I'm upgrading our svn server and want to change to windows authentication instead of htpassword files. I've installed the module and can get it running on HTTP or HTTPS.
Accessing the repos, using TortoiseSVN, I have 2 scenarios:
Accessing when SSPI + HTTPS is setup. Login is automatically and works like a charm :)
Accessing when SSPI + HTTP is setup. Login requires me to enter my domain username and password in TortoiseSVN, which is ok, as I can ask TortoiseSVN to remember my credentials.
My questions is:
If I use SSPI + HTTP instead of SSPI + HTTPS are my password and username then encrypted?
The reason I'm asking is that we're on a LAN and will never be able to access from the outside and SSL is kindda overkill as it makes everything rather slow :S. So I would prefer to use HTTP + SSPI.
I searched for my password on the network using WireShark and had no luck, which would mean that the credentials are indeed encrypted :). Could only find a line which I suspect is my user+pass that looked something like this: Authorization: Basic Yh2_3 m%erTo_d4fre
If anyone can clearify this for me or better yet link me to a location which states that passwords ARE encrypted when using SSPI + HTTP, I would be most gratefull :).
Kind regards Garrett
**********************EDIT**********************
It seems i've misunderstod something very important. Please verify wether i'm right :):
Accessing svn when SSPI+HTTP is enabled, it actually means that SSPI is disabled and that i'm using Basic Auth when accessing, as SSPI requires SSL. Which means that my username and password only have the mild Basic Auth encryption, nothing like SSL encryption.
The only place where the SSPI module enters the picture is that it receives the username+pass from Basic Auth and then it uses those to verify the user against the domain (in a secure manner of course ???).
This is what I could deduct when reading the documentation once again. Can anyone verify if I have gotten this right?
Kind regards
Garrett
