Integrated Windows Authentication does not work over the HTTP protocol

Applies to: Subversion 1.7 and older clients

Subversion 1.7 and older clients by default prohibit to use NTLM/Negotiate authentication when users connect to server over unsecure HTTP protocol. This problem does not affect modern Subversion 1.8 or later clients. This problem is identified by the following message on the client side:

authorization failed: Could not authenticate to server: ignored NTLM challenge

In order to resolve the problem, switch to use the secure HTTPS protocol. To enable HTTPS protocol in the VisualSVN Server, perform following steps:

  1. Start VisualSVN Server Manager.
  2. Open the Properties dialog for the root node.
  3. Switch to the Network tab.
  4. Enable the Use secure connection... check-box.
  5. Click the OK button.

VisualSVN Server service will be restarted and HTTPS protocol will be enabled (while unsecure HTTP protocol will be disabled). Note that by default, secure HTTPS connections will be established using the preconfigured self-signed server certificate. For further details regarding the server certificates please consider the KB34 article.

Enabling Integrated Windows Authentication over the HTTP protocol

To protect from eavesdroppers and man-in-the-middle attacks it's not recommended to use NTLM/Negotiate authentication over the unsecure HTTP protocol. That's why this option is disabled by default.

But if you are forced to use the HTTP protocol, you can manually reconfigure Subversion clients. NTLM/Negotiate authentication over the HTTP protocol can be enabled using the http-auth-types Subversion configuration option. The default value for this option is "http-auth-types = basic". In order to allow NTLM/Negotiate authentication you should change this value to "http-auth-types = basic;negotiate".

Assuming that your VisualSVN Server is accessible at svn.example.com URL, you should add the following settings to the Windows registry: 

[HKEY_CURRENT_USER\Software\Tigris.org\Subversion\servers\groups]
"mainserver"="svn.example.com"

[HKEY_CURRENT_USER\Software\Tigris.org\Subversion\servers\mainserver]
"http-auth-types"="basic;negotiate"

Note that you are requested to apply the above settings for each user. Also you can use the HKEY_LOCAL_MACHINE registry key if would like to configure these settings on a per machine basis. For further details regarding Subversion configuration options consider the Runtime Configuration Area chapter in the Version Control with Subversion book.

Last Modified: