Cannot authent to SSPI and password file in Apache 2.2

Brought to you by: gknauf, tjcostel

#3 Cannot authent to SSPI and password file in Apache 2.2

Status: open

Owner: nobody

Labels: None

Priority: 5

Updated: 2008-12-08

Created: 2008-12-08

Creator: Craig McQueen

Private: No

According to:
http://tortoisesvn.net/docs/nightly/TortoiseSVN_en/help-onepage.html#tsvn-serversetup-apache-6
it should be possible to set up Apache to authenticate to both SSPI and a password file.

I'm trying to get this working on a Windows Apache 2.2 server, but without success. SSPI works on its own, and the password file works on its own. But if I try to use both together, as described, then authenticating against the SSPI works but authenticating against the password file fails.

I'm wondering: does this solution simply not work on Apache 2.2.x due to changes to the authentication/authorization setup in Apache 2.2.x?

I'm interested to know if anyone else has tried this on Apache 2.2.x, and if you ended in success or failure.

Discussion

Craig McQueen - 2010-03-18

See also this forum message:

https://sourceforge.net/projects/mod-auth-sspi/forums/forum/550583/topic/3565821/index/page/1

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Paul Dotsenko - 2010-03-18

I have the exact same issue you described - trying to set up both SSPI and Basic/password file authentication for Subversion on Apache 2.2.14. This setup currently works for me on Apache 2.0.58. Here is the Location configuration snippet I've tried (works on Apache 2.0.58 but not on 2.2.14):

<Location /svn>
DAV svn
SVNListParentPath on
SVNParentPath C:/svn_repository
SSLRequireSSL

AuthType Basic
#AuthAuthoritative Off
AuthName "Subversion repositories"
AuthUserFile C:/svn_repository/password-file

AuthType SSPI
SSPIAuth On
SSPIAuthoritative Off
SSPIOfferSSPI Off
SSPIOfferBasic On
SSPIBasicPreferred On
#SSPIDomain mydomain

Require valid-user
</Location>

Like in your case, SSPI and password-file authentication work separately but not together. Hope this helps.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Paul Dotsenko - 2010-03-19

I found a workaround for Apache 2.2 that worked for me, courtesy of http://krangsquared.blogspot.com/2008/02/configuring-subversion-authentication.html. The idea is defining two "Location" elements in Apache 2.2 config - one for Windows AD authentication (for most internal svn users) and one Basic password-file authentication (for the few external or non-Windows domain users). This essentially creates two virtual URLs to the same svn repository allowing two distinct authentication methods - not perfect, but better than being stuck on Apache 2.0. Here is an example:
#This Location is for Windows AD authentication only
<Location /svn>
DAV svn
SVNListParentPath on
SVNParentPath C:/svn_repository
SSLRequireSSL

AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain somedomain

Require valid-user
</Location>
#This location is for Basic password-file based authentication for external users
<Location /svnext>
DAV svn
SVNListParentPath on
SVNParentPath C:/svn_repository
SSLRequireSSL

AuthType Basic
#AuthAuthoritative Off
AuthName "Subversion repositories"
AuthUserFile C:/svn_repository/password-file

Require valid-user
</Location>
HTH

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Log in to post a comment.