Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

In SVN how do I override automatic Windows domain authentication

I have a build server that is not part of a Windows domain trying to connect to a VisualSVN server running HTTPS via apache with domain login via Active Directory. When I try to connect to the server using specifying a domain username I observe a client hang:

svn ls --username=domainuser https://subversion.mydomain/svn/repo1/

The logs on the server show Windows authentication failures using the login-name for the build-machine, and the build-machine's hostname in the Domain name field. The username provided on the command-line is completely ignored.

SVN Client: TortoiseSVN commandline tools: svn, version 1.8.1 (r1503906)

On a separate machine (on the domain) - I found that the --username would not be ignored if I used the cygwin svn instead.

like image 304
Greg Avatar asked Nov 05 '13 23:11

Greg


People also ask

What is SVN authentication?

Windows Authentication is a key feature of VisualSVN Server. This feature is designed for Active Directory domain environments and allows users to access VisualSVN Server with their Windows credentials.


2 Answers

The solution I found was to disable the http-auth-type 'negotiate'. This prevents Windows credentials being automatically shared.

I verified this using a command-line override, it asked for password for the user on the command-line:

svn ls --username=domainuser --config-option servers:global:http-auth-types=basic;digest https://subversion.mydomain/svn/repo1/
Authentication realm: <https://subversion.mydomain/svn/repo1/> VisualSVN Server
Password for 'domainuser': 

(Note for Cygwin users: If you use SVN under Windows via Cygwin then you will need to add quotes to your command like this: $ svn ls --username=domainuser --config-option "servers:global:http-auth-types=basic;digest" https://subversion.mydomain/svn/repo1/ -- Otherwise the semicolon will be treated as a command delimiter.)

To configure this more permanently you can make a servers config file entry for all matching servers. For Win7 that's C:\Users\<User>\AppData\Roaming\Subversion\servers.

[groups]
mydomain = *.mydomain

[mydomain]
http-auth-types=basic;digest
like image 175
Greg Avatar answered Sep 20 '22 10:09

Greg


Instead of disabling negotiate in client's config, I'd suggest using Windows Credential Manager to store the other account's credentials for Single Sign-On.

The following instruction shows how to put other domain credentials to access VisualSVN Server into Windows Credential Manager:

  1. Start | Control Panel | Credential Manager,

  2. Click 'Add a Windows Credential',

  3. As 'Internet or network address' enter the FQDN of VisualSVN Server's machine,

  4. As 'Username' enter the <DOMAIN>\<username> of user account that exists in domain and has access rights to VisualSVN Server,

  5. Complete the password field and click OK,

  6. Verify that you can authenticate to VisualSVN Server under the selected user account after completing the above steps.

like image 26
bahrep Avatar answered Sep 21 '22 10:09

bahrep