403 Forbidden error when using SVNKit and NTLM for authentication in Subversion

Related content

  • No related content found

Still need help?

The Atlassian Community is here for you.

Ask the community

Problem

When a domain / NTLM user (DOMAIN\username) is specified for authentication with Subversion, if using the bundled SVNKit library, the following error gets written in atlassian-fisheye.log:

2017-02-22 13:19:05,937 DEBUG [InitPing3 SVNRepo ] fisheye RepositoryStatus-setMessage - Status change [SVNRepo]: Contacting repository.
2017-02-22 13:19:05,937 INFO  [InitPing3 SVNRepo ] fisheye BaseRepositoryScanner-ping - processing repository SVNRepo (SVNRepo)
2017-02-22 13:19:05,937 DEBUG [InitPing3 SVNRepo ] fisheye PartitionedChangeSetPhaseQueues-withRetriableTransaction - Transaction_100000011 depth=0 status=<not running> completed, attempts = 1
2017-02-22 13:19:05,937 INFO  [InitPing3 SVNRepo ] fisheye Svn2Scanner-doSlurpTransaction - Starting slurp of SVNRepo (SVNRepo)
2017-02-22 13:19:05,937 DEBUG [InitPing3 SVNRepo ] fisheye SvnRepositoryTester-checkRepoSettings - Checking repository:  SVNRepo:http://hostname/SVNRepo/
2017-02-22 13:19:05,937 DEBUG [SvnExecution1113 SVNRepo ] fisheye SvnTask$1-run - Executing (InitPing3 SVNRepo) svn info -r HEAD http://hostname/SVNRepo/@HEAD
2017-02-22 13:19:05,937 WARN  [InitPing3 SVNRepo ] fisheye SvnRepositoryTester-getServerRootURL - Unable to get info for the repository root for SVNRepo
com.cenqua.fisheye.rep.RepositoryClientException: java.lang.IllegalStateException: Can't overwrite cause with org.tmatesoft.svn.core.SVNAuthenticationException: svn: E170001: PROPFIND of '/SVNRepo/!svn/bc/5639': 403 Forbidden (http://hostname)
	at com.cenqua.fisheye.svn.SvnThrottledClient.executeNoThrottle(SvnThrottledClient.java:189) [fisheye.jar:?]
	at com.cenqua.fisheye.svn.SvnThrottledClient.execute(SvnThrottledClient.java:158) [fisheye.jar:?]
	at com.cenqua.fisheye.svn.SvnThrottledClient.info(SvnThrottledClient.java:110) [fisheye.jar:?]
	at com.cenqua.fisheye.svn.SvnRepositoryTester.getServerRootURL(SvnRepositoryTester.java:91) [fisheye.jar:?]
	at com.cenqua.fisheye.svn.SvnRepositoryTester.checkRepoSettings(SvnRepositoryTester.java:74) [fisheye.jar:?]
	at com.cenqua.fisheye.svn.SvnRepositoryTester.testConnection(SvnRepositoryTester.java:67) [fisheye.jar:?]
	at com.atlassian.fisheye.svn.Svn2Scanner.validateRepository(Svn2Scanner.java:133) [fisheye.jar:?]
	at com.atlassian.fisheye.svn.Svn2Scanner.doSlurpTransaction(Svn2Scanner.java:181) [fisheye.jar:?]
	at com.cenqua.fisheye.rep.BaseRepositoryScanner.ping(BaseRepositoryScanner.java:73) [fisheye.jar:?]
	at com.cenqua.fisheye.rep.BaseRepositoryEngine.doSlurp(BaseRepositoryEngine.java:85) [fisheye.jar:?]
	at com.cenqua.fisheye.rep.RepositoryEngine.slurp(RepositoryEngine.java:419) [fisheye.jar:?]
	at com.cenqua.fisheye.rep.ping.IndexingPingRequest.doRequest(IndexingPingRequest.java:28) [fisheye.jar:?]
	at com.cenqua.fisheye.rep.ping.IncrementalPingRequest.doRequest(IncrementalPingRequest.java:30) [fisheye.jar:?]
	at com.cenqua.fisheye.rep.ping.PingRequest$1.run(PingRequest.java:55) [fisheye.jar:?]
	at com.cenqua.fisheye.util.NamedExecution.run(NamedExecution.java:27) [fisheye.jar:?]
	at com.cenqua.fisheye.rep.ping.PingRequest.process(PingRequest.java:52) [fisheye.jar:?]
	at com.cenqua.fisheye.rep.RepositoryHandle.processPingRequests(RepositoryHandle.java:211) [fisheye.jar:?]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_102]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_102]
	at java.lang.Thread.run(Thread.java:745) [?:1.8.0_102]
Caused by: java.lang.IllegalStateException: Can't overwrite cause with org.tmatesoft.svn.core.SVNAuthenticationException: svn: E170001: PROPFIND of '/SVNRepo/!svn/bc/5639': 403 Forbidden (http://hostname)
	at java.lang.Throwable.initCause(Throwable.java:457) [?:1.8.0_102]
	at org.tmatesoft.svn.core.javahl17.SVNClientImpl.getClientException(SVNClientImpl.java:1536) [svnkit-javahl16-1.9.0-r10609-atlassian-hosted.jar:?]
	at org.tmatesoft.svn.core.javahl17.SVNClientImpl.info(SVNClientImpl.java:1734) [svnkit-javahl16-1.9.0-r10609-atlassian-hosted.jar:?]
	at org.tmatesoft.svn.core.javahl17.SVNClientImpl.info2(SVNClientImpl.java:1710) [svnkit-javahl16-1.9.0-r10609-atlassian-hosted.jar:?]
	at org.apache.subversion.javahl.SVNClient.info2(SVNClient.java:307) [svnkit-javahl16-1.9.0-r10609-atlassian-hosted.jar:?]
	at com.cenqua.fisheye.svn.SvnThrottledClient$1.call(SvnThrottledClient.java:116) [fisheye.jar:?]
	at com.cenqua.fisheye.svn.SvnThrottledClient$1.call(SvnThrottledClient.java:111) [fisheye.jar:?]
	at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_102]
	at com.cenqua.fisheye.svn.SvnTask.access$101(SvnTask.java:13) [fisheye.jar:?]
	at com.cenqua.fisheye.svn.SvnTask$1.run(SvnTask.java:35) [fisheye.jar:?]
	at com.cenqua.fisheye.util.NamedExecution.run(NamedExecution.java:27) [fisheye.jar:?]
	at com.cenqua.fisheye.svn.SvnTask.run(SvnTask.java:30) [fisheye.jar:?]
	... 3 more
Caused by: org.apache.subversion.javahl.ClientException: svn: E170001: PROPFIND of '/SVNRepo/!svn/bc/5639': 403 Forbidden (http://hostname)
	at org.apache.subversion.javahl.ClientException.fromException(ClientException.java:117) [svnkit-javahl16-1.9.0-r10609-atlassian-hosted.jar:?]
	at org.tmatesoft.svn.core.javahl17.SVNClientImpl.getClientException(SVNClientImpl.java:1535) [svnkit-javahl16-1.9.0-r10609-atlassian-hosted.jar:?]
	... 13 more

If the repository server only offers NTLM authentication, then SVNKit cannot connect reliably.

Cause

According to SVNKit documentation it should work with NTLM, but configuration is needed as mentioned in the JAAS documentation eg. https://docs.oracle.com/javase/8/docs/technotes/guides/security/jaas/JAASRefGuide.html.

FE-4879 - Getting issue details... STATUS is the existing feature request to provide NTLM support for Fisheye.

Resolutions

Preferred - Enable JAAS in Fisheye

Steps to do this can be found here:

Fisheye and NTLM

Switch to Basic Authentication, by following these steps:

  1. Configure repository server to offer both Basic and NTLM authentication (Apache httpd only).
    Use Apache mod_auth_sspi module on the server side, and add the following option to the Subversion repository location:

    SSPIOfferBasic On

  2. Force Fisheye to prefer Basic Authentication
    Force Fisheye/SVNKit to prefer basic authentication by adding the following to the FISHEYE_OPTS environment variable:

    -Dsvnkit.http.methods=Basic,Digest,Negotiate,NTLM
  3. You will then likely have to create a new Subversion user that uses basic authentication, and configure that user in Fisheye.

Last modified on Dec 12, 2022

Was this helpful?

Yes
No
Provide feedback about this article

Related content

  • No related content found
Powered by Confluence and Scroll Viewport.