Windows Domain Authentication with SVN and Apache

In Uncategorized by timfanelliLeave a Comment

I just finished setting up domain based authentication on our new SVN server here at work, so I thought I’d post my notes on the process and links to what you’ll need – since I found that the information was pretty disparate.

First a list of what I used, and you’ll need:

  • Subversion – obviously. I used version 1.2.3
  • Apache Web Server – I used version 2.0.55
  • mod_auth_sspi 1.0.3 – This has always been hard to come by and there’s always been various patches of it floating around. This place is a unified attempt to bring all the patches together, and it works very well. Grab the one for the appropriate version of Apache2

I will assume that you’ve already installed both Apache 2.0.55 and SVN 1.2.3. If you haven’t, please do so and then come back — the installation for both of them is very simple and will only take you a few minutes to complete.

Step 1: mod_dav and mod_dav_svn

The first step to accessing SVN via Apache is to set up WebDAV. To do this, copy

C:\Program Files\Subversion\bin\


C:\Program Files\Apache Group\Apache2\modules

Next edit your httpd.conf file, and add the following content:

LoadModule dav_module         	modules/
LoadModule dav_svn_module 	modules/

<Location /svn>
	DAV svn
	SVNParentPath "/path/to/repositories"		

This example uses SVNParentPath to point to the parent folder of multiple SVN repositories. If you set it to C:\repositories, then any directory you create under it, such as C:\repositories\ProjectA, is accessible under the /svn URL, like so: http://localhost/svn/ProjectA. If you only have 1 repository, or do not plan to use multiple repositories, you could use the SVNPath directive instead, and point it directly to your SVN repository. This approach is more flexible though, and allows for expansion without changing your configuration files.

mod_auth_sspi and mod_authz_svn

The next step is to enable domain based authentication and access control to your SVN repositories. Copy:

C:\Program Files\Subversion\bin\


C:\Program Files\Apache Group\Apache2\modules

And edit your http.conf file again to look like this:

LoadModule dav_module 		modules/
LoadModule dav_svn_module 	modules/
LoadModule authz_svn_module 	modules/ 
LoadModule sspi_auth_module 	modules/

>Location /svn<
	DAV svn
	SVNParentPath "D:/Engineering/svn/repos"	

	AuthName "My SVN Server"
	AuthType SSPI
	SSPIAuth On
	SSPIOmitDomain On
	SSPIAuthoritative On

	Require valid-user
	AuthzSVNAccessFile "C:/repositories/svnaccess.txt"	

You can see that we’ve added two modules, and several lines to our Location /svn element. Set the SSPIDomain appropriately for the domain you want to authenticate against. SSPIOmitDomain On allows you to authenticate against the domain without specifying it as an explicit prefix, you can turn that off as you like, but it’s simpler to just leave it on.

We also specify an AuthzSVNAccessFile directive that specifies the file we store our authroization information in, which leads us to:


The AuthzSVNAccessFile specifies a plain text file that identifies which repositories users have access to. It’s simple to set up, here’s an example:


@developers = rw
@managers = r
Bill = rw

Replace repositoryname with the name of your repository, which is a subdirectory under the path you specified in the SVNParentPath directive, and path with the path you’re modifying, such as / for the whole repository, or /branches/Bill for a specific branch. In this example, we’ve given the group developers read write access, the managers group read access, and explicitly given Bill read write access (he’s a manager).


You should now have web-based access to your SVN repository using domain based authentication! It’s a good idea at this point to further protect the repository using an SSL configuration, which I won’t cover here. I have some notes on it for an Apple platform that may be useful here – I’ll cover it explicitly for a Windows installation in another post though, hopefully sometime soon.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.