Understanding advanced settings for Windows authentication methods

Applies to: VisualSVN Server 5.4 and later

This article describes the advanced settings that are available for authentication methods when using the Windows authentication mode. In VisualSVN Server Manager, you can open these settings by going to the Authentication tab in the VisualSVN Server Properties dialog, and by clicking Advanced in the Authentication methods section.

Advanced settings for Basic authentication

Note
The advanced settings for Basic authentication are relevant only when you are using the Windows authentication mode and have the Basic authentication method enabled.

In the Windows authentication mode, Basic authentication is less secure than Integrated Windows Authentication. See the Authentication modes comparison table for the differences between these two methods of Windows authentication.

Tip

If you use VisualSVN Server in an Active Directory environment and use the Windows authentication mode, it is generally recommended that you enable only the Integrated Windows Authentication method and disable the Basic authentication method.

However, there are scenarios described below where enabling the Basic authentication method in this mode may be required. In such a scenario, you may want to reduce the use of Basic authentication to a minimum by applying IP restrictions as described below.

When enabling Basic authentication may be required

You may need to enable Basic authentication alongside Integrated Windows Authentication because some users are not able to use Integrated Windows Authentication. Typically, this includes the following cases:

  • A computer that is not joined to your Active Directory domain needs access to the repository.
  • You need to provide repository access to a legacy or custom Subversion client that does not support the protocols required for Integrated Windows Authentication.

IP restrictions for Basic authentication

In the Windows authentication mode, the IP restrictions are a way to selectively allow Basic authentication only to specific clients. They are designed for a scenario where:

  • You want to force Subversion clients to use Integrated Windows Authentication, which is more secure (prohibiting them from using Basic authentication).
  • As an exception, you want to allow certain clients (identified by their IP addresses) to use Basic authentication, which is less secure.

Normally, the authentication method for a client connection is determined as follows: VisualSVN Server advertises all enabled authentication methods, and the client selects one particular method to use.

If you apply IP restrictions, the less secure Basic authentication method is advertised as supported only to a small set of edge-case clients that connect from the IP addresses you specify. For clients that connect from any other IP address, VisualSVN Server behaves as though support for Basic authentication is disabled. As a result, enabling Basic authentication does not downgrade the security for the majority of users.

Options for IP restrictions

If the Basic authentication method is enabled in the Windows authentication mode, you can further adjust this method by selecting one of the following options:

  • Allow Basic authentication for all clients - this option does not apply any IP-based restrictions. When Basic authentication is enabled, it is advertised as an available authentication method to any connecting client. This is the default option.
  • Allow Basic authentication for specific IP addresses (recommended) - this option restricts Basic authentication to being advertised and available only to connections coming from the IP addresses specified in the Allow List below. If you select this option, you need to use the Allow List below to specify one or more IP addresses from which users are allowed to use the Basic authentication method.

Support for both IPv4 and IPv6 in the Allow List

The Allow List supports IPv4 and IPv6 addresses. You can add one individual IP address at a time. For IPv6 addresses, both the full (e.g. fd12:3456:789a:000a:0000:0000:0000:000b) and the standard shortened form (e.g. fd12:3456:789a:a::b) are supported.

The behavior of the Allow List is identical for IPv4 and IPv6 addresses: only the individual specified IP addresses are allowed to use Basic authentication.
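The following Python sketch is an added example, not VisualSVN Server code: it models the Allow List semantics described above (individual addresses only, full and shortened IPv6 forms treated as equal) and audits whether Basic was advertised to a client that should not have been offered it. The addresses and 401 response headers are constructed samples, and treating Negotiate and NTLM as the schemes behind Integrated Windows Authentication is an assumption.

```python
import ipaddress

# Constructed sample Allow List: one individual address per entry.
ALLOW_LIST = ["192.0.2.10", "fd12:3456:789a:000a:0000:0000:0000:000b"]

# Constructed 401 response headers. Negotiate/NTLM as the schemes behind
# Integrated Windows Authentication is an assumption, as is the realm text.
IWA_ONLY = [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM")]
IWA_AND_BASIC = IWA_ONLY + [("WWW-Authenticate", 'Basic realm="example"')]

def normalize_allow_list(entries):
    """Parse entries into address objects so full and shortened IPv6 compare equal.
    Ranges such as 192.0.2.0/24 are rejected: only individual addresses are allowed."""
    allowed = set()
    for entry in entries:
        try:
            allowed.add(ipaddress.ip_address(entry.strip()))
        except ValueError:
            raise ValueError(f"not an individual IP address: {entry!r}") from None
    return allowed

def advertised_schemes(headers):
    """Collect auth schemes from WWW-Authenticate headers (one challenge per header assumed)."""
    return {value.split()[0].lower()
            for name, value in headers
            if name.lower() == "www-authenticate" and value.strip()}

def audit(client_ip, headers, allowed):
    """Check that Basic was advertised to client_ip only if the Allow List permits it."""
    basic_seen = "basic" in advertised_schemes(headers)
    basic_expected = ipaddress.ip_address(client_ip) in allowed
    if basic_seen and not basic_expected:
        return "FAIL: Basic advertised to a client outside the Allow List"
    if basic_expected and not basic_seen:
        return "WARN: listed client was not offered Basic"
    return "OK"

if __name__ == "__main__":
    allowed = normalize_allow_list(ALLOW_LIST)
    # Shortened IPv6 form of the second entry: matches the full form in the list.
    print(audit("fd12:3456:789a:a::b", IWA_AND_BASIC, allowed))
    print(audit("198.51.100.7", IWA_ONLY, allowed))
    print(audit("198.51.100.7", IWA_AND_BASIC, allowed))
```

To use it against a real deployment, replace the constructed header lists with the headers of an unauthenticated 401 response captured from each client location you want to verify.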
