Understanding VisualSVN Server Authentication options

Note
The content of this article is no longer updated. Please read the article KB182: VisualSVN Server authentication modes for up-to-date information.

Authentication is the process by which a server verifies that someone is who they claim to be. This usually involves a username and a password, but can include any other method of demonstrating identity (such as a smart card or fingerprints).

VisualSVN Server supports the Subversion and Windows authentication schemes. Subversion authentication relies on the internal users list maintained by VisualSVN Server, while Windows authentication relies on Active Directory credentials.

There are two different authentication methods within the Windows authentication scheme: Basic authentication and Integrated Windows Authentication. With the Basic authentication method, the user's credentials are transmitted to the server in plain text, while the Integrated Windows Authentication method uses the NTLM or Kerberos V5 authentication algorithms. The Basic and Integrated Windows authentication methods can be combined with each other.

Generally speaking, Integrated Windows Authentication is the best option for enterprise environments based on Windows. You can also use Basic authentication if you are forced to support legacy Subversion clients. Consider Subversion authentication if you do not have an Active Directory Domain.

All available authentication options are briefly described below.

Subversion authentication

Subversion authentication relies on the internal users list maintained by VisualSVN Server. This list does not include Active Directory Domain users and is specific to the VisualSVN Server instance. Users are created and configured using the VisualSVN Server Manager.

Subversion authentication is the default authentication option for VisualSVN Server. This option has the following pros and cons:

Pros:

  • The simplest option to configure. The list of all users and groups is maintained within VisualSVN Server. There are no dependencies on other applications (such as an Active Directory Domain Controller).
  • Good isolation. User credentials are dedicated to VisualSVN Server only, so there is less risk if the credentials are compromised.

Cons:

  • Management overhead. There is additional management overhead since you have to maintain one more list of user credentials (assuming that you already have a list of users in your Active Directory Domain).
  • No Single Sign-On. Users will always be asked to enter their username and password.
  • Passwords are cached on disk. Usernames and passwords are cached on disk by Subversion clients. Although the passwords are stored in a relatively safe manner, this can pose a significant security risk.

Warning
Note that with Subversion authentication, usernames and passwords are transmitted over the network in plain text. It is strongly recommended to use a secure HTTPS connection to VisualSVN Server if this authentication option is enabled.

Windows Authentication options

Windows Authentication enables users to access VisualSVN Server using their Windows credentials. This authentication option is generally intended for customers who have an Active Directory Domain.

There are two different authentication methods available in Windows Authentication:

  • Basic authentication. Users are asked to enter their Windows username and password, which are then verified by VisualSVN Server.
  • Integrated Windows Authentication. The current Windows credentials are automatically used to authenticate users to VisualSVN Server.

Tip
The Basic and Integrated Windows Authentication methods can be enabled simultaneously. In this case the Subversion client will choose the most appropriate authentication method.

The pros and cons of the Basic and Integrated Windows Authentication methods are briefly described below.

Basic Windows Authentication

Basic authentication is part of the HTTP/1.0 specification. As mentioned above, with Basic Windows Authentication users are asked to enter their Windows username and password. This information is then transmitted over HTTP(S), where it is merely encoded with Base64 rather than encrypted. The credentials are then verified by VisualSVN Server.

This authentication method has the following pros and cons:

Pros:

  • No management overhead. You do not have to maintain a separate list of users and groups.
  • Users do not have to remember an additional username and password. They access VisualSVN Server with their Windows credentials.

Cons:

  • Passwords are transmitted in plain text. Thus Basic authentication is inherently insecure unless the secure HTTPS protocol is used.
  • Passwords are cached on disk. Usernames and passwords are cached on disk by Subversion clients. Although the passwords are stored in a relatively safe manner, this can pose a significant security risk.
  • No Single Sign-On. Even though users are authenticated using their Windows credentials, they are still asked to enter their username and password in order to access VisualSVN Server.
  • No two-factor authentication. Smart card based access control is unavailable with Basic authentication. Users are always authenticated with a username and password.
  • Only Active Directory Domain users can access VisualSVN Server. It is impossible to grant access to users who do not have an account in the Active Directory Domain (external contractors, for example).

Warning
Note that with Basic authentication, usernames and passwords are transmitted over the network in plain text. It is strongly recommended to use the secure HTTPS protocol to access VisualSVN Server if Basic authentication is enabled.
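
The following is an added example, not VisualSVN code: it shows why Base64 gives no confidentiality (the header decodes straight back to the username and password) and checks which schemes a server's 401 response offers, flagging Basic over plain HTTP. The host name, account, password and realm string are constructed sample values, and the function names are hypothetical.

```python
import base64
from urllib.parse import urlsplit


def decode_basic(authorization: str) -> tuple[str, str]:
    """Recover (username, password) from a Basic Authorization header value."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    # Split on the first ':' only; the password itself may contain ':'.
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


def audit_challenges(url: str, www_authenticate: list[str]) -> dict:
    """Classify the schemes offered in a 401 response.

    Assumes one challenge per list entry, i.e. one WWW-Authenticate
    header line each, not several challenges joined by commas.
    """
    offered = {v.split(None, 1)[0].lower() for v in www_authenticate if v.strip()}
    https = urlsplit(url).scheme.lower() == "https"
    return {
        "offered": sorted(offered),
        # Negotiate and NTLM are the schemes used by Integrated Windows Authentication.
        "integrated": bool(offered & {"negotiate", "ntlm"}),
        # Basic without TLS exposes reusable Windows credentials on the wire.
        "basic_exposed": "basic" in offered and not https,
    }


# Constructed sample data (not captured from a real server).
SAMPLE_AUTH = "Basic " + base64.b64encode(b"CONTOSO\\alice:S3cret:pw").decode("ascii")
SAMPLE_401 = ["Negotiate", "NTLM", 'Basic realm="VisualSVN Server"']

if __name__ == "__main__":
    print(decode_basic(SAMPLE_AUTH))
    print(audit_challenges("http://svn.example.test/svn/repo", SAMPLE_401))
    print(audit_challenges("https://svn.example.test/svn/repo", SAMPLE_401))
```
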

Integrated Windows Authentication

When using Integrated Windows Authentication (formerly known as NTLM authentication and Windows NT Challenge/Response authentication), Subversion clients use either the NTLM or the Kerberos V5 authentication algorithm. The client and server negotiate using Microsoft's Security Support Provider Interface (SSPI).

Integrated Windows Authentication is the best authentication scheme for intranet environments using Windows. This authentication method has the following pros and cons:

Pros:

  • The best security. Usernames and passwords are never cached on disk or transmitted in an insecure manner.
  • No management overhead. You do not have to maintain a separate list of users and groups.
  • Single Sign-On. The current Windows credentials are automatically used to access VisualSVN Server.
  • Two-factor authentication. Integrated Windows Authentication allows you to use smart card based access control.

Cons:

  • An Active Directory Domain is required. Integrated Windows Authentication is quite useless without an Active Directory Domain.
  • Only Active Directory Domain users can access VisualSVN Server. It is impossible to grant access to VisualSVN Server to users who do not have an account in your Active Directory Domain (external contractors, for example).
  • May not work with legacy Subversion clients. Legacy Subversion clients may be unable to work with Integrated Windows Authentication.

Note
With default settings, Subversion clients refuse to use Integrated Windows Authentication over the insecure HTTP protocol (while allowing it over the secure HTTPS protocol). For further details about this issue, see the KB40 article.