Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Powershell, svn, and authentication

I can remote desktop into a given machine and run svn, without giving authentication information, and it works; my AD authentication allows me access to the repository I want.

I can use Powershell to connect to the machine and execute svn commands, as well. However, when I do, I get "access forbidden". [Environment]::UserName appears with the username I expected (my AD username) when run from the script that's being remotely executed.

What am I missing to make this work?

Some code:

$Session = New-PSSession -ComputerName $computerName;

if (-Not ($Session)) {
    Write-Host "Did not create session!";
    Return;
}

Invoke-Command -Session $Session -FilePath 'switchAllRepositories.ps1' -ArgumentList $branchName;

Remove-PSSession $Session;

and in switchAllRepositories, I have a parameter:

Param(
  [string]$branchURL
)

a series of calls like:

If(Test-Path "C:\webfiles\repositoryname") {
    Write-Host "Switching repositoryname"
    SwitchRepo "repositoryname" ($branchURL) "C:\webfiles\repositoryname";
}

which call:

Function SwitchRepo ($repoName, $branchPath, $workingCopy)
{
    $to = ("https://[url]/svn/" + $repoName + $branchPath);
    Write-Host "to $to";

    #debug
    $user = [Environment]::UserName
    Write-Host "as $user";

    $exe = "C:\Program Files\TortoiseSVN\bin\svn.exe";
    &$exe switch "$to" "$WorkingCopy" --username [redacted] --password [redacted] --no-auth-cache --non-interactive --trust-server-cert

    if ($process.ExitCode -ne 0) {
        #$wshell = New-Object -ComObject Wscript.Shell
        #$wshell.Popup("Error switching " + $repoName,0,"Done",0x1)
        Write-Host "Error detected!"
    }
}

The exact error is:

svn: E175013: Unable to connect to a repository at URL '[snipped]' + CategoryInfo : NotSpecified: (svn: E175013: U...eases/20150620':String) [], RemoteException + FullyQualifiedErrorId : NativeCommandError svn: E175013: Access to '[snipped]' forbidden

like image 761
Yamikuronue Avatar asked Jun 11 '15 12:06

Yamikuronue


1 Answers

It would help to see the code you're using, but if it's what I suspect then you're using PowerShell remoting with either Enter-PSSession or Invoke-Command.

Since those will default to using kerberos authentication, and the SVN server is probably on a 3rd machine, you're likely running into the kerberos double-hop authentication issue.

Simply put, you can't remote into machine B from machine A, then from within that session try to access machine C using the same authentication context.

You may be able to workaround this in a few ways: CredSSP is often brought up in these but I find it's complicated and typically a re-thinking of the workflow turns out better.

So for example, you might be able to explicitly specify credentials for the SVN commands.

Or, you can create your own endpoint on the server that uses a RunAs user. Then all the commands will be from Machine B as a specific user:

  • https://stackoverflow.com/a/30061125/3905079
  • https://stackoverflow.com/a/26077172/3905079
like image 105
briantist Avatar answered Nov 15 '22 01:11

briantist