Resolving Mylyn "Insufficient permissions" when connecting to Trac/Apache

Posted by Dan on Feb 16, 2010 @ 11:40 AM

For the longest time I've been stuck on Mylyn Eclipse Plug-in v3.0.5—which is very old. Every time I attempted to upgrade to a newer version, Mylyn could no longer authenticate against my Trac installation on Apache. It was a frustrating problem, because I really wanted to upgrade to take advantage of a number of enhancements and fixes.

Today I went upgrade another plug-in and figured I'd try the latest version of Mylyn to see if my issue was resolved. Unfortunately, I was still getting the error "Insufficient permissions for selected access type" anytime Mylyn would try to authenticate via the XML-RPC method. What was really strange, is when I tried connecting via the "Web" method, everything worked fine (which was a new behavior.) So, I decided to spend some time in Charles HTTP Proxy to see if I could debug the issue.

I spent some time monitoring the HTTP traffic, but really couldn't find any rhyme or reason why the authentication was failing. So, I decided to investigate my Apache modules to see if there were any updates to the authentication modules I was using.

One aspect of my Apache configuration that is a little different is that I use mod-auth-sspi module because I authenticate against our Active Directory server (see Configuring Windows Authentication with Apache 2.2.x and Subversion.) After much research and playing around with our configuration, I finally discovered the fix for my problem.

There's apparently an issue with the case that Mylyn sends the authentication information in, the trick was to change my Apache configuration and add the line: SSPIUsernameCase lower

Here's what my authentication configuration rules look like in my Apache httpd.conf file:

AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
# set the domain to authorize against
SSPIDomain AD
SSPIOfferBasic On      # let non-IE clients authenticate
SSPIOmitDomain On      # keep domain name in userid string
SSPIBasicPreferred Off # basic authentication should have higher priority
SSPIPerRequestAuth On  # required for IE POST operations
SSPIUsernameCase lower

So, if you're having mystery issues with applications authenticating against your Apache server and your using SSPI, you might try implement the SSPIUsernameCase lower directive.

Categories: Potpourri, Source Code

Comments for this entry have been disabled.