VisualSVN Server supports Integrated Windows Authentication that natively provides Single Sign-On capabilities in Active Directory environments. Single Sign-On allows web browsers and Subversion clients to authenticate to VisualSVN Server using Active Directory credentials without prompting the user to enter a username and password.
The article provides guidance for resolving an issue where Google Chrome, Microsoft Edge and other Chromium-based web browsers prompt a user for credentials instead of authenticating automatically using Active Directory Single Sign-On.
Besides Chromium-based web browsers, a related problem can occur in other browsers:
- Mozilla Firefox: KB42: Single Sign-On to VisualSVN Server may not work in Mozilla Firefox
- Internet Explorer (deprecated): KB41: Single Sign-On to VisualSVN Server may not work in Internet Explorer
Symptoms
Although Integrated Windows Authentication (Single Sign-On) is enabled in your VisualSVN Server installation, Google Chrome and Microsoft Edge web browsers may prompt for credentials when accessing the server. At the same time, TortoiseSVN and svn.exe clients don't prompt for credentials and authenticate to the server automatically.
Cause
By default, Google Chrome and Microsoft Edge web browsers rely on Windows Security Zones to decide if Active Directory Single Sign-On should be used for a particular site. By default, Single Sign-On is enabled only for sites whose URLs belong to the Local intranet or Trusted sites zones, and is disabled for all other sites.
When the site isn't explicitly assigned to the Local intranet or Trusted sites zones, Windows automatically decides the site's security zone based on its URL or the proxy settings of the client computer. By default, Windows considers the following kinds of URLs to be outside of the Local intranet or Trusted sites zones:
-
URLs with FQDNs (e.g.,
https://svn.example.com/) -
URLs with IP addresses (e.g.,
https://192.168.1.42/)
Therefore, browsers relying on security zones will not use Single Sign-On at such URLs, unless you assign these URLs to the required zone explicitly. For more information, please see Microsoft Learn | Intranet site is identified as an Internet site when you use an FQDN or an IP address.
https://svn/), Windows
automatically puts the site into Local intranet and enables Single Sign-On
for it.
Resolution
To resolve the issue, an Active Directory domain administrator should add the URL of your VisualSVN Server installation to the Local intranet zone with the help of a Site to Zone Assignment List group policy. This resolves the issue for all domain computers in a centralized fashion.
Workaround
As a workaround, end users can update the Local intranet zone manually on their client computers. To make Windows correctly recognize the server's URL as belonging to Local intranet and therefore to make Chrome and Edge automatically supply credentials for Integrated Windows Authentication (Single Sign-On), end users can manually add the URL to the required zone.
Follow these steps on the client computer:
- Open the Start menu.
- Type Internet Options and click Internet Options.
- Click the Security tab.
- Click Local intranet and click Sites.
- Click Advanced.
-
Enter the URL of your server (e.g.,
https://svn.example.com/) into the Add this website to the zone field and click Add.NoteControls in the window are greyed out when the zone assignment is controlled by Group Policy, so the workaround isn't applicable in this case. Please update your Group Policy as suggested in Resolution.
- Click Close and OK.
From now on, Chrome and Edge web browsers running on this client computer should authenticate automatically to your VisualSVN Server installation because its URL is placed into the Local intranet zone.
See also
KB43: How to configure Integrated Windows Authentication in VisualSVN Server
KB41: Single Sign-On to VisualSVN Server may not work in Internet Explorer
KB42: Single Sign-On to VisualSVN Server may not work in Mozilla Firefox