Is Supported Single Sign On (SSO) on Windows?


Petr Kuzel

Nov 23, 2010, 10:57:50 AM
to us...@tortoisesvn.tigris.org
Hi all,

does Tortoise SVN client 1.6.11 support Single Sign On (SSO) on Windows (7 64bit), please? If yes what conditions must be met, please?

Thank you ahead
Cc.

Context: I observed svnserve /var/log/messages for svnserve entries and there is always one authorization request with anonymous@hostname before first user initiated request. Instead I'm kind of expecting that the very first request would be forward of the current Windows credentials taken from Local Security Authority (LSA Server Service). I'm configuring svnserve side to use SASL and forward to Windows hosted DS (Active Directory).

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2685107

ml-to...@kuszelas.eu

Nov 23, 2010, 1:16:59 PM
to us...@tortoisesvn.tigris.org
> does Tortoise SVN client 1.6.11 support Single Sign On (SSO) on Windows (7 64bit), please? If yes what conditions must be met, please?
TortoiseSVN 1.6.7 and higher come with a flaw in their neon library that
stops kerberos auth from working. Newer neon libraries contain the fix, so
hopefully one of upcoming Tortoise releases should start working again.

> Context: I observed svnserve /var/log/messages for svnserve entries and there is always one authorization request with anonymous@hostname before first user initiated request. Instead I'm kind of expecting that the very first request would be forward of the current Windows credentials taken from Local Security Authority (LSA Server Service). I'm configuring svnserve side to use SASL and forward to Windows hosted DS (Active Directory).

That is how the problem manifests itself, first request comes with Active
Directory credentials ( visible as lo...@DOMAIN.COM ), but subsequent ones
lose the context.
With old neon libraries this used to work, because every request created
new context.

best regards, Dariusz Pietrzak
--
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Total Existance Failure

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2685134

Petr Kuzel

Nov 24, 2010, 5:39:32 AM
to us...@tortoisesvn.tigris.org, ml-to...@kuszelas.eu
Hi Dariusz,

thank you for the prompt reply. I tried to downgrade to TSVN 1.6.6 but it has no observable positive effect.

Unfortunately, regarding context, I realized that I certainly lack some knowledge. I can imagine that TSVN client initiates SASL negotiation with server side svnserve (SASL configured, it puts on a negotiation table capabilities of the registered SASL providers). I miss the next step, what should be negotiation outcome in case of desired Single Sign On (SSO)? Who is responsible for contacting the Local Security Authority (LSA Server Service)?

Speculation #1: a SASL provider on the server side => my server side configuration problem because I have not found Cyrus SASL provider for Local Security Authority (LSA Server Service).

Speculation #2: TSVN client (1.6.6) but in this case the client has probably some (unknown for me) specific expectations on the server side SASL provider capabilities.

As usually, reality might be far from my speculations.

Regards
Cc.

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2685311

Petr Kuzel

Nov 24, 2010, 11:08:02 AM
to us...@tortoisesvn.tigris.org
[snip]

> > Context: I observed svnserve /var/log/messages for svnserve entries and there is always one authorization request with anonymous@hostname before first user initiated request. Instead I'm kind of expecting that

[snip]



> That is how the problem manifests itself, first request comes with Active
> Directory credentials ( visible as login at DOMAIN dot COM ), but subsequent ones
> lose the context.

In my case the extra authorization request with anonymous@hostname was caused by my configuration fault. At server/svnserve side the default mechanics were advertised (these include ANONYMOUS).

Cc.

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2685399
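
Added example (not part of the thread, and not TortoiseSVN or Subversion project code): a small audit of a Cyrus SASL application config such as the `svn.conf` that svnserve reads, covering the misconfiguration described in the message above. The sample configs are constructed, and the NTLM-only allow-list is an assumption taken from the setup discussed later in the thread.

```python
# Constructed sample configs (Cyrus SASL "key: value" syntax), not from the thread.
DEFAULT_CONF = "# svn.conf without a mech_list line\n"
LOOSE_CONF = "mech_list: ANONYMOUS NTLM\n"
PINNED_CONF = "# only the mechanism intended for domain users\nmech_list: NTLM\n"


def parse_sasl_conf(text):
    """Parse 'key: value' option lines; blank lines and '#' comments are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            opts[key.strip().lower()] = value.strip()
    return opts


def audit_mech_list(text, allowed=frozenset({"NTLM"})):
    """Return a list of findings about which SASL mechanisms the server advertises."""
    opts = parse_sasl_conf(text)
    if "mech_list" not in opts:
        # Without mech_list the server offers every installed mechanism plugin.
        return ["mech_list not set: all installed mechanisms are advertised "
                "(may include ANONYMOUS)"]
    offered = [m.upper() for m in opts["mech_list"].split()]
    findings = []
    if "ANONYMOUS" in offered:
        findings.append("ANONYMOUS is advertised")
    for mech in offered:
        if mech != "ANONYMOUS" and mech not in allowed:
            findings.append("not in allow-list: " + mech)
    return findings


if __name__ == "__main__":
    samples = [("default", DEFAULT_CONF), ("loose", LOOSE_CONF), ("pinned", PINNED_CONF)]
    for name, conf in samples:
        print(name, audit_mech_list(conf) or "ok")
```
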

Petr Kuzel

Nov 26, 2010, 6:11:40 AM
to us...@tortoisesvn.tigris.org, ml-to...@kuszelas.eu
Hi Dariusz,

> > does Tortoise SVN client 1.6.11 support Single Sign On (SSO) on Windows (7 64bit), please? If yes what conditions must be met, please?
> TortoiseSVN 1.6.7 and higher come with a flaw in their neon library that
> stops kerberos auth from working. Newer neon libraries contain the fix, so
> hopefully one of upcoming Tortoise releases should start working again.

Interestingly enough TortoiseSVN client for the svn protocol (svnserve on the server) seems to support following SASL mechanics only:

•ANONYMOUS
•CRAM-MD5
•PLAIN
•DIGEST-MD5
•LOGIN
•NTLM

--http://tortoisesvn.tigris.org/tsvn_1.5_releasenotes.html#cyrus-sasl


I have not found any update on TortoiseSVN client SASL capabilities in earlier release notes. In 1.6.6 changelog there is:

Version 1.5.3
- CHG: paths in error messages are not truncated to 80 chars anymore. (Stefan)
- CHG: enabled rc4 encryption for the sasl dlls. (Stefan)
- CHG: linked against neon 0.28.3

-- C:\Program Files\TortoiseSVN\Changelog.txt


Microsoft's materials on Single Sign On (SSO):

In an intranet, Kerberos version 5 protocol implementations on the Windows platform offer the user SSO because of the basic characteristics of the authentication protocol and the specific features of the way the protocol is implemented in Windows client and server operating systems.

-- http://technet.microsoft.com/en-us/library/cc162924.aspx

I have not found similar claim for other protocol implementations.

To sum up, I do not see the Single Sign On (SSO) requirements satisfied because TortoiseSVN client does not provide GSSAPI (Kerberos 5, MIT implementation) mechanics (for the svn protocol).

Do you use some custom TortoiseSVN client build or have been the GSSAPI (Kerberos 5, MIT implementation) mechanics support for the svn protocol forgotten to be announced? (and become buggy in 1.6.7-(at time of writing)1.6.11)

Thank you ahead
Cc.

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2685851

ml-to...@kuszelas.eu

Nov 26, 2010, 10:48:58 AM
to us...@tortoisesvn.tigris.org, ml-to...@kuszelas.eu
> To sum up, I do not see the Single Sign On (SSO) requirements satisfied because TortoiseSVN client does not provide GSSAPI (Kerberos 5, MIT implementation) mechanics (for the svn protocol).
My bad, I haven't noticed that the request for the svn protocol, and not
much more widely used http/https, where I can confirm that older
TortoiseSVN clients work beautifully against kerberized repositories.

regards, Dariusz Pietrzak
--
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Total Existance Failure

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2685902

Stefan Küng

Nov 27, 2010, 4:30:46 AM
to us...@tortoisesvn.tigris.org
On 26.11.2010 12:11, Petr Kuzel wrote:
> Hi Dariusz,
>
>>> does Tortoise SVN client 1.6.11 support Single Sign On (SSO) on Windows (7 64bit), please? If yes what conditions must be met, please?
>> TortoiseSVN 1.6.7 and higher come with a flaw in their neon library that
>> stops kerberos auth from working. Newer neon libraries contain the fix, so
>> hopefully one of upcoming Tortoise releases should start working again.
>
> Interestingly enough TortoiseSVN client for the svn protocol (svnserve on the server) seems to support following SASL mechanics only:
>
> •ANONYMOUS
> •CRAM-MD5
> •PLAIN
> •DIGEST-MD5
> •LOGIN
> •NTLM
>
> --http://tortoisesvn.tigris.org/tsvn_1.5_releasenotes.html#cyrus-sasl

The NTLM mechanism is the one you want: it supports SSO on Windows if
you're part of a domain.

Stefan

--
___
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.net

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2686088

Petr Kuzel

Nov 29, 2010, 6:45:30 AM
to us...@tortoisesvn.tigris.org
> > To sum up, I do not see the Single Sign On (SSO) requirements satisfied because TortoiseSVN client does not provide GSSAPI (Kerberos 5, MIT implementation) mechanics (for the svn protocol).
> My bad, I haven't noticed that the request for the svn protocol, and not
> much more widely used http/https, where I can confirm that older
> TortoiseSVN clients work beautifully against kerberized repositories.

Thank you for the clarification.

I could have derived from the fact that you referred the Neon (HTTP and WebDAV client) libraries.

Regards
Cc.

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2686435

Petr Kuzel

Nov 29, 2010, 9:11:18 AM
to us...@tortoisesvn.tigris.org
Hi Stefan,

> > Interestingly enough TortoiseSVN client for the svn protocol (svnserve on the server) seems to support following SASL mechanics only:
> >
> > •ANONYMOUS
> > •CRAM-MD5
> > •PLAIN
> > •DIGEST-MD5
> > •LOGIN
> > •NTLM
> >
> > --http://tortoisesvn.tigris.org/tsvn_1.5_releasenotes.html#cyrus-sasl
>
> The NTLM mechanism is the one you want: it supports SSO on Windows if
> you're part of a domain.

In my case the svnserve server is configured for the NTLM SASL mechanism only. The TortoiseSVN client is running on Windows system that is in domain.

I'm getting password prompt that is satisfied by typing the domain credentials of the currently logged in user.

For Single Sign On (SSO) I expect immediate authentication without a need for retyping the domain credentials of the currently logged in user. Have you meant the same, please?

Best regards
Cc.

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2686478

Stefan Küng

Nov 29, 2010, 12:49:01 PM
to us...@tortoisesvn.tigris.org
On 29.11.2010 15:11, Petr Kuzel wrote:
> Hi Stefan,
>
>>> Interestingly enough TortoiseSVN client for the svn protocol
>>> (svnserve on the server) seems to support following SASL
>>> mechanics only:
>>>
>>> •ANONYMOUS •CRAM-MD5 •PLAIN •DIGEST-MD5 •LOGIN •NTLM
>>>
>>> --http://tortoisesvn.tigris.org/tsvn_1.5_releasenotes.html#cyrus-sasl
>>
>> The NTLM mechanism is the one you want: it supports SSO on Windows if
>> you're part of a domain.
>
> In my case the svnserve server is configured for the NTLM SASL
> mechanism only. The TortoiseSVN client is running on Windows system
> that is in domain.
>
> I'm getting password prompt that is satisfied by typing the domain
> credentials of the currently logged in user.
>
> For Single Sign On (SSO) I expect immediate authentication without a
> need for retyping the domain credentials of the currently logged in
> user. Have you meant the same, please?

Since I've never used the GSSAPI NTLM module, I just thought it would
support SSO, but apparently it's still needed to enter the credentials.

Stefan

--
___
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.net

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2686512

David Balažic

Nov 29, 2010, 1:36:01 PM
to us...@tortoisesvn.tigris.org
Stefan Küng wrote:

> Since I've never used the GSSAPI NTLM module, I just thought it would
> support SSO, but apparently it's still needed to enter the credentials.

Firefox supports SSO without asking for user/pass (for pre-approved URLs only).
In case anyone is looking for a working example.
I don't know though what libraries they use.

Regards,
David

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2686521

Jean-Yves Avenard

Dec 22, 2010, 5:40:50 AM
to us...@tortoisesvn.tigris.org
On 24 November 2010 02:57, Petr Kuzel <petr....@sun.com> wrote:
> Hi all,
>
> does Tortoise SVN client 1.6.11 support Single Sign On (SSO) on Windows (7 64bit), please? If yes what conditions must be met, please?
>

A little while back, I provided patches to add GSSAPI support to TortoiseSVN.

Those patches have been committed to TSVN trunk, but won't make it to 1.7

If you search the archive you'll find the patch for the 1.6 branch;
if you can't find it I have it somewhere still..

I've only tested with MIT backend, but it should work with others.

Jean-Yves

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2692702

c...@viazenetti.de

Jan 7, 2013, 2:21:41 PM
to us...@tortoisesvn.tigris.org, Petr Kuzel
Hi Petr,

I am really sad to hear that this great feature did not make it into 1.7.

Is there a patch for 1.7 or would it be a lot of work to make a patch for 1.7?

Thanks Christian

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3041542