Thank you Philip, Per your info, I applied subversion 1.8.15 and rebuilt my apache subversion server. I am still seeing the same issue. MSIE browser can navigate repository via kerberos, but Chrome and TSVN will only return credentials for the root of the repo. TSVN does not return credentials for URLS within the repo, as shown below in a comparison between TSVN and MSIE clients.
TSVN (authentication denied): [Fri Dec 18 14:14:59.433207 2015] [ssl:info] [pid 44383] [client 133.4.86.222:55652] AH01964: Connection to child 6 established (server itest04.vexor.com:7100) [Fri Dec 18 14:14:59.433586 2015] [ssl:debug] [pid 44383] ssl_engine_kernel.c(1931): [client 133.4.86.222:55652] AH02043: SSL virtual host for servername itest04.vexor.com found [Fri Dec 18 14:14:59.480634 2015] [ssl:debug] [pid 44383] ssl_engine_kernel.c(1855): [client 133.4.86.222:55652] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) [Fri Dec 18 14:14:59.481564 2015] [ssl:debug] [pid 44383] ssl_engine_kernel.c(238): [client 133.4.86.222:55652] AH02034: Initial (No.1) HTTPS request received for child 6 (server itest04.vexor.com:7100) [Fri Dec 18 14:14:59.481687 2015] [authz_svn:debug] [pid 44383] subversion/mod_authz_svn/mod_authz_svn.c(439): [client 133.4.86.222:55652] Path to authz file is /usr/local/scm/apache2.4.17kerb/conf/accessControl.conf [Fri Dec 18 14:14:59.482223 2015] [authz_core:debug] [pid 44383] mod_authz_core.c(806): [client 133.4.86.222:55652] AH01626: authorization result of Require valid-user : denied (no authenticated user yet) [Fri Dec 18 14:14:59.482242 2015] [authz_core:debug] [pid 44383] mod_authz_core.c(806): [client 133.4.86.222:55652] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet) [Fri Dec 18 14:14:59.482958 2015] [ssl:info] [pid 44383] (70014)End of file found: [client 133.4.86.222:55652] AH01991: SSL input filter read failed. [Fri Dec 18 14:14:59.483000 2015] [ssl:debug] [pid 44383] ssl_engine_io.c(1003): [client 133.4.86.222:55652] AH02001: Connection closed to child 6 with standard shutdown (server itest04.vexor.com:7100) MSIE (authenticates good) [Fri Dec 18 14:20:46.254122 2015] [auth_kerb:debug] [pid 44368] src/mod_auth_kerb.c(1250): [client 133.5.86.222:55666] Acquiring creds for HTTP/itest04.vexor....@campus.vexor.com, referer: https://itest04.vexor.com:7100/cm_repo1/ [Fri Dec 18 14:20:46.257059 2015] [auth_kerb:debug] [pid 44368] src/mod_auth_kerb.c(1395): [client 133.5.86.222:55666] Verifying client data using KRB5 GSS-API , referer: https://itest04.vexor.com:7100/cm_repo1/ [Fri Dec 18 14:20:46.258142 2015] [auth_kerb:debug] [pid 44368] src/mod_auth_kerb.c(1411): [client 133.5.86.222:55666] Client didn't delegate us their credential, referer: https://itest04.vexor.com:7100/cm_repo1/ [Fri Dec 18 14:20:46.258163 2015] [auth_kerb:debug] [pid 44368] src/mod_auth_kerb.c(1430): [client 133.5.86.222:55666] GSS-API token of length 167 bytes will be sent back, referer: https://itest04.vexor.com:7100/cm_repo1/ [Fri Dec 18 14:20:46.258675 2015] [auth_kerb:debug] [pid 44368] src/mod_auth_kerb.c(1544): [client 133.5.86.222:55666] kerb_authenticate_a_name_to_local_name sma...@campus.vexor.com -> smandy, referer: https://itest04.vexor.com:7100/cm_repo1/ [Fri Dec 18 14:20:46.258704 2015] [authz_svn:debug] [pid 44368] subversion/mod_authz_svn/mod_authz_svn.c(439): [client 133.5.86.222:55666] Path to authz file is /usr/local/scm/apache2.4.17kerb/conf/accessControl.conf, referer: https://itest04.vexor.com:7100/cm_repo1/ [Fri Dec 18 14:20:46.259500 2015] [authz_svn:info] [pid 44368] [client 133.5.86.222:55666] Access granted: 'smandy' GET cm_repo1:/testproj, referer: https://itest04.vexor.com:7100/cm_repo1/ [Fri Dec 18 14:20:46.260458 2015] [authz_core:debug] [pid 44368] mod_authz_core.c(806): [client 133.5.86.222:55666] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://itest04.vexor.com:7100/cm_repo1/ [Fri Dec 18 14:20:46.260480 2015] [authz_core:debug] [pid 44368] mod_authz_core.c(806): [client 133.5.86.222:55666] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://itest04.vexor.com:7100/cm_repo1/ [Fri Dec 18 14:20:46.260490 2015] [auth_kerb:debug] [pid 44368] src/mod_auth_kerb.c(1638): [client 133.5.86.222:55666] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://itest04.vexor.com:7100/cm_repo1/ [Fri Dec 18 14:20:46.260497 2015] [auth_kerb:debug] [pid 44368] src/mod_auth_kerb.c(1576): [client 133.5.86.222:55666] matched previous auth request, referer: https://itest04.vexor.com:7100/cm_repo1/ [Fri Dec 18 14:20:46.261386 2015] [auth_kerb:debug] [pid 44368] src/mod_auth_kerb.c(1544): [client 133.5.86.222:55666] kerb_authenticate_a_name_to_local_name sma...@campus.vexor.com -> smandy, referer: https://itest04.vexor.com:7100/cm_repo1/ [Fri Dec 18 14:20:46.261414 2015] [authz_svn:debug] [pid 44368] subversion/mod_authz_svn/mod_authz_svn.c(439): [client 133.5.86.222:55666] Path to authz file is /usr/local/scm/apache2.4.17kerb/conf/accessControl.conf, referer: https://itest04.vexor.com:7100/cm_repo1/ [Fri Dec 18 14:20:46.261438 2015] [authz_svn:info] [pid 44368] [client 133.5.86.222:55666] Access granted: 'smandy' GET cm_repo1:/testproj/myfile, referer: https://itest04.vexor.com:7100/cm_repo1/ MY BUILD Fri Dec 18 13:57:33.757795 2015] [ssl:info] [pid 44292] AH01876: mod_ssl/2.4.17 compiled against Server: Apache/2.4.17, Library: OpenSSL/1.0.2a [Fri Dec 18 13:57:33.759275 2015] [mpm_prefork:notice] [pid 44292] AH00163: Apache/2.4.17 (Unix) mod_auth_kerb/5.4 OpenSSL/1.0.2a SVN/1.8.15 configured -- resuming normal operations [Fri Dec 18 13:57:33.759296 2015] [mpm_prefork:info] [pid 44292] AH00164: Server built: Dec 17 2015 14:22:22 On Fri, Dec 18, 2015 at 12:15 PM, Philip Martin <philip.mar...@wandisco.com> wrote: > ken edward <kedward...@gmail.com> writes: > > > I installed > > Subversion 1.8.14 > > Apache 2.4.17 > > mod_auth_kerb-5.4 > > > 133.16.84.222 - - [16/Dec/2015:15:13:21 -0500] "OPTIONS > > /cm_repo1/testprojHTTP/1.1" > > 401 38 > > 1.8.14 has a bug that affects 3rd party authn modules such as > mod_auth_kerb and mod_auth_ldap. This bug causes Apache to return 401 > responses without a WWW-Authenticate header and this means clients do > not attempt to authenticate. 1.8.15 as a fix for this bug. > > -- > Philip Martin > WANdisco >
