Windows Authentication for Subversion

Windows Authentication is a key feature of VisualSVN Server. This feature is designed for Active Directory domain environments and allows users to access VisualSVN Server with their Windows credentials.


VisualSVN Server supports two different authentication methods: Basic authentication and Integrated Windows Authentication. With Basic authentication, the user's credentials are transmitted to the server in plain text, while the Integrated Windows Authentication method uses the NTLM or Kerberos V5 authentication protocols.

Overview

Windows Authentication delivers the following benefits:

Simplified management. Your users' Active Directory Domain accounts are reused for VisualSVN Server access control, so there is no need to maintain a separate user list. This also means your standard account policies such as "password complexity" and "password expiration" are inherited for VisualSVN Server access control.

Seamless Active Directory integration. VisualSVN Server is the only Subversion server package that lets you retain your Active Directory groups (e.g. "Developers", "ProjectManagers").

Smoother user experience. Users access VisualSVN Server with their Windows credentials, so there is no need to remember another username and password.

Read the article KB182: VisualSVN Server authentication modes for a complete overview of the authentication modes available in VisualSVN Server.

Basic authentication

Basic authentication is part of the HTTP 1.0 specification. With Basic Windows authentication, users are asked to re-enter their Windows username and password in the Subversion client. The username and password are then transmitted over HTTP(S) in plain text and verified by VisualSVN Server.

Despite its simplicity, Basic Windows authentication has obvious limitations:

Security weaknesses. Passwords are transmitted in plain text, making them vulnerable if intercepted. Passwords are also cached on disk, which provides another opportunity for unwanted access.

Additional authentication step. Despite being authenticated by their Windows user credentials, users must still re-enter their username and password to access VisualSVN Server.

Incompatible with smart cards. Since users are always requested to provide their username and password, the Basic authentication method is inherently incompatible with two-factor authentication systems.

When security is important, Basic authentication should never be used over the unsecured HTTP protocol, because users' credentials are easy to intercept and access. Basic authentication across an SSL connection provides an adequate level of security, so for small business users, Basic authentication combined with SSL is sufficient.
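The following added example (not VisualSVN code) shows why the transport matters for Basic authentication: the header value is only Base64 of `user:password`, and a small audit function grades an endpoint by the schemes it advertises and whether it uses TLS. The function names, hosts, account, password and realm are constructed for illustration, and the parser assumes one challenge per `WWW-Authenticate` value.

```python
import base64
from urllib.parse import urlsplit

def decode_basic(authorization):
    """Recover (username, password) from an 'Authorization: Basic <token>' value.
    The token is only Base64 of 'user:password'; no key is needed to reverse it."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise ValueError("not a Basic Authorization header")
    raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    user, sep, password = raw.partition(":")  # password may itself contain ':'
    if not sep:
        raise ValueError("malformed Basic credentials")
    return user, password

def offered_schemes(challenges):
    """Scheme names from WWW-Authenticate values (assumes one challenge per value)."""
    return {c.split(None, 1)[0].lower() for c in challenges if c.strip()}

def audit_endpoint(url, challenges):
    """Classify a repository URL by the authentication schemes it offers."""
    schemes = offered_schemes(challenges)
    tls = urlsplit(url).scheme.lower() == "https"
    if "basic" in schemes and not tls:
        return "FAIL"   # password crosses the network readable by anyone on path
    if "basic" in schemes:
        return "WARN"   # confidentiality of the password rests entirely on TLS
    if schemes and schemes <= {"negotiate", "ntlm"}:
        return "OK"     # Integrated Windows Authentication only
    return "UNKNOWN"

# Constructed sample data: hosts, account, password and realm are made up.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"CORP\\alice:Spring:2024").decode()
SAMPLE_ENDPOINTS = [
    ("http://svn.example.test/svn/app", ['Basic realm="example"']),
    ("https://svn.example.test/svn/app", ['Basic realm="example"']),
    ("https://svn.example.test/svn/lib", ["Negotiate", "NTLM"]),
]

if __name__ == "__main__":
    print(decode_basic(SAMPLE_HEADER))
    for url, challenges in SAMPLE_ENDPOINTS:
        print(audit_endpoint(url, challenges), url, sorted(offered_schemes(challenges)))
```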

Integrated Windows Authentication

Unlike Basic authentication, Integrated Windows Authentication (formerly known as NTLM authentication) does not prompt users for a username and password. Instead, the current Windows user information on the client computer is supplied to VisualSVN Server through a cryptographic exchange that involves hashing. Either the NTLM or the Kerberos V5 authentication protocol can be used.

Integrated Windows Authentication brings clear benefits:

Optimal security. Authentication is always performed in a secure manner and credentials are never cached on disk.

Single sign-on. Users' Windows credentials are automatically used to access VisualSVN Server, saving them the hassle of additional authentication steps.

Two-factor authentication. Compatibility with two-factor authentication systems (e.g. smart cards) ensures that VisualSVN Server can be easily integrated into a secure enterprise environment.

Integrated Windows Authentication is the best authentication scheme for Active Directory domain environments. Setting up Integrated Windows Authentication takes a matter of minutes. For instructions, please see the article KB43: How to configure Integrated Windows Authentication in VisualSVN Server.