dev = rw

Here's the important part to remember: you have to use two login names - one with and one without the domain. The reason for this, as I understand it, is that Subversion requires the former and the web browser requires the latter (that may be backwards).

Now, let me dig into this a little bit. The aforementioned modules are for Windows authentication, Subversion WebDAV, and Subversion authorization, respectively. That's pretty simple - no real options there. You may notice that I chose to reference the Subversion modules from the Subversion directory. I believe most people move them to the Apache directory instead. Whatever works for you. I chose this method because, if they're ever updated, that's where they'd be installed after upgrading Subversion. Also of note, I used the mod_auth_sspi.so module from the TortoiseSVN website (link provided later). There's supposed to be another one floating around with more features. The links I found to that one are all dead, so if anyone knows how to get it, let me know, please.

Next, let's look at the location section. I'm only using Apache for Subversion (on port 9999), so I just set up the location to be the root (hence the "/"). The DAV svn is required for WebDAV and the SVNParentPath specifies that the parent directory of my repositories is located at "D:\Repository" (I used forward slashes (/), but I'm pretty sure you can use backslashes (\), too). Now, into the part that can be a pain... AuthName doesn't matter, as far as I can tell; so use whatever makes sense (hell, you might even be able to omit it). AuthType SSPI tells Apache to use the SSPI module for Windows authentication. SSPIAuth On and SSPIAuthoritative On turn that authentication on. SSPIDomain specifies the domain you're using - I believe this is optional. SSPIOfferBasic On tells Apache to offer Basic authentication to non-IE clients. Require valid-user tells Apache that all users must be authenticated in order to gain access to the location. Finally, the AuthzSVNAccessFile specifies the text file which holds the authorization rules.
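An added example (not from the original post): a small Python audit of an httpd.conf fragment for two problems this setup can hit, dav_svn_module loaded without dav_module ahead of it, and SSPIOfferBasic On in a location that does not require SSL, where the Basic fallback sends the password base64-encoded over plain HTTP. The sample configuration is constructed, audit_httpd_conf and check_location are hypothetical names, and SSLRequireSSL is mod_ssl's directive, which the post itself does not use.

```python
import re

# Constructed sample, modelled on the httpd.conf fragments in this post.
SAMPLE_HTTPD = '''
LoadModule sspi_auth_module modules/mod_auth_sspi.so
LoadModule dav_svn_module "C:/Program Files/Subversion/bin/mod_dav_svn.so"
<Location />
    DAV svn
    AuthType SSPI
    SSPIAuth On
    SSPIOfferBasic On
    Require valid-user
</Location>
'''

def check_location(path, d):
    """Checks for one <Location>; d maps lower-cased directive -> argument."""
    out = []
    if d.get("authtype", "").lower() != "sspi":
        return out
    if d.get("sspiofferbasic", "").lower() == "on" and "sslrequiressl" not in d:
        out.append(f"{path}: SSPIOfferBasic On without SSLRequireSSL")
    if "require" not in d:
        out.append(f"{path}: no Require directive, so nothing forces a login")
    return out

def audit_httpd_conf(text):
    findings, loaded = [], []      # loaded: module names in load order
    location, directives = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.match(r"LoadModule\s+(\S+)", line, re.I):
            loaded.append(m.group(1))
        elif m := re.match(r"<Location\s+(.+?)\s*>$", line, re.I):
            location, directives = m.group(1), {}
        elif line.lower() == "</location>":
            findings += check_location(location, directives)
            location = None
        elif location is not None:
            name, _, arg = line.partition(" ")
            directives[name.lower()] = arg.strip()
    # mod_dav_svn needs mod_dav loaded ahead of it, or "DAV svn" fails.
    if "dav_svn_module" in loaded:
        before = loaded[:loaded.index("dav_svn_module")]
        if "dav_module" not in before:
            findings.append("dav_module is not loaded before dav_svn_module")
    return findings
```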

I'm not going to get into this file too much. As I mentioned before, all you really need to know is that you have to have two entries per user: one with and one without the domain name.
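An added example (not the author's code): a Python lint for the access file that flags a domain login listed without its bare twin, and a rule that names a group without the leading '@'. The sample file and the names parse_authz and lint_authz are constructed for illustration; pairing the two spellings case-insensitively is an assumption made for this check only.

```python
# Constructed sample: one domain login lacks its bare twin, and one rule
# names a group without the leading '@' (the two pitfalls on this page).
SAMPLE_AUTHZ = r'''
[groups]
dashboard-dev = DOMAIN\FLANAKINM, flanakinm, DOMAIN\JDOE

[/]
* = r
dashboard-dev = rw
'''

def parse_authz(text):
    """Return {section name: [(key, value), ...]} for an access file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current.append((key.strip(), value.strip()))
    return sections

def lint_authz(text):
    sections = parse_authz(text)
    groups = {name: [m.strip() for m in value.split(",") if m.strip()]
              for name, value in sections.get("groups", [])}
    findings = []
    for name, members in groups.items():
        # Pairing ignores case only to find the twin (an assumption of this
        # lint); the name Apache passes on is still matched exactly.
        seen = {m.lower() for m in members}
        for m in members:
            _, sep, bare = m.rpartition("\\")
            if sep and bare.lower() not in seen:
                findings.append(f"{name}: {m} has no bare entry '{bare}'")
            elif not sep and not m.startswith("@") and not any(
                    s.endswith("\\" + m.lower()) for s in seen):
                findings.append(f"{name}: {m} has no DOMAIN\\user entry")
    for section, rules in sections.items():
        if section == "groups":
            continue
        for subject, _ in rules:
            if subject in groups:  # a group used as if it were a user name
                findings.append(f"[{section}] {subject}: use '@{subject}'")
    return findings
```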

For more information on the following areas, check out the respective links. Best of luck to you! (...you may need it)

mod_auth_sspi.so
http://tortoisesvn.tigris.org/mod_auth_sspi.zip
TortoiseSVN FAQ: Windows Authentication on Linux (just in case you're bored)
http://tortoisesvn.berlios.de/?q=node/48
TortoiseSVN FAQ: Windows Authentication on Windows
http://tortoisesvn.berlios.de/?q=node/137
TortoiseSVN Help: Windows Authentication with a Windows Domain
http://tortoisesvn.sourceforge.net/docs/release/TortoiseSVN_en/ch03.html#tsvn-serversetup-apache-5
Windows Domain Authentication (c/o Martin Tomes)
http://www.subversionary.org/sspidomainauth
Subversion Mail Archive: Getting NT Authorization Right with mod_auth_sspi.so
http://svn.haxx.se/users/archive-2004-07/subject.shtml#580
Mere-Moments Guide to installing a Subversion server on Windows (c/o Joe White)
http://excastle.com/blog/archive/2005/05/31/1048.aspx?Pending=true

Ultimately, the link that helped me the most was the Subversion users mail archive. I linked to the last post (they're listed latest to earliest), so review those as needed.

posted on Wednesday, August 31, 2005 10:56 AM

Feedback

# re: Windows Authentication with Subversion on Windows 9/1/2005 5:51 AM John Watson
Bless you!!! I am just about to embark on this very same configuration.

# re: Windows Authentication with Subversion on Windows 9/1/2005 7:00 AM Michael Flanakin
Best of luck. Feel free to email me or post any questions/comments.


# re: Windows Authentication with Subversion on Windows 9/27/2005 1:30 AM Error
Hi, I have a problem with Apache. If I use your code in httpd.conf, Apache does not start. The error is in the line DAV svn; what can it be?

# re: Windows Authentication with Subversion on Windows 9/27/2005 3:27 AM Michael Flanakin
Do you have the mod_dav_svn.so mapped correctly? If so, check on the mod_dav.so module - I think that's the right name. mod_dav needs to be before mod_dav_svn. My guess is that's where your problem is.

# re: Windows Authentication with Subversion on Windows 9/27/2005 11:25 PM Jojje
I had problems with mod_dav_svn when I was running an old version of Apache, 2.0.52 with Subversion 1.2.3. The problem was solved when I upgraded to Apache 2.0.54.

# Securing SubVersion Repository configured to use Windows Authentication 12/1/2005 3:02 AM Khurram Aziz
I recently needed to secure the SubVersion repository. I am using SubVersion with Apache on Windows;...

# re: Windows Authentication with Subversion on Windows 1/6/2006 1:56 PM MattBrown
Using your post, I was able to get 99% of the way there. One thing you might want to mention is that the error log shows the user name that is being given to Apache, as well as the string that should be in brackets in the auth file. My auth file has to look like the following to work:


[groups]
grp = DOMAIN\user, user

[repo:/]
grp = rw



The error I was getting is below and is what ultimately led me to try changing the repository string.

Access denied: 'user' GET repo:/

# re: Windows Authentication with Subversion on Windows 2/6/2006 5:53 AM zhenya_k
Use as shown above:
[groups]
grp = DOMAIN\user, user

[repo:/]
@grp = rw


# re: Windows Authentication with Subversion on Windows 3/3/2006 1:30 AM PixelJuice
I've set this up for trac and Subversion, I can authenticate alright using IE / Firefox. However, even when I'm logged onto the domain on the LAN I get prompted for password. I tried setting SSPIOfferBasic Off and SSPIOfferSSPI On and vice versa - still get the annoying prompt on IE (but if I put in the correct username/password it does authenticate properly). Any suggestions??

# re: Windows Authentication with Subversion on Windows 3/3/2006 3:29 AM Michael Flanakin
This is always how it's worked. I think TortoiseSVN can be set up to work automatically, but I'm not sure how to set that up.

# re: Windows Authentication with Subversion on Windows 3/23/2006 9:26 PM Corey
I use TortoiseSVN 1.3.2 as the client. Can it use Windows Authentication and how?

# re: Windows Authentication with Subversion on Windows 3/24/2006 7:41 AM Michael Flanakin
I thought I saw something about using Windows Authentication with TSVN, but when I started using 1.3, I was always asked for my user credentials. I haven't really looked into it again since all I had to do was type my username/password in for my LAN account. I figured I was just mistaken. There's probably some setting for it that I haven't noticed - I haven't really looked.

# Subversion over Apache Httpd over SSL with Basic Auth on Windows 2003 Server box... 3/31/2006 2:13 AM Rexiology::Work
Ok, after a full installation of Subversion on my server, here is the complete installation steps...

# Subversion over Apache Httpd over SSL with Basic Auth on Windows 2003 Server box... 3/31/2006 2:15 AM Rexiology...
crosspost from http://rextang.net/blogs/work/
Ok, after a full installation of Subversion on...

# re: Windows Authentication with Subversion on Windows 8/18/2006 10:47 AM Mark Holzapfel
Has anyone done SSPI this way with a Windows group in place of a user? It would make administration simpler...

# re: Windows Authentication with Subversion on Windows 10/17/2006 12:26 PM lsabug
I would also like to know if AD groups can be used with SSPI. Also, is there a recent binary of mod_auth_sspi so I don't have to compile it? I keep getting an error message when I run make.
Thanks.

# re: Windows Authentication with Subversion on Windows 5/2/2007 10:39 AM Sebastien Filion
This works for a user that is part of a domain.

But I need to use a user group instead of a simple user.

It looks like that:

[groups]
project-buildmaster = DOMAIN\PROJECT-BUILDMASTER

[/]
* = r
@project-buildmaster = rw

But the problem is that PROJECT-BUILDMASTER is a group, not a user. So it appears that SVNAccessFile didn't support adding domain groups.

What do you think about this?


# re: Windows Authentication with Subversion on Windows 5/5/2007 11:20 AM Michael Flanakin
I haven't tried using groups, but I think you're right in the fact that they won't work. The reason is because that's not what comes across the wire. The way groups work is, when you get a request, you have to poll the domain controller, asking if the user is either in a certain group or has a specific set of permissions, which knows how to check groups. This isn't that sophisticated. When the request hits Apache, it only passes the domain and username. I'm sure it'd be possible to support groups, but that would have to be added to the SSPI module.

# Using AD Groups instead of Users 5/7/2007 11:10 AM Boyan
Here is what I did to get groups to work instead of users:

Instead of:
"Require valid-user"
Use:
"Require group DomainName\GroupName"

Also, comment out the access file line:
AuthzSVNAccessFile "D:/Repository/authorization.conf"

This method works fine with the SSPI module I got from here:
http://www.deadbeef.com/index.php/mod_auth_sspi/sspi.html

Now, if it was only possible to disable the user/password prompt. I'll keep digging.

# re: Windows Authentication with Subversion on Windows 5/9/2007 3:25 PM JImboG
I am using Apache 2.0.59 with Subversion 1.4.3 and mod_auth_sspi-1.0.3-2.0.55. I am using domain groups as per AM Boyan's suggestion and keep getting a login dialogue box in IE and Mozilla and can never get my users to authenticate regardless of the account. Any suggestions?

# re: Windows Authentication with Subversion on Windows 8/7/2007 11:53 AM Gael Marziou
Thanks for this post, still useful 2 years later!

Warning, when you use "SSPIOfferBasic On", non NTLM clients will encode your username and
password in base64 which is almost equivalent to sending your password across the network in the clear.

However it is encrypted locally on your disk using Windows CryptoAPI in %APPDATA%\Subversion\auth\svn.simple file.

# re: Windows Authentication with Subversion on Windows 8/7/2007 12:25 PM Gael Marziou
Just one thing, I found the compiled module at http://www.gknw.net/development/apache/index.html

# re: Using AD Groups instead of Users 5/27/2008 8:28 AM Jury A. Sazonov
Boyan, great thanks for your idea, it really works!
But how can I determine read-only or full-access rights for domain groups?

# re: Using AD Groups 5/28/2008 8:40 PM S Huang
Great tip from Boyan. The "Requires group" Apache directive works with AD group name when the SSPI auth module is used.

In my case, I have the directive "SSPIOmitDomain" turned "On", so in the "Requires" directive, I do not need to include the domain name. In addition, the user id sent to subversion does not include the domain name as well. It is much neater.

To further specify read-only or full access to svn folders, you can use the "Limit" directive.

# re: To further specify read-only or full access to svn folders, you can use the "Limit" directive. 5/29/2008 1:22 AM Jury A. Sazonov
S Huang, sorry, but can you write an example here?

A great thanks!

# re: Windows Authentication with Subversion on Windows 8/18/2008 11:11 AM Michal
Guyz,

seems that "require valid-user" works perfectly well, nevertheless I have issues with "require group domain\group"

I am never authenticated for some reason and browser keeps prompting me for password.

Logs say unknown user or bad password.

any ideas ?

cheers,
michal

# re: Windows Authentication with Subversion on Windows 8/29/2008 7:53 AM ASP Net Web Development
Thanks for thorough explanation... great job

# re: Windows Authentication with Subversion on Windows 11/12/2008 11:36 AM Patrick
This thread has been quiet for a little while, but in case someone else comes looking for the solution to Michal's problem: I ran into it and found a solution.

Most places say to use:
require group DOMAINNAME\groupname

However since \ is considered a special delimiting character (ie \n for newline) I had to use a \\ to delimit domain and user/group.

Require group DOMAIN\\GroupName

I don't know if it should matter since I have SSPIUsernameCase lower on, but I also followed the same casing in the line as is in the AD.


# re: Windows Authentication with Subversion on Windows 1/8/2009 10:57 AM Greg Sheremeta
Thanks for this very useful post!

I was getting 403 and I found that adding
AllowOverride None
Order allow,deny
Allow from all
after
<Location /svn>
DAV svn
SVNParentPath "D:/svn"

fixed that. In case anyone else hits that.

# re: Windows Authentication with Subversion on Windows 1/26/2009 2:17 PM Ron
Just an FYI. I had trouble finding a way to use both local and Windows authentication.

For Windows Authentication, I performed the tasks shown in this post. But first, I copied what was already there and pasted it into the httpd.conf file.

Then, I changed the /svn in the <Location> tag to /svn_local. Then, if someone needed to use local authentication, they would use svn_local in their URL and the Subversion server would use the local user id and password stored locally.

Hope this helps.

# re: Windows Authentication with Subversion on Windows 4/29/2009 3:34 PM Nitin Dixit
Hi,
Very good post. Can anyone share how mod_auth_sspi authenticates a user? In the conf file I am not using LDAP.
How does it work?

Thanks
Nitin Dixit
