Installing Subversion with Windows Authentication - the easy way
So you are developing on a Windows platform and you are part of a Windows domain, but you want to set up Subversion to use your domain credentials. Not a problem - all you need is a Windows XP SP2 or a Windows 2003 machine to host Subversion on.
Here are the steps
Download and install CollabNet Subversion
It is important that you download CollabNet's Subversion, as it will install and integrate the Apache web server as well. Here are screenshots showing some of the options that must be selected during the installation process:
- Make sure that you select Apache as your Subversion server. We can only use Windows authentication with the Apache server.
- Enter the name of your server (probably NOT localhost). Don't use port 80 if you have IIS installed on the machine as well. Repository path is a local path on the machine where the Subversion repositories will be located. For some reason the Apache configuration does not like spaces in this path name, so make it simple like C:\Repo. Repository url is the folder in the url that will be used to access the Subversion repository. In this example, the url to access the repository will be http://localhost:80/svn.
-
Select the folder where you want Subversion and Apache to be installed. For the rest of this post, we'll assume that it is installed to the folder C:\Program Files\CollabNet Subversion Server\
-
And you're done!
Download and install the SSPI Authentication module
The SSPI Authentication module (mod_auth_sspi) is the magic potion that allows your domain credentials to be sent to Subversion. Download a copy at http://sourceforge.net/projects/mod-auth-sspi. Make sure that the version number has the appropriate Apache version number in it.
Once you have downloaded it, extract it and copy the files in the bin folder to C:\Program Files\CollabNet Subversion Server\httpd\modules.
Configure Apache
Open the httpd.conf file located in C:\Program Files\CollabNet Subversion Server\httpd\conf in your favourite text editor. Find the section in the file where there are several lines starting with LoadModule and add the following line of text at the end:
LoadModule sspi_auth_module modules/mod_auth_sspi.so
Then go to the end of the file and you will find a block that starts with <Location /svn> (if you used svn as your repository url in the installation). Change this block to look like this:
<Location /svn>
DAV svn
SVNParentPath C:\repo
AuthName "Subversion"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain TRUMPI
require valid-user
</Location>
Replace TRUMPI with the name of your Windows domain, and replace C:\repo with the root location of your Subversion repositories.
Install Apache as a Windows service
Run the following two commands:
apache -k install
apache -k start
Create a repository
From the command line, run the following commands to create a Subversion repository:
cd C:\repo
svnadmin create trumpi
Of course, replace trumpi with the name of the repository that you want to create. You can checkout the repository using the url http://localhost:80/svn/trumpi, assuming you've used the same configuration as in this tutorial. Replace localhost with the name of the machine that you are using, replace 80 with the port name that you are using, replace svn with the repository url that you specified in the CollabNet Subversion installation, and replace trumpi with the name of the Subversion repository that you just created.
Some additional stuff
If you want to customise the authorisation within your Subversion repository, then take a look at this post. I have not tried this scenario yet, and I hope to make a post in the future that explores this.
As mentioned before, the magic potion in authenticating using your Windows credentials is the mod_auth_sspi Apache module. The zip file contains documentation that points you in the right direction to specify additional authentication options. Here are a few interesting options:
SSPIAuth - set to 'on' to activate SSPI authentication here
SSPIOfferSSPI - set to 'off' to allow access control to be passed along to lower modules if the UserID is not known to this module
SSPIAuthoritative - set to 'off' to allow access control to be passed along to lower modules if the UserID is not known to this module
SSPIOfferBasic - set to 'on' to allow the client to authenticate against NT with 'Basic' authentication instead of
using the NTLM protocol
SSPIPackage - set to the name of the package you want to use to authenticate users
SSPIDomain - set to the domain you want users authenticated against for cleartext authentication - if not specified, the local machine, then all trusted domains are checked
SSPIOmitDomain - set to 'on' if you want the usernames to have the domain prefix OMITTED, on = user, off = DOMAIN\user
SSPIUsernameCase - set to 'lower' if you want the username and domain to be lowercase, set to 'upper' if you want the username and domain to be uppercase, if not specified, username and domain case conversion is disabled
SSPIBasicPreferred - set to 'on' if you want basic authentication to be the higher priority
SSPIMSIE3Hack - set to 'on' if you expect MSIE 3 clients to be using this server
The require directive can take the following forms (based on the old mod_auth):
require valid-user - any valid user will do, useful for logging who accessed each file, for example
require user DOMAIN\Username - require a specific user
require group DOMAIN\Groupname - require a group member
require user "NT DOMAIN\User name" - require a user with spaces in logon id