I can remote desktop into a given machine and run svn, without giving authentication information, and it works; my AD authentication allows me access to the repository I want.
I can use PowerShell to connect to the machine and execute svn commands as well. However, when I do, I get "access forbidden". [Environment]::UserName appears with the username I expected (my AD username) when run from the script that's being remotely executed.
What am I missing to make this work?
Some code:
    $Session = New-PSSession -ComputerName $computerName;
    if (-Not ($Session)) {
        Write-Host "Did not create session!";
        Return;
    }
    Invoke-Command -Session $Session -FilePath 'switchAllRepositories.ps1' -ArgumentList $branchName;
    Remove-PSSession $Session;
and in switchAllRepositories, I have a parameter:
    Param(
        [string]$branchURL
    )
a series of calls like:
    If(Test-Path "C:\webfiles\repositoryname") {
        Write-Host "Switching repositoryname"
        SwitchRepo "repositoryname" ($branchURL) "C:\webfiles\repositoryname";
    }
which call:
    Function SwitchRepo ($repoName, $branchPath, $workingCopy)
    {
        $to = ("https://[url]/svn/" + $repoName + $branchPath);
        Write-Host "to $to";
        #debug
        $user = [Environment]::UserName
        Write-Host "as $user";
        $exe = "C:\Program Files\TortoiseSVN\bin\svn.exe";
        &$exe switch "$to" "$WorkingCopy" --username [redacted] --password [redacted] --no-auth-cache --non-interactive --trust-server-cert
        # svn.exe is started with the call operator, so its exit code is in $LASTEXITCODE
        if ($LASTEXITCODE -ne 0) {
            #$wshell = New-Object -ComObject Wscript.Shell
            #$wshell.Popup("Error switching " + $repoName,0,"Done",0x1)
            Write-Host "Error detected!"
        }
    }
The exact error is:
    svn: E175013: Unable to connect to a repository at URL '[snipped]'
        + CategoryInfo          : NotSpecified: (svn: E175013: U...eases/20150620':String) [], RemoteException
        + FullyQualifiedErrorId : NativeCommandError
    svn: E175013: Access to '[snipped]' forbidden
It would help to see the code you're using, but if it's what I suspect then you're using PowerShell remoting with either Enter-PSSession or Invoke-Command. Since those will default to using Kerberos authentication, and the SVN server is probably on a 3rd machine, you're likely running into the Kerberos double-hop authentication issue.
Simply put, you can't remote into machine B from machine A, then from within that session try to access machine C using the same authentication context.
You may be able to work around this in a few ways: CredSSP is often brought up in these but I find it's complicated and typically a re-thinking of the workflow turns out better.
So for example, you might be able to explicitly specify credentials for the SVN commands.
Or, you can create your own endpoint on the server that uses a RunAs user. Then all the commands will be from Machine B as a specific user:
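One way to set up such a RunAs endpoint, as an added example that is not part of the original answer. The endpoint name `SvnSwitch` and the choice of a dedicated service account are assumptions; `$computerName` and `$branchName` are the variables from the question.

```powershell
# --- On machine B (the remoting target), once, from an elevated PowerShell ---
# 'SvnSwitch' is a hypothetical endpoint name. The credential should belong to a
# dedicated, low-privilege account that is allowed to read the SVN repository.
$endpoint = @{
    Name                     = 'SvnSwitch'
    RunAsCredential          = Get-Credential -Message 'Account the endpoint runs as'
    # Opens the ACL dialog so connection rights can be limited to the people who
    # are meant to act as the RunAs account; everyone who may connect inherits
    # that account's access.
    ShowSecurityDescriptorUI = $true
    Force                    = $true   # suppress the WinRM restart confirmation
}
Register-PSSessionConfiguration @endpoint

# --- On machine A (the caller) ---
$Session = New-PSSession -ComputerName $computerName `
                         -ConfigurationName 'SvnSwitch' `
                         -ErrorAction Stop
try {
    # Commands now run on machine B under the RunAs account's own credentials,
    # so the connection from B to the SVN server is a first hop, not a second.
    # This should print the RunAs account name rather than the caller's.
    Invoke-Command -Session $Session -ScriptBlock { [Environment]::UserName }

    Invoke-Command -Session $Session `
                   -FilePath 'switchAllRepositories.ps1' `
                   -ArgumentList $branchName
}
finally {
    Remove-PSSession $Session
}

# To remove the endpoint from machine B when it is no longer needed:
#   Unregister-PSSessionConfiguration -Name 'SvnSwitch'
```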