Tuesday, January 8, 2013

TortoiseSVN with kerberos authentication

I'm a big fan of TortoiseSVN (TSVN, short) on Windows. Working with multiple SVN servers and different authentication methods has its pitfalls, however.
I just found out how to make the current TSVN (1.7.11 as of this writing) work with Kerberos authentication on a Linux server that uses krb5 as I previously described here.



Of couse no other than Stephan K√ľng, the developer of TSVN himself provided the answer here. For those tl;dr folks, here's the relevant part that needs to be modified in TSVN's server file:

[global]
http-library = serf

This makes TSVN use the serf library for authentication instead of neon, the default. This actually lets single-sign-on work from a Windows box to a Linux subversion server (AFAIK using GSSAPI for authentication) using krb5 within the same Active Directory. 
However, it breaks single-sign-on from a Windows box to a Windows subversion server (AFAIK using SSPI for authentication) within the same Active Directory.

Luckily, TSVN is capable of having server- and site-specific settings in it's server file. I created a group with my Linux subversion server as only member, and had TSVN just use serf there.
Here's an example:
[groups]
mylinuxserver = svn.linux.subnet


[mylinuxserver]
http-library = serf
This worked like a charm, now I've got single-sign-on working to my Windows and Linux svn servers.

2 comments:

Chris Privitere said...

Are you able to get the tortoise command line utilities to work with kerberos as well?

fizze said...

Yes, they work like a charm.

On a sidenote, From Subversion-1.8.0 only serf is supported. So it's no longer required to change the config.
The change to 1.8.0 brings other caveats though, as I've written about here: http://ingenious-excerpts.blogspot.com/2013/07/tortoisesvn-180-and-ntlm-authentication.html