
I am setting up a Windows-based Subversion setup via SVNSERVE under which users authenticate to Active Directory via SASL and the GSSAPI. I know that some providers offer pre-packaged installations of Subversion with integrated AD support out of the box, but those are not an option in my situation.

I'm using Subversion 1.7.4 for Windows, MIT Kerberos V5 (3.2.2) for Windows, and will be accessing the repository from Tortoise SVN clients on Win64 boxes. SVNSERVE is running as a system service under a domain account.

For my repository server, I believe I have all the basic pieces in place (svn, Kerberos, with SVNSERVE deferring to SASL authentication, which is then configured to use GSSAPI for the mechanism). I am now to the point where an attempt to query the repository results in a "Could not negotiate authentication mechanism," which is what I expect at this point because I have not defined the SPN for the repository host to query Kerberos. Network capture tells me that the SPN "svn/*FQDN_of_host_omitted*" is not a recognized SPN, which is precisely what I expect at this point...

So, although I know I need an SPN, I need a bit of guidance on getting the proper SPN set, as I cannot do it myself in this test environment (it must be requested, so I want to ensure I request the proper combination). My belief is I need the SPNs listed below, but I would greatly appreciate it if someone could verify that I'm in the right direction. I'm getting confused regarding whether an SPN is needed purely for the svn service against the host, or for the svn service against the host through a designated account, or both.

So, I believe I may need one or all of the following. Which, if any, are right/wrong?:

#1 SPN for svn service on non-FQDN of host machine:
setspn -F -A svn/*nonFQDN_of_host* *nonFQDN_of_host*

#2 SPN for svn service on FQDN of host machine:
setspn -F -A svn/*FQDN_of_host* *FQDN_of_host*

#3 SPN for svn service from non-FQDN of host through service account:
setspn -F -A svn/*nonFQDN_of_host* *domain\svnhostaccount*

#4 SPN for svn service from FQDN of host through service account:
setspn -F -A svn/*FQDN_of_host* *domain\svnhostaccount*

Thanks in advance for the assistance, and hopefully the question isn't too foolish on its face :)

David W

1 Answer


I was flipping through old questions and stumbled across this one. Answering late because I've only been a member since October 2016. The answer to this one is as follows. Note: Use setspn -S instead of setspn -A, the reason being that the "-S" switch looks for duplicates while the older "-A" switch does not. Also, it is generally preferred to tie SPNs to a service account, rather than to a host machine account, when setting new SPNs, because that way gives you more flexibility in the event you want to send traffic through a load-balancer; the traffic can get routed to whichever host inside of a pre-determined pool of machines is available, whereas SPNs tied to a host machine will only work on the specified host machine. All that being said, you would have wanted to run your setspn commands as below, at the time you asked your question:

#1 SPN for svn service on non-FQDN of host machine:

setspn -F -S svn/*nonFQDN_of_host* *nonFQDN_of_host*

#2 SPN for svn service on FQDN of host machine:

setspn -F -S svn/*FQDN_of_host* *FQDN_of_host*

#3 SPN for svn service from non-FQDN of host through service account:

setspn -F -S svn/*nonFQDN_of_host* *svnhostaccount*

#4 SPN for svn service from FQDN of host through service account:

setspn -F -S svn/*FQDN_of_host* *svnhostaccount*
T-Heron
  • Thanks for the effort, @T-Heron. Regrettably, this project was abandoned shortly after I posted this as I was unable to persuade TPTB to use Subversion over Team Foundation Server. – David W Feb 08 '17 at 11:08
  • Understood; if you feel this response answered your question please mark it as such so that it may help others; otherwise please let me know if you had any other questions. – T-Heron Mar 03 '17 at 18:40
  • Hey T-Heron: Could you follow up a bit more with respect to the last sentence in David W's question? Specifically, whether just one or all of those SPN variations are needed in the context of the question? Are any of them wrong AFAYK? – jaguild Jan 31 '18 at 05:32
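The following PowerShell script is an added example, not part of the question or of T-Heron's answer. It does what a practitioner would want to do before sending the SPN request described in the question: for the FQDN and short-name forms of the svn SPN, it reports whether each is unregistered, registered on exactly one object, or registered on more than one object (a duplicate SPN, which breaks Kerberos for that name), and, only when asked, registers both forms to the service account with setspn -F -S, the form the answer recommends. It assumes the ActiveDirectory module (RSAT) and setspn.exe are present and that the caller has read access to AD; the host name and account name are placeholders.

```powershell
# Added example for checking and (optionally) registering svn SPNs.
# Not from the original question or answer. Host and account names are placeholders.
param(
    [string]$ServiceClass   = 'svn',
    [string]$HostFqdn       = 'svnhost.example.corp',   # placeholder FQDN of the svnserve host
    [string]$ServiceAccount = 'svnhostaccount',         # placeholder sAMAccountName of the svnserve service account
    [switch]$Register                                   # without this switch the script only reports
)

Import-Module ActiveDirectory

# The two name forms a client might request: svn/<FQDN> and svn/<short host name>.
$shortHost = ($HostFqdn -split '\.')[0]
$wantedSpns = @("$ServiceClass/$HostFqdn", "$ServiceClass/$shortHost")

function Get-SpnOwner {
    # Returns the distinguished name of every AD object (user, computer, gMSA)
    # that currently carries the given SPN. More than one result is a duplicate.
    param([Parameter(Mandatory)][string]$Spn)
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName |
        Select-Object -ExpandProperty DistinguishedName
}

function Test-SpnState {
    # Reports the state of each wanted SPN so the request to the AD team can be precise.
    foreach ($spn in $wantedSpns) {
        $owners = @(Get-SpnOwner -Spn $spn)
        switch ($owners.Count) {
            0 { Write-Host "$spn : not registered (clients will see 'Could not negotiate authentication mechanism')" }
            1 { Write-Host "$spn : registered on $($owners[0])" }
            default { Write-Warning "$spn : DUPLICATE on $($owners -join '; ') - Kerberos will fail for this name until one copy is removed" }
        }
    }
}

function Register-SvnSpn {
    # Registers both name forms on the service account (the answer's #3 and #4).
    # -S refuses to add an SPN that already exists; -F widens the duplicate check to the whole forest.
    foreach ($spn in $wantedSpns) {
        & setspn.exe -F -S $spn $ServiceAccount
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "setspn returned $LASTEXITCODE for $spn; check for an existing registration"
        }
    }
    # Show what the service account now carries.
    & setspn.exe -L $ServiceAccount
}

Test-SpnState
if ($Register) { Register-SvnSpn }
```

Run it without -Register first; if both forms report "not registered" the request to the AD team is simply the two setspn -F -S lines for the service account, and if either form reports a duplicate that has to be resolved before registration, since a duplicate SPN causes exactly the negotiation failure the question describes even after the "correct" SPN is added.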