In SVN how do I override automatic Windows domain authentication

Question

I have a build server that is not part of a Windows domain trying to connect to a VisualSVN server running HTTPS via apache with domain login via Active Directory. When I try to connect to the server using specifying a domain username I observe a client hang:

svn ls --username=domainuser https://subversion.mydomain/svn/repo1/

The logs on the server show Windows authentication failures using the login-name for the build-machine, and the build-machine's hostname in the Domain name field. The username provided on the command-line is completely ignored.

SVN Client: TortoiseSVN commandline tools: svn, version 1.8.1 (r1503906)

On a separate machine (on the domain) - I found that the --username would not be ignored if I used the cygwin svn instead.

Answer 1

The solution I found was to disable the http-auth-type 'negotiate'. This prevents Windows credentials being automatically shared.

I verified this using a command-line override, it asked for password for the user on the command-line:

svn ls --username=domainuser --config-option servers:global:http-auth-types=basic;digest https://subversion.mydomain/svn/repo1/
Authentication realm: <https://subversion.mydomain/svn/repo1/> VisualSVN Server
Password for 'domainuser': 

(Note for Cygwin users: If you use SVN under Windows via Cygwin then you will need to add quotes to your command like this: $ svn ls --username=domainuser --config-option "servers:global:http-auth-types=basic;digest" https://subversion.mydomain/svn/repo1/ -- Otherwise the semicolon will be treated as a command delimiter.)

To configure this more permanently you can make a servers config file entry for all matching servers. For Win7 that's C:\Users\<User>\AppData\Roaming\Subversion\servers.

[groups]
mydomain = *.mydomain

[mydomain]
http-auth-types=basic;digest

Answer 2

Instead of disabling negotiate in client's config, I'd suggest using Windows Credential Manager to store the other account's credentials for Single Sign-On.

The following instruction shows how to put other domain credentials to access VisualSVN Server into Windows Credential Manager:

1. Start | Control Panel | Credential Manager,

2. Click 'Add a Windows Credential',

3. As 'Internet or network address' enter the FQDN of VisualSVN Server's machine,

4. As 'Username' enter the <DOMAIN>\<username> of user account that exists in domain and has access rights to VisualSVN Server,

5. Complete the password field and click OK,

6. Verify that you can authenticate to VisualSVN Server under the selected user account after completing the above steps.