Applies to: VisualSVN Server 5.4 and later
This article describes the advanced settings that are available for authentication methods when using the Windows authentication mode. In VisualSVN Server Manager, you can open these settings by going to the Authentication tab in the VisualSVN Server Properties dialog, and by clicking Advanced in the Authentication methods section.
Advanced settings for Basic authentication
In the Windows authentication mode, Basic authentication is a less secure authentication method compared to the Integrated Windows Authentication. See the Authentication modes comparison table for information about the differences between these two methods of Windows authentication.
If you use VisualSVN Server in an Active Directory environment and use the Windows authentication mode, it is generally recommended that you enable only the Integrated Windows Authentication method and disable the Basic authentication method.
However, there are scenarios described below where enabling the Basic authentication method in this mode may be required. In such a scenario, you may want to reduce the use of Basic authentication to a minimum by applying IP restrictions as described below.
When enabling Basic authentication may be required?
There may be cases where there is a need to enable Basic authentication alongside Integrated Windows Authentication, because you have some users that are not able to use Integrated Windows Authentication. Typically, this includes the following cases:
- a computer that is not joined into your Active Directory domain needs access to the repository.
- you need to provide repository access to a legacy or custom Subversion client that does not support the protocols required for Integrated Windows Authentication.
IP restrictions for Basic authentication
In the Windows authentication mode, the IP restrictions are a way to selectively allow Basic authentication only to specific clients. They are designed for a scenario where:
- You want to force Subversion clients to use Integrated Windows Authentication, which is more secure (prohibiting them from using Basic authentication).
- As an exception, you want to allow certain clients (identified by their IP addresses) to use Basic authentication, which is less secure.
Normally, the authentication method for a client connection is determined as follows: VisualSVN Server advertises all enabled authentication methods, and the client selects one particular method to use.
If you apply IP restrictions, the less secure Basic authentication method is advertised as supported only to a small set of edge-case clients that connect from the IP addresses specified by you. For all the other clients that connect from other IP addresses, VisualSVN Server behaves as though support for Basic authentication is disabled. Due to that, enabling Basic authentication does not downgrade the security for the majority of users.
Options for IP restrictions
If the Basic authentication method is enabled in the Windows authentication mode, you can further adjust this method by selecting one of the following options:
- Allow Basic authentication for all clients - this option does not apply any IP-based restrictions. When Basic authentication is enabled, it is advertised as an available authentication method to any connecting client. This is the default option.
- Allow Basic authentication for specific IP addresses (recommended) - this option restricts Basic authentication to being advertised and available only to connections coming from the IP addresses specified in the Allow List below. If you select this option, you need to use the Allow List below to specify one or more IP addresses from which users are allowed to use the Basic authentication method.
Support for both IPv4 and IPv6 in the Allow List
The Allow List supports IPv4 and IPv6 addresses. You can add one
individual IP address at a time. For IPv6 addresses, both the full (e.g.
fd12:3456:789a:000a:0000:0000:0000:000b
) and the standard
shortened form (e.g. fd12:3456:789a:a::b
) are supported.
The behavior of the Allow List is identical for IPv4 and IPv6 addresses: only the individual specified IP addresses are allowed to use Basic authentication.