Singe-Sign-On broken with Apache-2.4 and mod_authnz_sspi on win32 since 1.8.0

[Helmut Wieser]

Singe-Sign-On seems to be broken with Apache-2.4 and mod_authnz_sspi on win32 since 1.8.0.

I use collabnet subversion edge 4.0 on windows 2003 as a server with mod_authnz_sspi. It works fine when authenticating with Firefox, IE and TSVN < 1.8.0. TSVN 1.8.0 prompts for a password, and it works fine when I enter it.
I access my SVN repo via HTTPS, and I realize that neon was deprecated in favor of serf. I couldn't find a way to debug serf, so I'm happy for pointers.

I have two clients running Win7_x64 and TSVN_x64, both members of a domain. One runs TSVN 1.8.0 where the problem appears, the other runs TSVN 1.7.13.24257 and everything is fine there.

I've checked the logs on Apache, but I couldn't find aynthing suspicious.

Authenticating to Apache running on a Linux box with mod_auth_kerb still works fine with Single-Sign-On from both windows boxes. So I guess this problem has to do with SSPI somehow.

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3059230

To unsubscribe from this discussion, e-mail: [users-un...@tortoisesvn.tigris.org].

[Bob Archer]

> Singe-Sign-On seems to be broken with Apache-2.4 and mod_authnz_sspi on
> win32 since 1.8.0.
>
> I use collabnet subversion edge 4.0 on windows 2003 as a server with
> mod_authnz_sspi. It works fine when authenticating with Firefox, IE and TSVN <
> 1.8.0. TSVN 1.8.0 prompts for a password, and it works fine when I enter it.
> I access my SVN repo via HTTPS, and I realize that neon was deprecated in
> favor of serf. I couldn't find a way to debug serf, so I'm happy for pointers.
>
> I have two clients running Win7_x64 and TSVN_x64, both members of a
> domain. One runs TSVN 1.8.0 where the problem appears, the other runs TSVN
> 1.7.13.24257 and everything is fine there.
>
> I've checked the logs on Apache, but I couldn't find aynthing suspicious.
>
> Authenticating to Apache running on a Linux box with mod_auth_kerb still
> works fine with Single-Sign-On from both windows boxes. So I guess this
> problem has to do with SSPI somehow.

I think this is a known issue that is supposed to be fixed in 1.8.1. However, I think it occurs when you use SSPIAuth Auto (or something).... if you turn that off, while you still have to provide username/password it should still work. At least, that is my understanding.

BOb

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3059279

[Gert Kello]

>> Singe-Sign-On seems to be broken with Apache-2.4 and mod_authnz_sspi on
>> win32 since 1.8.0.
>>
>> I use collabnet subversion edge 4.0 on windows 2003 as a server with
>> mod_authnz_sspi. It works fine when authenticating with Firefox, IE and TSVN <
>> 1.8.0. TSVN 1.8.0 prompts for a password, and it works fine when I enter it.
>> I access my SVN repo via HTTPS, and I realize that neon was deprecated in
>> favor of serf. I couldn't find a way to debug serf, so I'm happy for pointers.
>

> I think this is a known issue that is supposed to be fixed in 1.8.1. However, I think it occurs when you use SSPIAuth Auto (or something).... if you turn that off, while you still have to provide username/password it should still work. At least, that is my understanding.
>

The discussion about the issue in svn users list:
http://svn.haxx.se/users/archive-2013-06/0146.shtml


The discussion about patch is at
http://svn.haxx.se/dev/archive-2013-06/0413.shtml

Gert

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3059290

[Helmut Wieser]

That thread is certainly an interesting read!

Just for the record, when I add "SSPIPackage Negotiate" to my Apache config single-sign-on works with TSVN 1.8.0 like it should (using serf) but TSVN < 1.8 (using neon) clients are prompted for username and password. If the credentials are provided it works fine however.

I have not tried using serf with TSVN < 1.8 clients, but I assume it will work with negotiate. I guess I'll wait for TSVN 1.8.1 and see if this is fixed. (Although it's a serf issue, not TSVN.)

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3059500

[Helmut Wieser]

Just for the record, this issue has been fixed in TortoiseSVN 1.8.1 (or Subversion 1.8.1, rather) although I couldn't find anything about this in the release notes for either TortoiseSVN 1.8.1 or Subversion 1.8.1.

Thanks!

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3061350

[Stefan Küng]

On 26.07.2013 08:09, Helmut Wieser wrote:
> Just for the record, this issue has been fixed in TortoiseSVN 1.8.1
> (or Subversion 1.8.1, rather) although I couldn't find anything about
> this in the release notes for either TortoiseSVN 1.8.1 or Subversion
> 1.8.1.

It's fixed in serf 1.3.0 which TSVN links to.

Stefan


--
___
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest interface to (Sub)version control
/_/ \_\ http://tortoisesvn.net

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3061386