Tuesday, January 8, 2013

TortoiseSVN with kerberos authentication

I'm a big fan of TortoiseSVN (TSVN, short) on Windows. Working with multiple SVN servers and different authentication methods has its pitfalls, however.
I just found out how to make the current TSVN (1.7.11 as of this writing) work with Kerberos authentication on a Linux server that uses krb5 as I previously described here.

Of couse no other than Stephan K√ľng, the developer of TSVN himself provided the answer here. For those tl;dr folks, here's the relevant part that needs to be modified in TSVN's server file:

http-library = serf

This makes TSVN use the serf library for authentication instead of neon, the default. This actually lets single-sign-on work from a Windows box to a Linux subversion server (AFAIK using GSSAPI for authentication) using krb5 within the same Active Directory. 
However, it breaks single-sign-on from a Windows box to a Windows subversion server (AFAIK using SSPI for authentication) within the same Active Directory.

Luckily, TSVN is capable of having server- and site-specific settings in it's server file. I created a group with my Linux subversion server as only member, and had TSVN just use serf there.
Here's an example:
mylinuxserver = svn.linux.subnet

http-library = serf
This worked like a charm, now I've got single-sign-on working to my Windows and Linux svn servers.


Chris Privitere said...

Are you able to get the tortoise command line utilities to work with kerberos as well?

fizze said...

Yes, they work like a charm.

On a sidenote, From Subversion-1.8.0 only serf is supported. So it's no longer required to change the config.
The change to 1.8.0 brings other caveats though, as I've written about here: http://ingenious-excerpts.blogspot.com/2013/07/tortoisesvn-180-and-ntlm-authentication.html