Subversion with Windows authentication on Server 2003

Subversion is a powerful source code control repository, but getting it to authenticate using Windows users can be a mite tricky...

In this setup the aim is to have an Apache served repository allow author details to be recorded in the subversion repository (predominantly to allow you to find out who to blame) - so the setup will be simply to allow all users read access to the repository and ensure that domain authenticated users only are allowed to write to the repository.

First step is to install the Subversion repository and get it running with Apache; I find the CollabNet package really well put together (v 1.4.6 is what is used in this setup and can be obtained from  The CollabNet install is very simple just be sure to choose Apache, and make sure the repository is working unauthenticated before moving on.

Once its all running you need to download the mod_auth_sspi Apache plug in, there are various builds available, but the one I have found to be reliable is the sourceforge project available from  You need to make sure you use the correct plug in version for the version of Apache, version 1.04 from the drop works with the v1.4.6 CollabNet package.  From the downloaded zip copy the file into the httpd\modules in the CollabNet install directory (default is c:\program files\CollabNet Subversion Server\httpd\modules).  Then you need to edit the httpd.conf file in the CollabNet install directory http\conf (default c:\program files\CollabNet Subversion Server\httpd\conf):


	LoadModule sspi_auth_module modules/

after the load:

	LoadModule auth_module modules/

then add

	LoadModule authz_svn_module modules/


after the load:


	LoadModule dav_svn_module modules/

Finally add

	# authentication	
	AuthName "Subversion Authentication"	
	AuthType SSPI	SSPIAuth On	
	SSPIAuthoritative On	
	SSPIOfferBasic On	
	SSPIOmitDomain On 	
	SSPIUsernameCase upper	
		Require valid-user	

within the <Location> tag at the end of the file following the location defaults

	DAV svn	SVNParentPath C:/svn_repository

The settings are in the main self explanatory, AuthType SSPI is fairly obvious as are SSPIAuth and SSPIAuthoritative (turning it on).  The SSPIDomain define the domain to authenticate against, and must be the full domain name.  The SSPIOfferBasic, SSPIOmitDomain and SSPIUsernameCase settings ensure the user is correctly prompted for authentication when requesting an operation other than the basic read ones listed in LimitExcept. 

There are ways to finely control access rights at all levels of the repository - but frankly I find the simplest configuration of recording the user who made the change rather than locking down easiest to manage in the long run.

After making the config changes restart the Apache server in the services.msc control panel plug in.  If it starts then you have done everything and just need to make sure that authentication details are recorded when you make repository changes (if you are using TortoiseSVN don't try this test using the repository browser to create folders it just doesn't request the authentication!).  If the service doesn't start then you have to start trial and error!  My recommendation would be to add the config items piece by piece in the order listed above checking the Apache logs as you go.  The authentication block is usually the tricky bit, again commenting out the salient bits (like SSPIDomain and LimitExcept) until the service starts.

Once you are at this point you can start additional configuration as required to more finely control access to the repository - however now is when I normally leave it...

Comments are closed