I can remote desktop into a given machine and run svn, without giving authentication information, and it works; my AD authentication allows me access to the repository I want.

I can use PowerShell to connect to the machine and execute svn commands as well. However, when I do, I get "access forbidden". `[Environment]::UserName` appears with the username I expected (my AD username) when run from the script that's being remotely executed.

What am I missing to make this work?

Some code:

```powershell
$Session = New-PSSession -ComputerName $computerName;

if (-Not ($Session)) {
    Write-Host "Did not create session!";
    Return;
}

Invoke-Command -Session $Session -FilePath 'switchAllRepositories.ps1' -ArgumentList $branchName;

Remove-PSSession $Session;
```

and in switchAllRepositories, I have a parameter:

```powershell
Param(
  [string]$branchURL
)
```

a series of calls like:

```powershell
If(Test-Path "C:\webfiles\repositoryname") {
    Write-Host "Switching repositoryname"
    SwitchRepo "repositoryname" ($branchURL) "C:\webfiles\repositoryname";
}
```

which call:

```powershell
Function SwitchRepo ($repoName, $branchPath, $workingCopy)
{
    $to = ("https://[url]/svn/" + $repoName + $branchPath);
    Write-Host "to $to";

    #debug
    $user = [Environment]::UserName
    Write-Host "as $user";

    $exe = "C:\Program Files\TortoiseSVN\bin\svn.exe";
    &$exe switch "$to" "$workingCopy" --username [redacted] --password [redacted] --no-auth-cache --non-interactive --trust-server-cert

    # svn.exe is a native command started with &, so its exit code is in $LASTEXITCODE
    if ($LASTEXITCODE -ne 0) {
        #$wshell = New-Object -ComObject Wscript.Shell
        #$wshell.Popup("Error switching " + $repoName,0,"Done",0x1)
        Write-Host "Error detected!"
    }
}
```

The exact error is:

```
svn: E175013: Unable to connect to a repository at URL '[snipped]'
    + CategoryInfo          : NotSpecified: (svn: E175013: U...eases/20150620':String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

svn: E175013: Access to '[snipped]' forbidden
```

Yamikuronue
  • Depends on how you connect. – Mathias R. Jessen Jun 11 '15 at 13:20
  • @MathiasR.Jessen What do you need to know? I'm creating a remote session and invoking a script using the session. – Yamikuronue Jun 11 '15 at 15:15
  • Show the part of `switchAllRepositories.ps1` where it accepts parameters (when you call it with `Invoke-Command` you are sending a branch name as an argument), it should be a param block right at the top of the ps1 I think. – briantist Jun 16 '15 at 16:45
  • @briantist er, why? I can verify for a fact that the branch reported in the error exactly matches the branch I passed into the script. Is there something you're getting at? I feel like too much irrelevant code makes a question harder to read. – Yamikuronue Jun 16 '15 at 16:47
  • Right now I can't see a full path from the code that uses `Invoke-Command` to the code that's throwing the error. For example I have no idea if the `$branchURL` variable corresponds to what you're passing in via `$branchName`. They are named such that they seem unrelated, but if that's the case, then I don't know where `$branchURL`'s value comes from. Typically on SO, the problem is too little code, not too much. – briantist Jun 16 '15 at 16:51
  • @briantist Well I added the three lines that pass along the parameter. Often on SO I get people demanding more and more code, then quietly vanishing when it turns out I didn't overlook something easy, so I'm kind of gun-shy here. Are you seeing anything I can test? – Yamikuronue Jun 16 '15 at 17:07
  • If you RDP into the machine, and then run that ps1 file interactively, does it work? Basically, can you use it directly (without remoting) on the target machine: `switchAllRepositories.ps1 -branchURL actualbranchname` – briantist Jun 16 '15 at 17:08
  • @briantist Yes, it works fine. But I'm using it under my username, which is the same as using it on my local machine as far as authentication goes. It's clearly the double-hop you mentioned that's making it break, but I don't understand why the credentials I'm passing in aren't overriding the Kerberos authentication and preventing the double-hop from being an issue. – Yamikuronue Jun 16 '15 at 17:12
  • I'm mostly out of ideas. Perhaps you can check the logs on the svn server to get some more clues? If it's running through apache, then the error logs are probably helpful (if we can see what the server is logging during the failed authentication, we might be able to confirm which credentials it's seeing, or something else we haven't thought of). – briantist Jun 16 '15 at 17:29

1 Answer

It would help to see the code you're using, but if it's what I suspect then you're using PowerShell remoting with either Enter-PSSession or Invoke-Command.

Since those will default to using Kerberos authentication, and the SVN server is probably on a 3rd machine, you're likely running into the Kerberos double-hop authentication issue.

Simply put, you can't remote into machine B from machine A, then from within that session try to access machine C using the same authentication context.

You may be able to work around this in a few ways: CredSSP is often brought up in these but I find it's complicated and typically a re-thinking of the workflow turns out better.

So for example, you might be able to explicitly specify credentials for the SVN commands.

Or, you can create your own endpoint on the server that uses a RunAs user. Then all the commands will be from Machine B as a specific user:

briantist
  • That looks like exactly what I'm missing :) But why, then, when I tried hardcoding the username and password into my script, did that not work either? Probably something about SVN trying to prefer the Kerberos over the provided credentials or some such. – Yamikuronue Jun 16 '15 at 12:01
  • Not sure which lines you want but I edited in some of the code. – Yamikuronue Jun 16 '15 at 16:24
  • Can you post `switchAllRepositories.ps1` also? If you RDP into the machine, and then run that ps1 file interactively, does it work? Also, are you certain that the access forbidden error is coming from SVN? Try to post the entire error verbatim if possible. – briantist Jun 16 '15 at 16:34
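
The RunAs endpoint option mentioned in the answer above, sketched as an added example that is not part of the original answer or its author's code: a session configuration registered on machine B runs every command as a dedicated account, so the hop to the SVN server no longer depends on delegating the caller's Kerberos identity. The endpoint name `SvnSwitch`, the computer name and the branch value are assumptions for illustration.

```powershell
# Added example; names marked (hypothetical) are assumptions, not from the original post.

# --- Part 1: run once on machine B (the remoting target), in an elevated PowerShell ---
$endpointName = 'SvnSwitch'   # (hypothetical) endpoint name

# Use a dedicated, low-privilege account that has access only to the SVN repositories
# this job needs, not a personal or administrative account.
$runAs = Get-Credential -Message 'Account the endpoint will run as'

$config = @{
    Name                     = $endpointName
    RunAsCredential          = $runAs
    # Opens the ACL dialog: limit "Execute (Invoke)" to the users or group allowed
    # to run the switch job. Everyone who can connect acts as the RunAs account.
    ShowSecurityDescriptorUI = $true
    Force                    = $true   # suppresses prompts; the WinRM service is restarted
}
Register-PSSessionConfiguration @config

# Review what is registered and who may connect.
Get-PSSessionConfiguration -Name $endpointName |
    Format-List Name, RunAsUser, Permission

# --- Part 2: run on machine A (the caller) ---
$computerName = 'machineB'            # (hypothetical) target computer
$branchName   = '/branches/example'   # (hypothetical) branch path

$Session = New-PSSession -ComputerName $computerName `
                         -ConfigurationName $endpointName `
                         -ErrorAction Stop
try {
    # Shows the identity that will make the second hop to the SVN server:
    # this is the RunAs account, not the caller.
    Invoke-Command -Session $Session -ScriptBlock { whoami }

    Invoke-Command -Session $Session -FilePath 'switchAllRepositories.ps1' -ArgumentList $branchName
}
finally {
    Remove-PSSession $Session
}
```

When the endpoint is no longer needed, `Unregister-PSSessionConfiguration -Name SvnSwitch` on machine B removes it.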