Applies to: VisualSVN Server 5.0 and later
VisualSVN Server supports Subversion and Windows authentication modes. This article describes VisualSVN Server settings related to the Windows authentication mode. These settings can be found on the Authentication tab in the VisualSVN Server Properties dialog.
To learn more about Subversion and Windows authentication modes and the differences between them, see the KB182: VisualSVN Server authentication modes article. It also provides instructions on how to change the authentication mode.
Authentication methods
Windows authentication mode supports two authentication methods: Basic authentication and Integrated Windows Authentication.
Basic authentication
When the Basic authentication check box is selected, users are prompted to enter their Windows credentials to authenticate to VisualSVN Server. The entered credentials are transmitted over the HTTP(S) protocol to VisualSVN Server. The server then verifies the credentials and decides whether to authenticate the user.
Basic authentication is compatible with all Subversion clients. Despite its simplicity, Basic authentication has obvious limitations such as weak security and no support for single sign-on and two-factor authentication. It is not recommended to use Basic authentication as the only available authentication method on the server.
Integrated Windows Authentication
When the Integrated Windows Authentication check box is selected, users are automatically authenticated using their current Windows credentials. Therefore, users are not requested to enter their username and password. During the authentication process, the client and the server negotiate the use of either Kerberos or NTLM security protocols, with Kerberos being the protocol of choice.
In general, Integrated Windows Authentication is considered the best authentication method for its security and user convenience due to support for single sign-on and two-factor authentication. It is therefore recommended that this method be the only one enabled on the server.
Password guessing attack protection
Available since VisualSVN Server 5.2
Password guessing attack protection is a countermeasure against brute-force and dictionary attacks, which attempt to discover users' login/authentication credentials for VisualSVN Server by systematically trying out a large number of different username and password combinations. In the Windows authentication mode with Basic authentication enabled, such attacks may eventually discover correct credentials for Windows user accounts (including the server's local Windows accounts and Active Directory accounts in the server's domain).
Block IP addresses after multiple authentication failures
Selecting the Block IP addresses after multiple authentication failures checkbox enables password guessing attack protection. If this checkbox is selected, the server detects if any particular IP addresses send too many authentication requests with invalid login credentials within a short period of time, and temporarily blocks further requests from these offending IP addresses. For more information, see the Further details on the blocking of offending IP addresses section in the article titled KB217: Understanding password guessing attack protection in VisualSVN Server.
Advanced settings for Password guessing attack protection
The Advanced settings provide several adjustable values that fine-tune the protection, such as the maximum allowed number of failed authentication attempts. For details about these settings, see the Advanced settings section in the article titled KB217: Understanding password guessing attack protection in VisualSVN Server.
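The general mechanism described above (count failed attempts per IP address within a short time window, then block that address temporarily) can be sketched as follows. This is an added example, not VisualSVN Server's own code; the class name, the thresholds and the sample events are assumptions made for illustration.

```python
from collections import defaultdict, deque

class FailedAuthBlocker:
    """Sliding-window blocker: too many failed logins from one IP -> temporary block."""

    def __init__(self, max_failures=5, window=60.0, block_time=300.0):
        # All three values are assumptions for this sketch, not product defaults.
        self.max_failures = max_failures
        self.window = window
        self.block_time = block_time
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._blocked_until = {}             # ip -> time at which the block expires

    def is_blocked(self, ip, now):
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[ip]      # block has expired
            return False
        return True

    def record(self, ip, success, now):
        """Process one authentication attempt; return 'blocked', 'ok' or 'failed'."""
        if self.is_blocked(ip, now):
            return "blocked"                 # rejected before credentials are checked
        if success:
            return "ok"
        recent = self._failures[ip]
        recent.append(now)
        while now - recent[0] > self.window:
            recent.popleft()                 # forget failures older than the window
        if len(recent) >= self.max_failures:
            self._blocked_until[ip] = now + self.block_time
            recent.clear()
        return "failed"

def replay(events, **settings):
    """Feed (time, ip, success) events through a fresh blocker, return the outcomes."""
    blocker = FailedAuthBlocker(**settings)
    return [blocker.record(ip, ok, t) for t, ip, ok in events]

# Constructed sample events: (seconds, client IP, credentials valid?)
EVENTS = [
    (0, "203.0.113.7", False), (1, "203.0.113.7", False), (2, "203.0.113.7", False),
    (3, "198.51.100.4", False), (4, "203.0.113.7", True), (5, "198.51.100.4", True),
    (40, "203.0.113.7", True),
]
```

In this sketch a blocked address is rejected even when it finally presents a valid password, which is what makes continued guessing from that address pointless, while a client with a single mistyped password is unaffected.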
Save username in UPN format (user@DOMAIN)
When the Save username in UPN format (user@DOMAIN) check box is selected, the svn:author revision property will contain the username of the person who created the revision in the User Principal Name (UPN) format. The username in this format consists of a username itself and a domain name joined using the @ symbol. For example: john.doe@CONTOSO
When the Save username in UPN format (user@DOMAIN) check box is cleared, the svn:author revision property will contain the username of the person who created the revision. For example: john.doe