http-auth-type negotiate broken after upgrade


Graeme Hodgson

Jul 20, 2012, 7:27:05 AM
to us...@tortoisesvn.tigris.org
From a customer:

"I'm working on both the upgrade from 1.6 to 1.7 and passing through Windows credentials so our developers won't have to manually enter a username/password. On TortoiseSVN 1.6.16, I found the registry setting to enable negotiate as an http-auth-type even when connecting over unencrypted http (specifically, adding a group under HKCU\Software\Tigris.org\Subversion\servers and explicitly allowing negotiate for it). When I upgraded to Tortoise 1.7.4, however, this stopped working.

Using Wireshark, I saw that the initial response from the server would be exactly the same (401 Unauthorized), but where 1.6 would immediately send back an Authorization: Negotiate header, 1.7 never seems to try that method. Eventually, I found that I could work around this by specifying serf as the http-library, but I figured (1) we'd like to stay as close to stock TortoiseSVN as possible, for ease of maintenance, and (2) you probably want to fix the interaction with neon regardless.

Both TortoiseSVN clients were standard downloads; the only special configuration (beyond the aforementioned server grouping) is to specify a different diff tool and some global ignores. I saw that both clients were using neon 0.29.6; 1.6 is using serf 0.7.2, while 1.7 is using serf 1.0.1. Any ideas what's going on there, or what it would take to fix it so we could use the default library?"


Any ideas would be greatly appreciated.
TIA.

--

Regards,

Graeme Hodgson
Technical Support Engineer
WANdisco plc.
Office: +44.(0)114.303 9985 X733
   Cell: +44.(0).798.218.1852
   Fax: +1.866.247.7584

http://www.wandisco.com

uberSVN: Subversion Made Easy
http://www.uberSVN.com

Everything you need to deploy Subversion in the Enterprise
http://www.wandisco.com/subversion

Subversion community
http://www.svnforum.org

Read our blogs
http://blogs.wandisco.com/

Follow us on Twitter
http://www.twitter.com/wandisco


THIS MESSAGE AND ANY ATTACHMENTS ARE CONFIDENTIAL, PROPRIETARY, AND
MAY BE PRIVILEGED.  If this message was misdirected, WANdisco plc
and its subsidiaries, ("WANdisco") does not waive any confidentiality
or privilege.  If you are not the intended recipient, please notify us
immediately and destroy the message without disclosing its contents to
anyone.  Any distribution, use or copying of this e-mail or the
information it contains by other than an intended recipient is
unauthorized.  The views and opinions expressed in this e-mail message
are the author's own and may not reflect the views and opinions of
WANdisco, unless the author is authorized by WANdisco to express such
views or opinions on its behalf.  All email sent to or from this
address is subject to electronic storage and review by WANdisco.
Although WANdisco operates anti-virus programs, it does not accept
responsibility for any damage whatsoever caused by viruses being
passed.

Stefan Küng

Jul 20, 2012, 2:50:20 PM
to us...@tortoisesvn.tigris.org, Graeme Hodgson
neon does not allow SSPI authentication over unencrypted protocols. It
simply does not use that authentication if used over http, only if https
is used.
The reason is simple: doing that over http is a severe security risk,
and MS disabled this a long time ago. You can work around the MS
restriction by having Apache connect to the domain controller over an
encrypted channel though, but that's not recommended (I guess that's
what they are doing).

The only way to really fix this is to use https instead of plain http.
Any other way would be a very bad hack, and that's why I won't mention
any of those.

Stefan

btw: your email signature is almost as long as the content of this mail.
Please turn off the legal disclaimer, because it's completely useless.
And then shorten the rest of your signature: it's enough to have a link
to the homepage. You can link to the other pages from your homepage. We
don't need a link list of all your pages in your emails.

As a rule of thumb: signatures should not exceed four lines.


> Regards,
>
> Graeme Hodgson
> Technical Support Engineer
> WANdisco plc.
> Office: +44.(0)114.303 9985 X733
> Cell: +44.(0).798.218.1852

Redirect your office line to your cell, then you don't have to mention
it here as well. Also: if you specify both, some people will always use
the cell number, and then when you're on your office line, your cell
rings. Very annoying.

> Fax: +1.866.247.7584

Do people really still use fax machines? If they do, send them a
postcard with that number on it: they most likely don't know what email
and the internet is, so you can omit that number from your signature as
well.

>
> http://www.wandisco.com

That's ok.

> uberSVN: Subversion Made Easy
> http://www.uberSVN.com

That's on your homepage. No need to add this here.

>
> Everything you need to deploy Subversion in the Enterprise
> http://www.wandisco.com/subversion

Really? A subpage of your homepage you linked from above? Do you really
think that people won't find that page from the front page?
If you say yes, then that means you have to redesign your homepage, not
include that in your signature.

>
> Subversion community
> http://www.svnforum.org

Again, linked from the homepage.

>
> Read our blogs
> http://blogs.wandisco.com/

This as well.

>
> Follow us on Twitter
> http://www.twitter.com/wandisco

And again: put it on your homepage. That's what a homepage is for, not
an email, and especially not one you send to our mailing list.

> THIS MESSAGE AND ANY ATTACHMENTS ARE CONFIDENTIAL, PROPRIETARY, AND
> MAY BE PRIVILEGED. If this message was misdirected, WANdisco plc
> and its subsidiaries, ("WANdisco") does not waive any confidentiality
> or privilege. If you are not the intended recipient, please notify us

Sorry, no can do.
What's sent to my inbox is per definition (and also by law in our
country) mine and I can do with it as I please.
Adding some legal nonsense won't help.

> immediately and destroy the message without disclosing its contents to

Yep. I'm sure that if any message really would contain something secret
or interesting, anyone who receives it will do that.
If you find your very secret message posted all over the internet, I'm
sure it can't be because someone didn't follow that order.

> anyone. Any distribution, use or copying of this e-mail or the
> information it contains by other than an intended recipient is
> unauthorized. The views and opinions expressed in this e-mail message

But since when do we need authorization?

> are the author's own and may not reflect the views and opinions of
> WANdisco, unless the author is authorized by WANdisco to express such

Doesn't really tell us anything.

> views or opinions on its behalf. All email sent to or from this
> address is subject to electronic storage and review by WANdisco.

Now that however could be a problem: with this you're violating laws in
a lot of countries. Reading other peoples emails (if they weren't sent
to you) is illegal in my country and all countries that surround us.

> Although WANdisco operates anti-virus programs, it does not accept
> responsibility for any damage whatsoever caused by viruses being
> passed.

And that's just nonsense. If a court tells you that you're responsible
then it doesn't matter whether you accept it or not.
You see: the whole legalese mumbo jumbo here is completely irrelevant
and just annoying.
Tell Richard and your IT staff to have this nonsense removed.

Stefan

--
___
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.net

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2991995
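To make the reply's point checkable against a client's own settings, here is an added example (not code from this thread, TortoiseSVN or Subversion): it parses a constructed servers-style config, works out which HTTP auth types the client would offer for a repository URL, models the neon rule Stefan describes (Negotiate attempted only over https), and flags credential-bearing schemes that would go over cleartext http. The servers-file layout, the [global] fallback and neon as the 1.7 default library are assumptions; hostnames are placeholders.

```python
import configparser
import fnmatch
from urllib.parse import urlsplit
# Constructed sample in the layout of Subversion's per-user "servers" file (the
# file form of the HKCU\Software\Tigris.org\Subversion\servers registry keys).
SAMPLE_SERVERS = """
[groups]
intranet = svn.corp.example, *.corp.example
[intranet]
http-auth-types = basic;digest;negotiate
http-library = serf
"""
DEFAULT_AUTH_TYPES = "basic;digest;negotiate"  # Subversion's built-in default
DEFAULT_LIBRARY = "neon"                        # assumed 1.7 default (thread)

def load_servers(text):
    """Parse servers-style INI; ';' only opens full-line comments here."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                    comment_prefixes=("#", ";"))
    cfg.read_string(text)
    return cfg

def group_for_host(cfg, host):
    """Name of the [groups] entry whose glob matches host, else 'global'."""
    for name, patterns in (cfg.items("groups") if cfg.has_section("groups") else []):
        if any(fnmatch.fnmatchcase(host.lower(), p.strip().lower())
               for p in patterns.split(",")):
            return name
    return "global"

def setting(cfg, group, key, default):
    """Look key up in the host's group, then [global], then the built-in default."""
    for section in (group, "global"):
        if cfg.has_option(section, key):
            return cfg.get(section, key)
    return default

def assess(cfg, url):
    """Offered schemes for url, whether neon would try Negotiate, cleartext risks."""
    parts = urlsplit(url)
    group = group_for_host(cfg, parts.hostname or "")
    types = [t.strip().lower() for t in setting(cfg, group, "http-auth-types",
             DEFAULT_AUTH_TYPES).split(";") if t.strip()]
    library = setting(cfg, group, "http-library", DEFAULT_LIBRARY)
    cleartext = parts.scheme == "http"
    # Model of the reply: neon refuses SSPI/Negotiate unless the URL is https.
    negotiate_attempted = "negotiate" in types and (not cleartext or library != "neon")
    findings = [f"{s}-over-cleartext" for s in ("negotiate", "basic")
                if cleartext and s in types]
    return {"group": group, "auth_types": types, "http_library": library,
            "negotiate_attempted": negotiate_attempted, "findings": findings}
```

Running assess() over the repository URLs a client actually uses shows both halves of the thread: a group forcing serf will attempt Negotiate over http, while the neon default will not, and either way the cleartext findings stay until the URL is https.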
