Issue #1 new

Doesn't work against IIS with Windows Authentication

Nathan Brown
created an issue

Running the standard hgweb.cgi on Windows 2008 R2 IIS. Have Anonymous Authentication and Windows Authentication enabled.

hg --version
Mercurial Distributed SCM (version 2.4.2+20130203)

When doing a push from Windows 7, the following happens:

>hg push http://hdwdvtss01/hgweb/test/
pushing to http://hdwdvtss01/hgweb/test/
searching for changes
abort: 'http://hdwdvtss01/hgweb/test/' does not appear to be an hg repository:
---%<--- (text/html; charset=us-ascii)
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Header</h2>
<hr><p>HTTP Error 400. The request has an invalid header name.</p>
</BODY></HTML>

---%<---
!

The following is the TCP Stream captured from Wireshark.

GET /hgweb/test/?cmd=unbundle HTTP/1.1
Host: hdwdvtss01
Accept-Encoding: identity
Authorization: NTLM TlRMTVNTUAABAAAAt7II4gQABAA0AAAADAAMACgAAAAGAbEdAAAAD0hBUEdMVDFDRUIwRUhETUM=
Content-Length: 0
HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: NTLM TlRMTVNTUAACAAAACAAIADgAAAA1goniZUVHO/Uw7MkAAAAAAAAAANwA3ABAAAAABgGxHQAAAA9IAEQATQBDAAIACABIAEQATQBDAAEAFABIAEQAVwBEAFYAVABTAFMAMAAxAAQAMABoAGQAbQBjAC4AaABhAHIAbABlAHkALQBkAGEAdgBpAGQAcwBvAG4ALgBjAG8AbQADAEYASABEAFcARABWAFQAUwBTADAAMQAuAGgAZABtAGMALgBoAGEAcgBsAGUAeQAtAGQAYQB2AGkAZABzAG8AbgAuAGMAbwBtAAUAJgBoAGEAcgBsAGUAeQAtAGQAYQB2AGkAZABzAG8AbgAuAGMAbwBtAAcACACd+USVexvOAQAAAAA=
Date: Thu, 07 Mar 2013 21:34:42 GMT
Content-Length: 341

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Not Authorized</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Not Authorized</h2>
<hr><p>HTTP Error 401. The requested resource requires user authentication.</p>
</BODY></HTML>
GET /hgweb/test/?cmd=unbundle HTTP/1.1
Host: hdwdvtss01
Accept-Encoding: identity
Authorization: NTLM TlRMTVNTUAADAAAAGAAYAIYAAABkAWQBngAAAAgACABYAAAADgAOAGAAAAAYABgAbgAAABAAEAACAgAANYKI4gYBsR0AAAAP+JtPfWQcd/OHAk8CqGmdy0gARABNAEMAYgByAG8AdwBuAG4AMQBIAEEAUABHAEwAVAAxAEMARQBCADAARQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACSd/TtCo2G71MzCCN6bFAlAQEAAAAAAACd+USVexvOAcKSyQzk48vJAAAAAAIACABIAEQATQBDAAEAFABIAEQAVwBEAFYAVABTAFMAMAAxAAQAMABoAGQAbQBjAC4AaABhAHIAbABlAHkALQBkAGEAdgBpAGQAcwBvAG4ALgBjAG8AbQADAEYASABEAFcARABWAFQAUwBTADAAMQAuAGgAZABtAGMALgBoAGEAcgBsAGUAeQAtAGQAYQB2AGkAZABzAG8AbgAuAGMAbwBtAAUAJgBoAGEAcgBsAGUAeQAtAGQAYQB2AGkAZABzAG8AbgAuAGMAbwBtAAcACACd+USVexvOAQYABAACAAAACAAwADAAAAAAAAAAAQAAAAAgAACtwNV5QqBnfxPs6n3eYJofulB3xKZXJF7ZCvzrWr6fWAoAEAAAAAAAAAAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAMb9cc4SG75rzZ8S8eJthq0=
Content-Length: 0
Content-length: 334
Accept: application/mercurial-0.1
User-agent: mercurial/proto-1.0
X-hgarg-1: heads=686173686564+32ecd25a36efdfcc0c4c26b9dd6de83f6bb1df9c
Vary: X-HgArg-1
Content-type: application/mercurial-0.1
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 07 Mar 2013 21:34:42 GMT
Connection: close
Content-Length: 339

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Header</h2>
<hr><p>HTTP Error 400. The request has an invalid header name.</p>
</BODY></HTML>

Comments (3)

  1. Nathan Brown reporter

    Yes, I already had it working with Anonymous Authentication and Basic Authentication. We are using HTTP so I was trying to move to something that is automatic and doesn't require passing the password over the wire.

    Another thing to note is that I have it setup that cloning/pulling the repositories can be done anonymously, but pushing uses the allow_push = XXXX setting in the hgrc file.

    I also tried to force Kerberos in your script, but that didn't work either.

  2. Jens Teglhus Møller

    It works for me, just setup a Windows 2008 R2, running hgwebdir via ISAPI-WSGI (all 64bit).

    On the client I installed tortoisehg, downloaded the hgssoauthentication plugin and edited .hgrc (added a reference in to the plugin in [extensions] and removed my [auth] settings, nothing more) and it just works.

  3. Log in to comment