subversion + neon + windows + mod_kerb = InitializeSecurityContext SEC_E_INTERNAL_ERROR

Kaltenberger, Stefan Stefan.Kaltenberger at fabasoft.com
Mon Oct 17 11:22:53 EDT 2011


Hi,

I'm also struggling with this problem:

svn: E170001: Unable to connect to a repository at URL 'http://host.mycompany.com/svn/project'
svn: E170001: OPTIONS of 'http://host.mycompany.com/svn/project': authorization failed: Could not authenticate to server:
 GSSAPI authentication error:  (http://host.mycompany.com)

After some investigations I tracked down this issue to the following change of the TortoiseSVN guys (see http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2664118):

Revision: 20229
Author: tortoisesvn
Date: 03.10.2010 14:15:50
Message:
Patch from Jean-Yves Avenard:
Make the build system include GSSAPI.
----
Modified : /trunk/ext/build/neon.build
Modified : /trunk/ext/build/sasl.build
Modified : /trunk/src/TortoiseSVNSetup/StructureFragment.wxs
Added : /trunk/ext/build/gssapi.build
Modified : /trunk/ext/build/default.build
Added : /trunk/ext/gssapi
Added : /trunk/ext/gssapi/gssapi.cpp
Added : /trunk/ext/gssapi/gssapi.h

It seems to me that activating GSSAPI (using the HAVE_GSSAPI definition) breaks the SSPI support. I have tried to work around the issue by reverting the changes of the neon.build file, but this only changes the error message:

ah_create, for WWW-Authenticate
ah_post_send (#0), code is 401 (want 401), WWW-Authenticate is Negotiate
auth: Got challenge (code 401).
auth: Got 'Negotiate' challenge.
auth: Trying Negotiate challenge...
auth: SSPI challenge.
sspi: Created context with SPN 'HTTP/host.mycompany.com'
auth: SSPI challenge [YIIN...very long base64 string...==]
auth: Accepted Negotiate challenge.
auth: Sending 'Negotiate' response.
ah_post_send (#1), code is 200 (want 401), WWW-Authenticate is Negotiate oYG4...short base64 string...==
auth: SSPI challenge.
InitializeSecurityContext [fail] SEC_E_INVALID_TOKEN.
sspi: initializeSecurityContext [failed] [80090308].
svn: E175002: Unable to connect to a repository at URL 'http://host.mycompany.com/svn/project'
svn: E175002: OPTIONS of 'http://host.mycompany.com/svn/project': 200 OK (http://host.mycompany.com)

The error code "200 OK" seems weird - doesn't this mean everything is okay (but is at least not expected: want 401)? The httpd error log file also shows an "access granted" entry when using debug level logging.

As a workaround I've now built the Subversion client using neon 0.28.6 + OpenSSL patch (regarding SSL_SESSION_cmp) which works fine:

ah_create, for WWW-Authenticate
ah_post_send (#0), code is 401 (want 401), WWW-Authenticate is Negotiate
auth: Got challenge (code 401).
auth: Got 'Negotiate' challenge.
auth: Trying Negotiate challenge...
auth: SSPI challenge.
sspi: Created context with SPN 'HTTP/host.mycompany.com'
auth: SSPI challenge [YIIN...very long base64 string...]
auth: Accepted Negotiate challenge.
auth: Sending 'Negotiate' response.
ah_post_send (#1), code is 200 (want 401), WWW-Authenticate is Negotiate oYG4...short base64 string...==
ah_create, for WWW-Authenticate
auth: Sending 'Negotiate' response.
ah_post_send (#0), code is 200 (want 401), WWW-Authenticate is (none)
ah_create, for WWW-Authenticate
auth: Sending 'Negotiate' response.
ah_post_send (#0), code is 207 (want 401), WWW-Authenticate is (none)
ah_create, for WWW-Authenticate
auth: Sending 'Negotiate' response.
ah_post_send (#0), code is 207 (want 401), WWW-Authenticate is (none)

It seems to me that there is some kind of SSPI authentication regression in the 0.29.x branch (and the trunk as well), but I'm not an expert on the authentication topic nor on the neon library, so is there anybody out there who can help?

BTW: The serf library is not an option for me, because the performance (at least in my environment) is very bad.

Regards, Stefan
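
The two Negotiate tokens in the failing trace can be told apart from their visible prefixes alone. The following is an added example, not part of the original message or of neon: it decodes the DER tag and length from the first four base64 characters exactly as they appear in the log, and flags a trace in which SSPI fails right after a token arrives on a 2xx response. The function names are hypothetical.

```python
import base64
import re

# Lines copied from the failing trace above; tokens stay elided as posted.
TRACE = """\
auth: SSPI challenge [YIIN...very long base64 string...==]
ah_post_send (#1), code is 200 (want 401), WWW-Authenticate is Negotiate oYG4...short base64 string...==
auth: SSPI challenge.
InitializeSecurityContext [fail] SEC_E_INVALID_TOKEN.
"""

# Outermost DER tag of a Negotiate token -> the kind of message it carries.
TAGS = {
    0x60: "GSS-API InitialContextToken (initiator's first token)",
    0xA0: "SPNEGO NegTokenInit",
    0xA1: "SPNEGO NegTokenResp (continuation or final reply)",
}
TOKEN_RE = re.compile(
    r"(?:SSPI challenge \[|WWW-Authenticate is Negotiate )([A-Za-z0-9+/]{4,})")

def describe_prefix(b64_prefix):
    """Return (kind, declared content length or None) from a token's first bytes."""
    raw = base64.b64decode(b64_prefix[: len(b64_prefix) // 4 * 4])
    tag, first = raw[0], raw[1]
    kind = TAGS.get(tag, "unknown tag 0x%02x" % tag)
    if first < 0x80:                  # short form: the byte is the length
        return kind, first
    n = first & 0x7F                  # long form: n length bytes follow
    if len(raw) < 2 + n:
        return kind, None             # length bytes lie in the elided part
    return kind, int.from_bytes(raw[2:2 + n], "big")

def tokens_in_trace(trace):
    """(visible prefix, kind, declared length) for each token in a neon trace."""
    hits = (TOKEN_RE.search(line) for line in trace.splitlines())
    return [(m.group(1),) + describe_prefix(m.group(1)) for m in hits if m]

def rejected_final_token(trace):
    """True if a 2xx response carried a Negotiate token and SSPI then failed."""
    saw_token_on_2xx = False
    for line in trace.splitlines():
        if re.search(r"code is 2\d\d .*Negotiate \S", line):
            saw_token_on_2xx = True
        elif saw_token_on_2xx and "InitializeSecurityContext [fail]" in line:
            return True
    return False

if __name__ == "__main__":
    for prefix, kind, length in tokens_in_trace(TRACE):
        print(prefix, "->", kind, "| declared length:", length)
    print("token on 2xx then SSPI failure:", rejected_final_token(TRACE))
```

For this trace, `YIIN` decodes to tag 0x60 with a two-byte length whose second byte is elided, and `oYG4` decodes to an SPNEGO NegTokenResp declaring 184 content bytes, the token delivered with the 200 response just before the InitializeSecurityContext failure.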

-----Original Message-----
From: neon-bounces at lists.manyfish.co.uk [mailto:neon-bounces at lists.manyfish.co.uk] On Behalf Of Alon Bar-Lev
Sent: Tuesday, 04 October 2011 00:19
To: Alon Bar-Lev; neon at lists.manyfish.co.uk
Subject: Re: subversion + neon + windows + mod_kerb = InitializeSecurityContext SEC_E_INTERNAL_ERROR


Well,

Just found that Subversion 1.7 (TortoiseSVN-1.7rc1) with serf-1.0.0
supports negotiation.

And it just works!
Serf even does not have the restriction of doing negotiate in TLS...
So much easier to look at using wireshark.

BTW: neon in this release does not even request ticket for target
server... And fails for unknown GSS error.
---
svn: E170001: OPTIONS of
'https://correlux-gentoo.correlsense.com/svn/Test': authorization
failed: Could not authenticate to server: GSSAPI authentication error:
 (https://correlux-gentoo.correlsense.com)
---

So we have even further regression in neon, and huge success for serf.

Alon.

On Mon, Oct 3, 2011 at 11:40 PM, Alon Bar-Lev <alon.barlev at gmail.com> wrote:
> On Mon, Oct 3, 2011 at 11:37 PM, Joe Orton <joe at manyfish.co.uk> wrote:
>> Was there a description of that failure mode?  I didn't see that.
>
> What do you mean?
> I sent all my experiments in this thread.
> Which code exactly are you looking for, I will resend whatever needed.
>


