[FE-4879] Problems authenticating against NTLM challenge with VisualSVN server

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: N/A
Affects Version/s: 3.0.0, 3.1.0, 4.4.1, 4.5.0
Component/s: Indexing
Labels:
- release-48x
- subversion
- support-hot
- svn
- svnkit

Symptom Severity:
Severity 3 - Minor
UIS:
5
Bug Fix Policy:
View Atlassian Server bug fix policy

HTR:

Install VisualSVN enterprise
Enable Windows authentication
Try to authenticate against the server in FishEye

2013-09-20 10:30:41,361 DEBUG [qtp1564035725-243 ] fisheye ProfilingServletFilter-logRequest - start request POST /fecru/gwt/RepositoryAdminRpcService sessionid=63ux2ajuv6j05j3xen8lj0fk
2013-09-20 10:30:41,368 DEBUG [qtp1564035725-243 ection-1379665841363] fisheye SvnRepositoryTester-checkRepoSettings - Checking repository:  ntlm:https://fecru-komputer/svn/test/
2013-09-20 10:30:41,369 DEBUG [SvnExecution4 testing] fisheye SvnTask-run - Executing svn info -r HEAD https://fecru-komputer/svn/test/@HEAD
2013-09-20 10:30:41,388 DEBUG [SvnExecution4 testing] fisheye SvnPasswordSupplier-prompt - prompting for realm: <https://fecru-komputer:443> with username: FECRU-KOMPUTER\\fecru, maySave = true
2013-09-20 10:30:41,388 DEBUG [SvnExecution4 testing] fisheye SvnPasswordSupplier-getPassword - Getting password
2013-09-20 10:30:41,392 WARN  [qtp1564035725-243 ection-1379665841363] fisheye SvnRepositoryTester-getServerRootURL - Unable to get info for the repository root for ntlm
com.cenqua.fisheye.rep.RepositoryClientException: org.apache.subversion.javahl.ClientException: svn: E170001: Negotiate authentication failed: 'No valid credentials provided'
	at com.cenqua.fisheye.svn.SvnThrottledClient.executeNoThrottle(SvnThrottledClient.java:176)
	at com.cenqua.fisheye.svn.SvnThrottledClient.execute(SvnThrottledClient.java:145)
	at com.cenqua.fisheye.svn.SvnThrottledClient.info(SvnThrottledClient.java:110)
	at com.cenqua.fisheye.svn.SvnRepositoryTester.getServerRootURL(SvnRepositoryTester.java:91)
...
Caused by: org.apache.subversion.javahl.ClientException: svn: E170001: Negotiate authentication failed: 'No valid credentials provided'
	at org.apache.subversion.javahl.ClientException.fromException(ClientException.java:68)
	at org.tmatesoft.svn.core.javahl17.SVNClientImpl.getClientException(SVNClientImpl.java:1274)
...
Caused by: org.tmatesoft.svn.core.SVNAuthenticationException: svn: E170001: Negotiate authentication failed: 'No valid credentials provided'
	at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.error(SVNErrorManager.java:62)
	at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.error(SVNErrorManager.java:51)
	at org.tmatesoft.svn.core.internal.io.dav.http.DefaultHTTPNegotiateAuthentication$1.run(DefaultHTTPNegotiateAuthentication.java:175)
	at org.tmatesoft.svn.core.internal.io.dav.http.DefaultHTTPNegotiateAuthentication$1.run(DefaultHTTPNegotiateAuthentication.java:166)
	at org.tmatesoft.svn.core.internal.io.dav.http.DefaultHTTPNegotiateAuthentication.authenticate(DefaultHTTPNegotiateAuthentication.java:221)

Workaround:

1. Enable basic auth in VisualSVN, potentially also using native svn client.

2. Customer implemented workaround: enable the svn protocol on the VisualSVN server so access the repository with the svn: protocol.

Resolution
https://confluence.atlassian.com/fishkb/fisheye-and-ntlm-1189783826.html

is related to

FE-5329 Native Subversion Client setting will not save the authentication in cache causing authentication error

Closed

mentioned in: Page Failed to load; Page Failed to load; Page Failed to load; Page Failed to load

David Mason added a comment - 27/Apr/2021 12:20 PM

I'm not a Java or Linux developer and don't know what the situation is in those spaces, but impersonation of the specified username/password is quite easy with .NET (https://stackoverflow.com/questions/125341/how-do-you-do-impersonation-in-net).

For a Windows server application I use LOGON32_LOGON_BATCH instead of LOGON32_LOGON_INTERACTIVE. This requires that in the server's local security policy (Admin Tools | Local Security Policy | Local Policies | User Rights Assignment), the login that Fecru runs under requires "Impersonate a user after authentication" and the impersonated account requires "Log on as a batch job".

David Mason added a comment - 27/Apr/2021 12:20 PM I'm not a Java or Linux developer and don't know what the situation is in those spaces, but impersonation of the specified username/password is quite easy with .NET ( https://stackoverflow.com/questions/125341/how-do-you-do-impersonation-in-net). For a Windows server application I use LOGON32_LOGON_BATCH instead of LOGON32_LOGON_INTERACTIVE. This requires that in the server's local security policy (Admin Tools | Local Security Policy | Local Policies | User Rights Assignment), the login that Fecru runs under requires "Impersonate a user after authentication" and the impersonated account requires "Log on as a batch job".

Michael Mohr added a comment - 12/Dec/2018 7:44 AM

I really can't believe that this security important issue is still open. As at Diebold Nixdorf as enterprise company it is not allowed to connect to Subversion in any other fashion than via https and native windows AD authentication. With the problem described in this issue it is not possible for us to use Fisheye.

So please and finally after several year fix this security issue with fisheye!

Michael Mohr added a comment - 12/Dec/2018 7:44 AM I really can't believe that this security important issue is still open. As at Diebold Nixdorf as enterprise company it is not allowed to connect to Subversion in any other fashion than via https and native windows AD authentication. With the problem described in this issue it is not possible for us to use Fisheye. So please and finally after several year fix this security issue with fisheye!

David.Cecil@drs.com added a comment - 17/May/2017 2:00 PM

I have the same problem with Visual SVN and Crucible with Windows NTLM authentication. Would really like for Atlassian to come up with a solution. It's been years since this was originally reported as a problem, it seems.

David.Cecil@drs.com added a comment - 17/May/2017 2:00 PM I have the same problem with Visual SVN and Crucible with Windows NTLM authentication. Would really like for Atlassian to come up with a solution. It's been years since this was originally reported as a problem, it seems.

Chris Watts added a comment - 27/Sep/2016 6:56 AM

To anyone reading this "minor" bug report in the future.. the work around is to enable the svn protocol on the VisualSVN server (so you end up being able to access the server by svn://yourserver/repositoryname. if you enable anonymous read in the svnserve.conf files for each repository, the crucible server will be able to read, and work as normal.

Chris Watts added a comment - 27/Sep/2016 6:56 AM To anyone reading this "minor" bug report in the future.. the work around is to enable the svn protocol on the VisualSVN server (so you end up being able to access the server by svn://yourserver/repositoryname. if you enable anonymous read in the svnserve.conf files for each repository, the crucible server will be able to read, and work as normal.

Nathan Taylor added a comment - 26/Sep/2016 4:08 PM

Evaluating Crucible as well and will not be able to use the product without this being resolved.

Nathan Taylor added a comment - 26/Sep/2016 4:08 PM Evaluating Crucible as well and will not be able to use the product without this being resolved.

Chris Watts added a comment - 20/Sep/2016 10:43 AM

Cant believe this is "minor". To enable basic auth sets our entire source control system back a year, in addition to being completely ridiculous! with Jetbrains stuff, i can put "Domain\User" and that works, why cant i do that with Atlassian stuff? currently evaluating crucible and getting very frustrated with it.

Chris Watts added a comment - 20/Sep/2016 10:43 AM Cant believe this is "minor". To enable basic auth sets our entire source control system back a year, in addition to being completely ridiculous! with Jetbrains stuff, i can put "Domain\User" and that works, why cant i do that with Atlassian stuff? currently evaluating crucible and getting very frustrated with it.

dplesa added a comment - 09/Sep/2016 10:12 PM

Cant believe that this is marked as MINOR an not yet solved! This prevents my company from using FishEye...

dplesa added a comment - 09/Sep/2016 10:12 PM Cant believe that this is marked as MINOR an not yet solved! This prevents my company from using FishEye...

Foong (Inactive) added a comment - 11/Sep/2014 7:29 AM

when using Native Subversion Client, we will need to login as the user and perform a svn command to cache the credential

https://jira.atlassian.com/browse/FE-5329

Foong (Inactive) added a comment - 11/Sep/2014 7:29 AM when using Native Subversion Client, we will need to login as the user and perform a svn command to cache the credential https://jira.atlassian.com/browse/FE-5329

Foong (Inactive) added a comment - 11/Sep/2014 6:55 AM - edited

I found out that when using NTLM authentication in Subversion server, if the FishEye/Crucible server is started with the user "UserA", we need to use the credential for the user "UserA" for the repository setting in FishEye/Crucible.

If FishEye/Crucible is started by "UserA" and then we try to use "UserB" credential in the repository, it will have authentication error.

Foong (Inactive) added a comment - 11/Sep/2014 6:55 AM - edited I found out that when using NTLM authentication in Subversion server, if the FishEye/Crucible server is started with the user "UserA", we need to use the credential for the user "UserA" for the repository setting in FishEye/Crucible. If FishEye/Crucible is started by "UserA" and then we try to use "UserB" credential in the repository, it will have authentication error.

Tim Davis added a comment - 18/Feb/2014 8:49 AM

We're evaluating FishEye and we had to enable "basic auth" in VisualSVN aswell. This resolved the problem.

Tim Davis added a comment - 18/Feb/2014 8:49 AM We're evaluating FishEye and we had to enable "basic auth" in VisualSVN aswell. This resolved the problem.

Assignee:: Nate Hansberry

Reporter:: Lukasz Pater

Affected customers:: 16 This affects my team

Watchers:: 27 Start watching this issue

Created:: 20/Sep/2013 8:33 AM

Updated:: 28/Jan/2025 7:26 PM

Resolved:: 15/Sep/2022 8:40 AM

Estimated:

Not Specified

Remaining:

Not Specified

Logged:

0.9h

Details

Description

Attachments

Issue Links

Forms

Activity

Collapse comment: David Mason added a comment - 27/Apr/2021 12:20 PM

Expand comment: David Mason added a comment - 27/Apr/2021 12:20 PM

Collapse comment: Michael Mohr added a comment - 12/Dec/2018 7:44 AM

Expand comment: Michael Mohr added a comment - 12/Dec/2018 7:44 AM

Collapse comment: David.Cecil@drs.com added a comment - 17/May/2017 2:00 PM

Expand comment: David.Cecil@drs.com added a comment - 17/May/2017 2:00 PM

Collapse comment: Chris Watts added a comment - 27/Sep/2016 6:56 AM

Expand comment: Chris Watts added a comment - 27/Sep/2016 6:56 AM

Collapse comment: Nathan Taylor added a comment - 26/Sep/2016 4:08 PM

Expand comment: Nathan Taylor added a comment - 26/Sep/2016 4:08 PM

Collapse comment: Chris Watts added a comment - 20/Sep/2016 10:43 AM

Expand comment: Chris Watts added a comment - 20/Sep/2016 10:43 AM

Collapse comment: dplesa added a comment - 09/Sep/2016 10:12 PM

Expand comment: dplesa added a comment - 09/Sep/2016 10:12 PM

Collapse comment: Foong (Inactive) added a comment - 11/Sep/2014 7:29 AM

Expand comment: Foong (Inactive) added a comment - 11/Sep/2014 7:29 AM

Collapse comment: Foong (Inactive) added a comment - 11/Sep/2014 6:55 AM, Edited by Foong - 11/Sep/2014 7:14 AM

Expand comment: Foong (Inactive) added a comment - 11/Sep/2014 6:55 AM, Edited by Foong - 11/Sep/2014 7:14 AM

Collapse comment: Tim Davis added a comment - 18/Feb/2014 8:49 AM

Expand comment: Tim Davis added a comment - 18/Feb/2014 8:49 AM

People

Dates

Time Tracking