SVNKit with Negotiate / Kerberos (Integrated Windows Authentication) on a Windows computer

Hello,

What steps are required on a Windows domain-joined computer to make SVNKit authenticate over IWA?

I’m trying out jsvn from the latest org.tmatesoft.svn_1.10.7.standalone.zip release on Windows. I want to make it authenticate with VisualSVN Server using Integrated Windows Authentication. But it does not work.

This is a JNA-enabled build of SVNKit, so I’m assuming that IWA should work without any additional actions.

My server has only IWA enabled as the authentication method, and the svn.exe native client works perfectly.

PS C:\svnkit-1.10.7\bin> ./jsvn info https://svn1.wcexample.com
Authentication realm: <https://svn1.wcexample.com:443]>
Password for 'Administrator':

svn: E170001: Negotiate authentication failed: 'No valid credentials provided'

SVNKit should not prompt me for credentials in the first place. It should reuse my account’s credentials automatically and authenticate over Kerberos (Negotiate).

The error in the log is as follows:
[[[
Jul 23, 2022 7:26:05 AM org.tmatesoft.svn.core.internal.util.DefaultSVNDebugLogger log
FINE: NETWORK: No LoginModules configured for com.sun.security.jgss.krb5.initiate
javax.security.auth.login.LoginException: No LoginModules configured for com.sun.security.jgss.krb5.initiate
at java.base/javax.security.auth.login.LoginContext.init(LoginContext.java:261)
at java.base/javax.security.auth.login.LoginContext.<init>(LoginContext.java:412)
at org.tmatesoft.svn.core.internal.io.dav.http.DefaultHTTPNegotiateAuthentication.initializeSubject(DefaultHTTPNegotiateAuthentication.java:135)
at org.tmatesoft.svn.core.internal.io.dav.http.DefaultHTTPNegotiateAuthentication.authenticate(DefaultHTTPNegotiateAuthentication.java:163)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:431)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:352)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:340)
at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.performHttpRequest(DAVConnection.java:914)
at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.exchangeCapabilities(DAVConnection.java:706)
at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.open(DAVConnection.java:114)
at org.tmatesoft.svn.core.internal.io.dav.DAVRepository.openConnection(DAVRepository.java:1048)
at org.tmatesoft.svn.core.internal.io.dav.DAVRepository.getLatestRevision(DAVRepository.java:169)
at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgRepositoryAccess.getRevisionNumber(SvnNgRepositoryAccess.java:119)
at org.tmatesoft.svn.core.internal.wc2.SvnRepositoryAccess.getLocations(SvnRepositoryAccess.java:180)
at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgRepositoryAccess.createRepositoryFor(SvnNgRepositoryAccess.java:43)
at org.tmatesoft.svn.core.internal.wc2.remote.SvnRemoteGetInfo.run(SvnRemoteGetInfo.java:47)
at org.tmatesoft.svn.core.internal.wc2.remote.SvnRemoteGetInfo.run(SvnRemoteGetInfo.java:31)
at org.tmatesoft.svn.core.internal.wc2.SvnOperationRunner.run(SvnOperationRunner.java:21)
at org.tmatesoft.svn.core.wc2.SvnOperationFactory.run(SvnOperationFactory.java:1239)
at org.tmatesoft.svn.core.wc2.SvnOperation.run(SvnOperation.java:294)
at org.tmatesoft.svn.core.wc.SVNWCClient.doInfo(SVNWCClient.java:2346)
at org.tmatesoft.svn.cli.svn.SVNInfoCommand.run(SVNInfoCommand.java:124)
at org.tmatesoft.svn.cli.AbstractSVNCommandEnvironment.run(AbstractSVNCommandEnvironment.java:142)
at org.tmatesoft.svn.cli.AbstractSVNLauncher.run(AbstractSVNLauncher.java:79)
at org.tmatesoft.svn.cli.svn.SVN.main(SVN.java:26)
at org.tmatesoft.svn.cli.SVN.main(SVN.java:22)

Jul 23, 2022 7:26:05 AM org.tmatesoft.svn.core.internal.util.DefaultSVNDebugLogger log
FINE: NETWORK: NEGOTIATE: authenticate: subject:null
Jul 23, 2022 7:26:05 AM org.tmatesoft.svn.core.internal.util.DefaultSVNDebugLogger log
FINE: NETWORK: NEGOTIATE: isStarted: null
Jul 23, 2022 7:26:05 AM org.tmatesoft.svn.core.internal.util.DefaultSVNDebugLogger log
FINE: NETWORK: NEGOTIATE: authenticate action: isStarted: false
Jul 23, 2022 7:26:05 AM org.tmatesoft.svn.core.internal.util.DefaultSVNDebugLogger log
FINE: NETWORK: NEGOTIATE: isStarted: null
Jul 23, 2022 7:26:05 AM org.tmatesoft.svn.core.internal.util.DefaultSVNDebugLogger log
FINE: NETWORK: NEGOTIATE: initialize context, OID: 1.2.840.113554.1.2.2
Jul 23, 2022 7:26:05 AM org.tmatesoft.svn.core.internal.util.DefaultSVNDebugLogger log
FINE: NETWORK: svn: E170001: Negotiate authentication failed: ‘No valid credentials provided’
Jul 23, 2022 7:26:05 AM org.tmatesoft.svn.core.internal.util.DefaultSVNDebugLogger log
FINE: NETWORK: svn: E170001: Negotiate authentication failed: ‘No valid credentials provided’
org.tmatesoft.svn.core.SVNAuthenticationException: svn: E170001: Negotiate authentication failed: ‘No valid credentials provided’
at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.error(SVNErrorManager.java:68)
at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.error(SVNErrorManager.java:57)
at org.tmatesoft.svn.core.internal.io.dav.http.DefaultHTTPNegotiateAuthentication$1.run(DefaultHTTPNegotiateAuthentication.java:175)
at org.tmatesoft.svn.core.internal.io.dav.http.DefaultHTTPNegotiateAuthentication$1.run(DefaultHTTPNegotiateAuthentication.java:166)
at org.tmatesoft.svn.core.internal.io.dav.http.DefaultHTTPNegotiateAuthentication.authenticate(DefaultHTTPNegotiateAuthentication.java:221)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:431)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:352)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:340)
at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.performHttpRequest(DAVConnection.java:914)
at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.exchangeCapabilities(DAVConnection.java:706)
at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.open(DAVConnection.java:114)
at org.tmatesoft.svn.core.internal.io.dav.DAVRepository.openConnection(DAVRepository.java:1048)
at org.tmatesoft.svn.core.internal.io.dav.DAVRepository.getLatestRevision(DAVRepository.java:169)
at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgRepositoryAccess.getRevisionNumber(SvnNgRepositoryAccess.java:119)
at org.tmatesoft.svn.core.internal.wc2.SvnRepositoryAccess.getLocations(SvnRepositoryAccess.java:180)
at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgRepositoryAccess.createRepositoryFor(SvnNgRepositoryAccess.java:43)
at org.tmatesoft.svn.core.internal.wc2.remote.SvnRemoteGetInfo.run(SvnRemoteGetInfo.java:47)
at org.tmatesoft.svn.core.internal.wc2.remote.SvnRemoteGetInfo.run(SvnRemoteGetInfo.java:31)
at org.tmatesoft.svn.core.internal.wc2.SvnOperationRunner.run(SvnOperationRunner.java:21)
at org.tmatesoft.svn.core.wc2.SvnOperationFactory.run(SvnOperationFactory.java:1239)
at org.tmatesoft.svn.core.wc2.SvnOperation.run(SvnOperation.java:294)
at org.tmatesoft.svn.core.wc.SVNWCClient.doInfo(SVNWCClient.java:2346)
at org.tmatesoft.svn.cli.svn.SVNInfoCommand.run(SVNInfoCommand.java:124)
at org.tmatesoft.svn.cli.AbstractSVNCommandEnvironment.run(AbstractSVNCommandEnvironment.java:142)
at org.tmatesoft.svn.cli.AbstractSVNLauncher.run(AbstractSVNLauncher.java:79)
at org.tmatesoft.svn.cli.svn.SVN.main(SVN.java:26)
at org.tmatesoft.svn.cli.SVN.main(SVN.java:22)

Jul 23, 2022 7:26:05 AM org.tmatesoft.svn.core.internal.util.DefaultSVNDebugLogger log
SEVERE: CLI: svn: E170001: Negotiate authentication failed: ‘No valid credentials provided’
org.tmatesoft.svn.core.SVNException: svn: E170001: Negotiate authentication failed: ‘No valid credentials provided’
at org.tmatesoft.svn.cli.AbstractSVNCommandEnvironment.handleWarning(AbstractSVNCommandEnvironment.java:401)
at org.tmatesoft.svn.cli.svn.SVNInfoCommand.run(SVNInfoCommand.java:131)
at org.tmatesoft.svn.cli.AbstractSVNCommandEnvironment.run(AbstractSVNCommandEnvironment.java:142)
at org.tmatesoft.svn.cli.AbstractSVNLauncher.run(AbstractSVNLauncher.java:79)
at org.tmatesoft.svn.cli.svn.SVN.main(SVN.java:26)
at org.tmatesoft.svn.cli.SVN.main(SVN.java:22)
Caused by: org.tmatesoft.svn.core.SVNAuthenticationException: svn: E170001: Negotiate authentication failed: ‘No valid credentials provided’
at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.error(SVNErrorManager.java:68)
at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.error(SVNErrorManager.java:57)
at org.tmatesoft.svn.core.internal.io.dav.http.DefaultHTTPNegotiateAuthentication$1.run(DefaultHTTPNegotiateAuthentication.java:175)
at org.tmatesoft.svn.core.internal.io.dav.http.DefaultHTTPNegotiateAuthentication$1.run(DefaultHTTPNegotiateAuthentication.java:166)
at org.tmatesoft.svn.core.internal.io.dav.http.DefaultHTTPNegotiateAuthentication.authenticate(DefaultHTTPNegotiateAuthentication.java:221)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:431)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:352)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:340)
at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.performHttpRequest(DAVConnection.java:914)
at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.exchangeCapabilities(DAVConnection.java:706)
at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.open(DAVConnection.java:114)
at org.tmatesoft.svn.core.internal.io.dav.DAVRepository.openConnection(DAVRepository.java:1048)
at org.tmatesoft.svn.core.internal.io.dav.DAVRepository.getLatestRevision(DAVRepository.java:169)
at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgRepositoryAccess.getRevisionNumber(SvnNgRepositoryAccess.java:119)
at org.tmatesoft.svn.core.internal.wc2.SvnRepositoryAccess.getLocations(SvnRepositoryAccess.java:180)
at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgRepositoryAccess.createRepositoryFor(SvnNgRepositoryAccess.java:43)
at org.tmatesoft.svn.core.internal.wc2.remote.SvnRemoteGetInfo.run(SvnRemoteGetInfo.java:47)
at org.tmatesoft.svn.core.internal.wc2.remote.SvnRemoteGetInfo.run(SvnRemoteGetInfo.java:31)
at org.tmatesoft.svn.core.internal.wc2.SvnOperationRunner.run(SvnOperationRunner.java:21)
at org.tmatesoft.svn.core.wc2.SvnOperationFactory.run(SvnOperationFactory.java:1239)
at org.tmatesoft.svn.core.wc2.SvnOperation.run(SvnOperation.java:294)
at org.tmatesoft.svn.core.wc.SVNWCClient.doInfo(SVNWCClient.java:2346)
at org.tmatesoft.svn.cli.svn.SVNInfoCommand.run(SVNInfoCommand.java:124)
… 4 more
]]]

I would greatly appreciate some guidance on this topic.

Thank you in advance!

PS My main goal is to make the Subversion plug-in for Jenkins (SVNKit-based) use IWA correctly. But I think that if I can make jsvn authenticate over IWA, I will also find out how to solve this problem in Jenkins. The Jenkins SVN plug-in has a page with instructions, “Jenkins : Subversion Plugin HTTPS Kerberos authentication”, but I don’t think that these instructions are correct.

I made some progress right after posting my question. This post helped me: Java 7, JAAS and Kerberos Single Sign-on vs. newer Windows Systems – info.michael-simons.eu.

Here is what I did:

  1. Added -Djava.security.auth.login.config="C:\MyTestConfig\MyAuth.conf" to jsvn.bat.

  2. Created "C:\MyTestConfig\MyAuth.conf" with the following content:

com.sun.security.jgss.krb5.initiate {
     com.sun.security.auth.module.Krb5LoginModule required
     renewTGT=true
     doNotPrompt=true
     refreshKrb5Config=true
     useTicketCache=true
     debug=true
     ;
};

  3. Added the following customization to the Windows Registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01

It still did not work with the error. But I was logged on as a domain admin on the client computer. I logged on as a regular user and now it works.

PS C:\svnkit-1.10.7\bin> .\jsvn info url
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is true principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
Acquire TGT from Cache
Principal is myuser@WCEXAMPLE.COM
Commit Succeeded

Path: tortoisesvn
URL: url
Relative URL: ^/
Repository Root: url
Repository UUID: 3313e9ec-a0ff-7d43-b846-2f41dc5c0441
Revision: 29428
Node Kind: directory
Last Changed Author: stefankueng
Last Changed Rev: 29428
Last Changed Date: 2022-06-27 10:33:39 -0700 (Mon, 27 Jun 2022)

However, I still sporadically receive the following error. I’m not sure if it’s relevant to the authentication configuration.

svn: E175002: Software caused connection abort: socket write error
svn: E175002: OPTIONS request failed on '/svn/hello'

I think that I’m on the right path anyway, and my next step is to try a similar configuration with the Jenkins Subversion plug-in.

Consider this solved, but I’d still appreciate some hints or comments on the original issue and the error “E175002: Software caused connection abort: socket write error”. As you’ve already noticed, I’m not a Java expert, so any advice would be greatly appreciated. :)
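An added example, not part of the thread and not SVNKit code: a standalone Java check for the JAAS setup described in the steps above. It looks up the `com.sun.security.jgss.krb5.initiate` entry named in the log and attempts a ticket-cache login outside of jsvn. The class name `JaasKrb5Check` is hypothetical, and it assumes a JDK that can launch a single source file (Java 11 or later).

```java
import java.security.Principal;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Added diagnostic (hypothetical class name); run it with the same -D option as jsvn.bat. */
public class JaasKrb5Check {
    // JAAS entry name taken from the log: the entry the Kerberos initiator looks up.
    static final String ENTRY = "com.sun.security.jgss.krb5.initiate";

    /** Returns the login modules configured for ENTRY, or null when there are none. */
    static AppConfigurationEntry[] configuredModules() {
        try {
            return Configuration.getConfiguration().getAppConfigurationEntry(ENTRY);
        } catch (SecurityException e) {
            // Some JDKs throw here when no login configuration can be located at all.
            System.err.println("No usable JAAS configuration: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        System.out.println("java.security.auth.login.config = "
                + System.getProperty("java.security.auth.login.config"));
        AppConfigurationEntry[] modules = configuredModules();
        if (modules == null || modules.length == 0) {
            System.err.println("FAIL: no LoginModules configured for " + ENTRY);
            System.exit(1);
        }
        for (AppConfigurationEntry m : modules) {
            System.out.println("module  = " + m.getLoginModuleName());
            System.out.println("options = " + m.getOptions());
        }
        try {
            // No callback handler: with doNotPrompt=true the only credential source
            // is the ticket cache (on Windows, the TGT of the logon session).
            LoginContext lc = new LoginContext(ENTRY);
            lc.login();
            for (Principal p : lc.getSubject().getPrincipals()) {
                System.out.println("OK: TGT acquired for " + p.getName());
            }
            lc.logout();
        } catch (LoginException e) {
            System.err.println("FAIL: login from ticket cache failed: " + e.getMessage());
            System.exit(2);
        }
    }
}
```

Run it as `java -Djava.security.auth.login.config="C:\MyTestConfig\MyAuth.conf" JaasKrb5Check.java` under the same account that runs jsvn. Exit code 1 corresponds to the "No LoginModules configured" line in the log; exit code 2 means the entry was found but no TGT could be taken from the cache.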

About “E175002: Software caused connection abort: socket write error”: this is the first time I have seen such an error. Do you know of anything special about your setup that could interfere with network operations (antivirus software, firewall, etc.)? Or is it possible that you have an unstable network connection?

Do you have an opportunity to test the same setup in other network conditions? E.g. run ‘jsvn’ on another machine and/or from another network (e.g. another Wi-Fi network). This could help us to differentiate between client/server misconfiguration/misbehaviour and network/environment (firewall, antivirus, …) problems.

You could also enable logging in ‘jsvn’ to log network communication and attach the log file. An example of logging.properties can be found in the SVNKit repository.