Well, just found that Subversion 1.7 (TortoiseSVN-1.7rc1) with serf-1.0.0 supports negotiation.
And it just works! Serf does not even have the restriction of doing negotiate in TLS... So much easier to look at using wireshark.

BTW: neon in this release does not even request a ticket for the target server... and fails with an unknown GSS error.
---
svn: E170001: OPTIONS of 'https://correlux-gentoo.correlsense.com/svn/Test': authorization failed: Could not authenticate to server: GSSAPI authentication error: (https://correlux-gentoo.correlsense.com)
---
So we have even further regression in neon, and huge success for serf.

Alon.

On Mon, Oct 3, 2011 at 4:47 PM, Alon Bar-Lev <[email protected]> wrote:
> Hi,
>
> I already searched for all the information I could, read most of it.
> I know neon is problematic, I had issues before.
> All eventually resolved after a lot of tears, as Microsoft does not
> support decent logging.
>
> Alon
>
> On Mon, Oct 3, 2011 at 4:33 PM, Douglas E. Engert <[email protected]> wrote:
>>
>>
>> On 10/3/2011 9:12 AM, Alon Bar-Lev wrote:
>>> Hello,
>>>
>>> I have a configuration of active directory 2003 r2 sp3 working with
>>> linux mod_auth_kerb.
>>> I use SPNEGO for subversion.
>>> When using Linux all works great!
>>> When using Windows XP (and Windows 7) Firefox/IE/cifs client work great.
>>>
>>> Problem is subversion which uses neon, it gets the following:
>>
>> Googling for: neon SPNEGO
>> shows a lot of issues. Maybe you are seeing one of them?
>>
>>
>>> ---
>>> Running post_send hooks
>>> ah_post_send (#1), code is 201 (want 401), WWW-Authenticate is Negotiate
>>> oYGfMIG
>>> coAMKAQChCwYJKoZIhvcSAQICooGHBIGEYIGBBgkqhkiG9xIBAgICAG9yMHCgAwIBBaEDAgEPomQwYqA
>>> DAgEXolsEWTLvPLmZvxBgaMEmPDDTIeG9bdJ5rmfTEtsj6Cv9eF9s9Z8sBWhVhPXYzIVsm/sw0hqR+1u
>>> DM9frpOeV2Y0YGtDk2flN5iOM/HdEujj0GXAYEWHvPp/3kSc2
>>> auth: SSPI challenge.
>>> InitializeSecurityContext [fail] [80090304].
>>> sspi: initializeSecurityContext [failed] [80090304].
>>> ---
>>>
>>> In the Windows event log I see the following:
>>> ---
>>> Event Type: Warning
>>> Event Source: LSASRV
>>> Event Category: SPNEGO (Negotiator)
>>> Event ID: 40962
>>> Date: 10/3/2011
>>> Time: 3:55:38 PM
>>> User: N/A
>>> Computer: VALON
>>> Description:
>>> The Security System was unable to authenticate to the server
>>> HTTP/correlux-gentoo.correlsense.com because the server has completed
>>> the authentication, but the client authentication protocol Kerberos
>>> has not.
>>>
>>> For more information, see Help and Support Center at
>>> http://go.microsoft.com/fwlink/events.asp.
>>> ---
>>>
>>> Has anyone seen this before?
>>> I tried many configurations, but without success:
>>> ---
>>> Gentoo
>>> ---
>>> dev-libs/openssl-1.0.0e -> also downgraded to openssl-0.9.8f
>>> www-servers/apache-2.2.21
>>> www-apache/mod_auth_kerb-5.4 -> also downgraded to mod_auth_kerb-5.1
>>> net-fs/samba-3.5.11
>>> app-crypt/mit-krb5-1.9.1 -> also downgraded to 1.6.3
>>> ---
>>>
>>> The strange thing is that I have a centos server on the same network
>>> with *MUCH* older packages and it does work...
>>> ---
>>> CentOS
>>> ---
>>> openssl-0.9.8e-20.el5
>>> httpd-2.2.3-53.el5.centos.1
>>> mod_ssl-2.2.3-53.el5.centos.1
>>> mod_auth_kerb-5.1-3.el5
>>> samba-3.0.33-3.29.el5_7.4
>>> krb5-workstation-1.6.1-62.el5
>>> ---
>>>
>>> I cannot reach this old state at Gentoo, but I cannot explain the
>>> difference between the two machines, I use the same procedure to add
>>> them to the domain:
>>> <edit smb.conf>
>>> net ads join
>>> net ads keytab create
>>> net ads keytab add HTTP cifs
>>>
>>> The same configuration for both.
>>>
>>> I don't know how to activate logs at Microsoft end...
>>> I tried to add Lsa\Kerberos\Parameters debug and logging keys but
>>> nothing is generated.
>>>
>>> Any clue?
>>>
>>> Thanks,
>>> Alon.
>>> ________________________________________________
>>> Kerberos mailing list [email protected]
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>>
>>
>> --
>>
>> Douglas E. Engert <[email protected]>
>> Argonne National Laboratory
>> 9700 South Cass Avenue
>> Argonne, Illinois 60439
>> (630) 252-5444
