Configuring Windows Authentication with Apache 2.2.x and Subversion

Posted by Dan on Nov 1, 2007 @ 6:57 PM

I've been working on our development server at work to try to help streamline some processes. This included upgrading Subversion and Apache to the latest versions and installing Trac (so we can better track software issues).

To make it simple to give developers and contractors access to the appropriate areas, I wanted to configure Apache to use Windows Authentication. This allows us to control who has access to what just by making them members of the appropriate groups.

Since I'm new to Apache, this whole process has taken longer than what I wanted—but I certainly learned a lot in the process.

Getting Windows Authentication configured in Apache wasn't too difficult. I decided to use the mod_auth_sspi module since it seems to be the most popular one. When you go to download the module, you'll see file names that start with "mod_auth_sspi-1.0.4-". You'll want to download the file that ends in a version number matching your Apache install. I'm using Apache v2.2.4, so I downloaded the mod_auth_sspi-1.0.4-2.2.2.zip version. (NOTE: The main thing that's important is that you use the 2.0.x module for Apache v2.0.x and the 2.2.x module for Apache v2.2.x. The versions don't need to be identical.)

The mod_auth_sspi-1.0.4 zip file contains a /doc/ folder with an INSTALL text file that tells you how to configure things. You'll want to copy /bin/sspipkgs.exe to the /bin folder of your Apache install and /bin/mod_auth_sspi.so to the /modules folder.

The installation instructions tell you to load mod_auth_sspi.so last. However, this will not work if you plan on using SSPI with SVN. I believe technically you just need to load the module after the Apache mod_authn_alias.

In order to get SSPI working with SVN, you need to load mod_auth_sspi.so before you load the Subversion modules. The order should look like:

# Windows Authentication module
LoadModule sspi_auth_module   modules/mod_auth_sspi.so

# Subversion modules
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

NOTE:
Your Subversion installation also comes with copies of the mod_dav_svn.so and mod_authz_svn.so modules. I had no problems using the ones that shipped with Apache v2.2.4. However, if you are having problems try using the versions that are in the Subversion install folder. I'd recommend pointing right to that folder, so as you update Subversion the modules will be updated too.

I can't stress how important the order above is. I spent about 4-5 hours this afternoon troubleshooting things and it all came down to the order of the LoadModule commands. I was getting all sorts of "Authorization failed" and "RA layer request failed" error messages until I got the load order right.

<Location /svnpath>
	# configure SVN
	DAV svn
	SVNListParentPath on
	# any "/svnpath/foo" URL will map to the repository c:/Repository/Path/foo
	SVNParentPath c:/Repository/Path

	AuthName "Subversion Authentication"
	AuthType SSPI
	SSPIAuth On
	SSPIAuthoritative On
	# set the domain to authorize against
	SSPIDomain DOMAIN
	# strip the domain name from the userid string
	SSPIOmitDomain On
	# let non-IE clients authenticate; Basic sends the password unencrypted, so use HTTPS
	SSPIOfferBasic On
	# should basic authentication have higher priority
	SSPIBasicPreferred Off
	SSPIUsernameCase lower

	# require the SVN Users group
	Require group "DOMAIN\Subversion Users"
</Location>

NOTE:
You'll want to change the placeholder values (the words shown in red in the original post) to match your server's configuration. I believe the SSPIUsernameCase option is required, since several of the Apache modules are case sensitive. Keeping everything lowercase should help prevent problems when you're configuring things.

In the configuration above, anyone who is in the "Subversion Users" group will have access to the location specified. For our purposes, you either have full access to the SVN or none at all. If you need more granular control, you can use the AuthzSVNAccessFile directive to specify a Subversion access file. This will allow you to control what permissions each user actually has. For information on using an access file, see Michael Flanakin's "Windows Authentication with Subversion on Windows" post.

It was actually Michael's post that got me straightened out about the order of the LoadModules.
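
The load-order rule and the lowercase-username advice above can both be checked mechanically. The following Python script is an added example, not part of the original post or of mod_auth_sspi; the sample httpd.conf and access-file contents are constructed, and the user-name check assumes SSPIOmitDomain On and SSPIUsernameCase lower as configured above.

```python
import re

SVN_MODULES = {"dav_svn_module", "authz_svn_module"}

def check_load_order(httpd_conf):
    """Report Subversion modules that are loaded before sspi_auth_module."""
    order = []
    for line in httpd_conf.splitlines():
        # Commented-out LoadModule lines start with '#' and do not match.
        m = re.match(r"\s*LoadModule\s+(\S+)\s+\S+", line, re.IGNORECASE)
        if m:
            order.append(m.group(1))
    if "sspi_auth_module" not in order:
        return ["sspi_auth_module is not loaded"]
    early = [mod for mod in order[:order.index("sspi_auth_module")] if mod in SVN_MODULES]
    return [f"{mod} is loaded before sspi_auth_module" for mod in early]

def check_authz_usernames(authz):
    """Report access-file user names that cannot match the login name Apache sets.

    Assumes SSPIOmitDomain On and SSPIUsernameCase lower, as in the post.
    """
    findings, section = [], None
    for n, raw in enumerate(authz.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            section = line.strip("[]")
            continue
        if section == "aliases":
            continue
        key, _, value = line.partition("=")
        # [groups] lists users on the right-hand side; path sections on the left.
        names = value.split(",") if section == "groups" else [key]
        for name in (x.strip().lstrip("~") for x in names):
            if not name or name[0] in "*@$&":  # wildcard, group, token, alias
                continue
            if "\\" in name:
                findings.append(f"line {n}: {name} has a domain prefix")
            elif name != name.lower():
                findings.append(f"line {n}: {name} is not lowercase")
    return findings

# Constructed sample input (not from the post): wrong load order, bad user names.
SAMPLE_HTTPD = """\
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
LoadModule sspi_auth_module modules/mod_auth_sspi.so
"""
SAMPLE_AUTHZ = """\
[groups]
devs = alice, Bob
[projects:/trunk]
@devs = rw
DOMAIN\\carol = r
* =
"""

if __name__ == "__main__":
    for finding in check_load_order(SAMPLE_HTTPD) + check_authz_usernames(SAMPLE_AUTHZ):
        print(finding)
```
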

Now that I have everything configured, I can log in to Trac and Subversion (using TortoiseSVN or Subclipse) with the same login credentials. Not only does this make it easier to administer in the long run, it makes it easier for our developers as well.

Now I just need to finish configuring Trac and get Mylyn up and running!

38 Comments

  • Reinaldo Coelho Sartorelli
    In my job, I need to have more granular control in SVN to Windows Users.

    My config is:

    #SSPI Modules
    LoadModule sspi_auth_module bin/mod_auth_sspi.so

    #SVN Modules
    LoadModule dav_svn_module bin/mod_dav_svn.so
    LoadModule authz_svn_module bin/mod_authz_svn.so

    <Location /svn/>
      DAV svn

      # path
      SVNListParentPath on
      SVNParentPath "C:/work/SVN_REPOS/"
      SVNIndexXSLT "/svnindex.xsl"
      SVNPathAuthz on

      # authentication
      AuthName "Subversion Authentication"
      AuthType SSPI
      SSPIAuth On
      SSPIAuthoritative On
      SSPIDomain DOMAIN
        SSPIOmitDomain On   # keep domain name in userid string
        SSPIOfferBasic On   # let non-IE clients authenticate
        SSPIBasicPreferred Off # should basic authentication have higher priority
        SSPIUsernameCase lower
      #Require valid-user
      Require group DOMAIN\GROUP

      # authorization
      AuthzSVNAccessFile "C:/work/SVN_REPOS//authz"

    </Location>

    But it does not work fine :-(

    Can you help me?

    Tks,
    Reinaldo.
  • @Reinaldo:

    What kind of problems are you having?

    I'm not an Apache-guru by any means, but maybe the quotes around your directory paths are causing a problem. Also, the path to your AuthzSVNAccessFile has double forward slashes in the path.
  • @Reinaldo:

    Also make sure that you've got the correct DOMAIN and GROUP's configured.
  • Does anyone know how the SSPIDomain Domain piece works? I did not specify my domain, but users in 3 different domains can authenticate just fine without any problems. I'd like to know if it picks up the domain name from the local machine that is authenticating.
  • @David:

    My guess is if you're not using Active Directory or a Domain controller, not specifying the SSPIDomain will go from the local. I have an AD server in my configuration and couldn't get it to work without specifically specifying the SSPIDomain.
  • Looks like if you do not specify a domain and you are using AD, it will traverse the local machine's trusted Domains list in order to authenticate a user. I now have this working for 3 different domains.

    Thanks for the writeup
  • Hi, I just wanted to check if it's possible to do Windows Authentication without using Apache.

    Thanks
  • @Vishal:

    Since I've never used the built-in SVN server, I can't say for sure but I would guess you can't use Windows Authentication with svnserve (since the core of SVN is built to be OS agnostic.) When you run SVN via Apache, Apache is actually responsible for the authentication (not SVN) and since you can configure Apache for Windows Authentication, you can also authenticate your SVN repositories against your Windows user base.
  • I managed to configure stuff with Apache and logins are now using Windows AD. But I have run into this strange problem now. I am unable to commit large files (files >100MB) to my svnserver. I get the below error -
    [Thu Jun 05 15:26:27 2008] [error] [client 10.10.8.163] (OS 87)The parameter is incorrect. : authentication failure for "/svn/vsharma/!svn/act/da4e41cf-788d-b14e-9258-0056d50729e9": user unknown, reason: cannot generate context

    However, smaller file commits work just fine. Any pointers?

    Thanks,

    (I am not sure if this is the right place to ask this question. Apologies in advance if it's not. Thanks again.)
  • @Vishal:

    I'd recommend you post your question to the SVN mailing list. I wonder if you're exceeding the http post limit of your Apache install or if there's a problem with your configuration. I don't think I've ever tried committing a single file that was over 100MB in size. I certainly have repositories that are much larger than that, but I'm not sure any one single file has ever exceeded 100MBs.
  • Terrence Montgomery
    I would like to configure this for a standalone Windows XP and Apache 2.2.8 install.

    Does this mod allow Authentication against local Windows accounts? If so, has anyone gotten it to work successfully? If so, can you provide the httpd.conf, specifically the "Load Module" lines and the "Directory" lines.

    So far, I have only gotten the following message when I type the credentials of a local Windows account:
    Authorization Required
    This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

    I know that I am not mistyping the credentials, so I am posting here for more input.

    Thanks.
  • @Terrence:

    I've not tried getting Windows Authentication working under Windows XP--so I'm not sure. However, that's what I'd dig around with specifically. See if you can find anyone who's gotten Apache to authenticate against some local Windows XP accounts.

    It might be as simple as getting the DOMAIN option right (I might even try leaving that blank for local accounts.)
  • Hi all..

    I'm trying to set it up so users can log on with Domain authentication or file, but can't get it to work... for some reason only the domain authentication works but not the file's... but if I comment all the SSPI part, it does work, so I'm kind of lost here... any idea??

    here is my code:

    LoadModule sspi_auth_module modules/mod_auth_sspi.so
    LoadModule dav_module modules/mod_dav.so
    LoadModule dav_svn_module modules/mod_dav_svn.so
    LoadModule auth_basic_module modules/mod_auth_basic.so
    LoadModule authz_svn_module modules/mod_authz_svn.so

    <Location /svn>
     DAV svn
     SVNListParentPath on
     SVNParentPath D:/SVN/Repository/

     AuthName "SVN Repository"
     AuthzSVNAccessFile conf/svnaccess.conf

      AuthType SSPI
      SSPIAuth On
    SSPIAuthoritative Off
      SSPIDomain NETDOM
      SSPIOfferBasic On
    ##########################
        AuthType Basic
    AuthBasicAuthoritative Off
        AuthUserFile conf/svnusers.conf

        Require valid-user
    </Location>

    By the way, this is Apache 2.2.8

    Thanks guys
  • @JV:

    I'm pretty sure you can only use one authorization method. So, you're either going to be using SVN or a conf file.

    What you could probably do is set up different "Location" directives--one for Windows Authentication and one for local authentication. That means the paths would be different, but that should allow you to use 2 different authentication schemes for the same physical directory.
  • Thanks for the quick answer...

    On this webpage (http://tortoisesvn.net/docs/release/TortoiseSVN_en...), under the title Multiple Authentication Sources, they say it's possible, but the thing is they are using the module mod_auth.so which is available only in versions prior to 2.1 and doesn't work in 2.2.x
  • That's why I'm using mod_auth_basic.so instead, but can't make it work
  • This works for me:
    #NT Domain Login
        SVNPathAuthz off
        AuthType SSPI
        SSPIAuth On
        SSPIAuthoritative On
        SSPIDomain <Domaincontroller>
        SSPIOfferBasic On

        #Htpasswd Logins
        AuthType Basic
        AuthBasicAuthoritative Off
        AuthUserFile passwd

        Require valid-user
  • Hi,

    I am getting the below error while trying to restart Apache.

    Can't load D:\Apache Group\Apache2\modules\mod_auth_sspi.so into server; the specified module couldn't be found. But I have already copied the required module (version: mod_auth_sspi-1.0.4-2.2.2) into D:\Apache Group\Apache2\modules.

    Here is my code.

    LoadModule dav_module modules/mod_dav.so
    LoadModule sspi_auth_module modules/mod_auth_sspi.so
    LoadModule dav_svn_module modules/mod_dav_svn.so
    LoadModule authz_svn_module modules/mod_authz_svn.so


    Apache version: 2.0
    Please help me out.

    Thanks,
    Ulli.
  • @Ulli:

    I suggest you go to an Apache forum and pose your question there.
  • Hello

    I have implemented the "mod_auth_sspi" module as suggested by you. Now my Windows authentication is working fine. When I open my application, it first asks me for the username and password. And if I provide the username and password, it allows me to log in.

    But I want my application to automatically fetch the username and password if the user is already logged in to his/her machine and return the username for further work.

    Any help would be greatly appreciated

    Thanks
  • @Gaurav,

    In order to do something like that, you'd need to write either a custom browser or create a browser plug-in that your users would need to install. Browsers don't have knowledge of your Windows authentication status, nor should they.
  • Not able to enable basic authentication on Apache 2.2.9 in Redhat Linux. I am trying to use a custom module in Apache. Whenever I send a request, Apache does not ask for user name and password, while the same thing works perfectly fine with Apache 1.3.41.
    I am following the steps below.
    ./configure --enable-ssl --enable-auth-digest --enable-mods-shared=rewrite --enable-auth-basic
    make, make install.
    Till this point it is successful.
    I am putting following in httpd.conf.
    <Location /wsman>
    SetHandler wsman-handler
    AuthType Basic
    AuthNameOPENWSMNA
    AuthUserFile /etc/openwsman/simple_auth.passwd
    Require valid-user
    Order allow,deny
    Allow from all
    </Location>

    The same setting works perfectly fine with Apache 1.3. Can anybody point out where I am making a mistake?
  • @Manoj:

    Make sure you're using a module compiled for your version of Apache. Modules have to be compiled for the version of Apache you're using.
  • Thanks Switzer for the response.
    Where do I have to compile the module from? In ./configure I have already mentioned to activate basic auth. Where will I get mod_auth_basic from?
    I am not even able to trigger basic authentication with Apache 2.2.9.
    I feel it should be some configuration option.
    My custom module I have already built successfully and it is working fine.
    -Manoj
  • @Manoj:

    I'd really recommend asking your questions on an Apache mailing list or forum.
  • good
  • Hi,

    Need help. For one of my portals, I have configured Apache for SSPI authentication. But this happens for the entire portal. I want to give access to different pages with different users. How do I do it?

    By the way, I haven't used Subversion and all, just SSPI.
    Thanks in advance.
    Madhu
  • @madhu:

    You'll need to set the directives for only the site and/or directory you want to secure. The Apache manual has lots of info on how to do this, or if you're still having problems I recommend checking out either the Apache mailing list or an Apache forum.
  • Dan, thanks for your post. With your notes, I was able to get this up and running quickly and with minimal issues.
  • I have the following entries in httpd.conf

    # Windows authentication module
    LoadModule sspi_auth_module  modules/mod_auth_sspi.so

    # subversion modules
    LoadModule dav_svn_module modules/mod_dav_svn.so
    LoadModule authz_svn_module modules/mod_authz_svn.so

    # Subversion location
    <Location /svn>
      DAV svn
      SVNParentPath "C:/svn_repository/"

      # authentication
      AuthName "Subversion Authentication"
      AuthType SSPI
      SSPIAuth On
      SSPIAuthoritative On
      SSPIDomain nclmiami
      SSPIOfferBasic On
      Require valid-user

      # authorization
      AuthzSVNAccessFile "C:/svn_repository/authorization.conf"
    </Location>


    When I am trying to access svn, it is asking for the user name & password. But after entering these, I am getting the following error:

    svn url access forbidden for unknown reason

    I am using apache 2.2.22
    and subversion 1.7.2

    Can you guys please help me.
  • @Arindam:

    My guess is your use of AuthzSVNAccessFile is causing problems. I don't believe you can mix and match authentication process. You're either authenticating against Windows or an AuthzSVNAccessFile file.
  • Hi,

    I have installed the latest Subversion 1.7.2 and Apache HTTP version 2.2.22. I get an error when I am trying to access it from TortoiseSVN.

    Ex: http://servername

    I am getting the below error. Any idea? Please help me to solve the below error.

    Unable to connect to a repository URL 'http://servername'. The OPTIONS request returned invalid XML in the response:XML parse error at line 1:no element found (http://servername)

    Thanks
    Arun.
  • @Arun:

    I've never seen that error, so outside of using Google to search for solutions, I can't be of any help.

    I suggest you ask your problem on a SVN mailing list or forum where there's an active list of people who are intimately familiar with Subversion.
  • I have Apache 2.2 running on Windows 7.
    I am facing a problem in Windows authentication with the mod_auth_sspi.so module.
    I get the following error in the browser [both IE (no login required) and Firefox (after logging in with Windows ID)]
    "Token cannot be zero. ...
    Stack Trace:
    [ArgumentException: Token cannot be zero.]
      System.Security.Principal.WindowsIdentity.CreateFromToken(IntPtr userToken) +2175009
      System.Security.Principal.WindowsIdentity..ctor(IntPtr userToken, String authType, Int32 isAuthenticated) +80
    ... "
    The http.conf has the following entries for sspi

    LoadModule sspi_auth_module  modules/mod_auth_sspi.so
    ...
    <Directory "D:/html/forSite/cgi-bin/ProjectDetails">
      AuthType SSPI
      SSPIAuth On
      SSPIAuthoritative On
      SSPIDomain "HYPERTHERM"
      SSPIOfferBasic On
      Require valid-user
    </Directory>

    Can anyone help?
    Thanks
  • Hey Guys,

    Apache, 2.2.22, subversion 3.0.1-3150.92 (Collabnet), Win2008 server.

    Issue: When using sspi, hit esc 4 or 5 times and get past the logon prompt to the content.

    Site prompts for credentials fine but if you hit esc four or five times you get the page (/viewvc/repq) anyway but without any formatting. Like the css was denied access but the content wasn't. Clicking any link on the unformatted page will behave the same ... hit esc enough and you get in.

    Any ideas why this is happening?



    <Location />
      AuthName "Subversion Authentication"
      AuthType SSPI

      SSPIAuth On
      SSPIAuthoritative On
      SSPIDomain domain
      SSPIOmitDomain On
      SSPIPerRequestAuth On
      SSPIOfferBasic Off
      SSPIBasicPreferred Off
      SSPIUsernameCase lower

      #require valid-user
      Require group domain\Sec.SVN
    </Location>



    Thanks
    -Sean
  • Hi,
    I have configured a module named mod_wsman in Apache. In this module's handler function I have checked that r->handler is "wsman-handler"... But when I checked the URL, r->handler was null. How do I set the HTTP request handler to wsman-handler?

    Please help me
  • Awesome blog. I am a newbie with PHP. Trying to connect to SQL Server using Windows auth from PHP files for daily sustainment work. Where it says <Location /svnpath>, which file is that? Is that the httpd file or the htaccess file?

    Thanks
