11

I can remote desktop into a given machine and run svn, without giving authentication information, and it works; my AD authentication allows me access to the repository I want.

I can use PowerShell to connect to the machine and execute svn commands, as well. However, when I do, I get "access forbidden". [Environment]::UserName appears with the username I expected (my AD username) when run from the script that's being remotely executed.

What am I missing to make this work?

Some code:

$Session = New-PSSession -ComputerName $computerName;

if (-Not ($Session)) {
    Write-Host "Did not create session!";
    Return;
}

Invoke-Command -Session $Session -FilePath 'switchAllRepositories.ps1' -ArgumentList $branchName;

Remove-PSSession $Session;

and in switchAllRepositories, I have a parameter:

Param(
  [string]$branchURL
)

a series of calls like:

If(Test-Path "C:\webfiles\repositoryname") {
    Write-Host "Switching repositoryname"
    SwitchRepo "repositoryname" ($branchURL) "C:\webfiles\repositoryname";
}

which call:

Function SwitchRepo ($repoName, $branchPath, $workingCopy)
{
    $to = ("https://[url]/svn/" + $repoName + $branchPath);
    Write-Host "to $to";

    #debug
    $user = [Environment]::UserName
    Write-Host "as $user";

    $exe = "C:\Program Files\TortoiseSVN\bin\svn.exe";
    &$exe switch "$to" "$WorkingCopy" --username [redacted] --password [redacted] --no-auth-cache --non-interactive --trust-server-cert

    # svn.exe was started with &, so its exit code is in $LASTEXITCODE ($process is never assigned)
    if ($LASTEXITCODE -ne 0) {
        #$wshell = New-Object -ComObject Wscript.Shell
        #$wshell.Popup("Error switching " + $repoName,0,"Done",0x1)
        Write-Host "Error detected!"
    }
}

The exact error is:

svn: E175013: Unable to connect to a repository at URL '[snipped]'
    + CategoryInfo          : NotSpecified: (svn: E175013: U...eases/20150620':String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
svn: E175013: Access to '[snipped]' forbidden

  • Depends on how you connect. Commented Jun 11, 2015 at 13:20
  • @MathiasR.Jessen What do you need to know? I'm creating a remote session and invoking a script using the session. Commented Jun 11, 2015 at 15:15
  • Show the part of switchAllRepositories.ps1 where it accepts parameters (when you call it with Invoke-Command you are sending a branch name as an argument), it should be a param block right at the top of the ps1 I think. Commented Jun 16, 2015 at 16:45
  • @briantist er, why? I can verify for a fact that the branch reported in the error exactly matches the branch I passed into the script. Is there something you're getting at? I feel like too much irrelevant code makes a question harder to read. Commented Jun 16, 2015 at 16:47
  • Right now I can't see a full path from the code that uses Invoke-Command to the code that's throwing the error. For example I have no idea if the $branchURL variable corresponds to what you're passing in via $branchName. They are named such that they seem unrelated, but if that's the case, then I don't know where $branchURL's value comes from. Typically on SO, the problem is too little code, not too much. Commented Jun 16, 2015 at 16:51

1 Answer

4
+50

It would help to see the code you're using, but if it's what I suspect then you're using PowerShell remoting with either Enter-PSSession or Invoke-Command.

Since those will default to using Kerberos authentication, and the SVN server is probably on a 3rd machine, you're likely running into the Kerberos double-hop authentication issue.

Simply put, you can't remote into machine B from machine A, then from within that session try to access machine C using the same authentication context.

You may be able to work around this in a few ways: CredSSP is often brought up in these but I find it's complicated and typically a re-thinking of the workflow turns out better.

So for example, you might be able to explicitly specify credentials for the SVN commands.

Or, you can create your own endpoint on the server that uses a RunAs user. Then all the commands will be from Machine B as a specific user:
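
The RunAs endpoint approach described in this answer, as an added example that is not the answerer's code. The endpoint name `SvnSwitch`, the service account and both function names are assumptions; `switchAllRepositories.ps1` and the `New-PSSession`/`Invoke-Command` flow come from the question.

```powershell
# Added example. 'SvnSwitch', $ServiceAccount and the function names are hypothetical.

# Run once on machine B (the remoting target) from an elevated prompt.
function Register-SvnEndpoint {
    param(
        [Parameter(Mandatory)]
        [pscredential]$ServiceAccount   # dedicated, low-privilege account that may read the SVN repos
    )
    # Commands in sessions on this endpoint run as $ServiceAccount on machine B,
    # so the connection from B to the SVN server is a first hop made by that account.
    # -ShowSecurityDescriptorUI opens the permissions dialog: grant access only to
    # the users or group that should be able to use the endpoint.
    Register-PSSessionConfiguration -Name 'SvnSwitch' `
        -RunAsCredential $ServiceAccount `
        -ShowSecurityDescriptorUI -Force
}

# Run from machine A.
function Invoke-RepositorySwitch {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$BranchName
    )
    # Connect to the custom endpoint instead of the default Microsoft.PowerShell one.
    $session = New-PSSession -ComputerName $ComputerName -ConfigurationName 'SvnSwitch' -ErrorAction Stop
    try {
        # Confirm which identity the remote commands use before touching the working copies.
        $identity = Invoke-Command -Session $session -ScriptBlock { whoami }
        Write-Host "Remote commands run as $identity"

        Invoke-Command -Session $session -FilePath 'switchAllRepositories.ps1' -ArgumentList $BranchName
    }
    finally {
        Remove-PSSession $session
    }
}
```

The RunAs account's password is kept with the endpoint on machine B, so the endpoint has to be updated (`Set-PSSessionConfiguration -RunAsCredential`) whenever that password changes.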


3 Comments

That looks like exactly what I'm missing :) But why, then, when I tried hardcoding the username and password into my script, did that not work either? Probably something about SVN trying to prefer the Kerberos over the provided credentials or some such.
Not sure which lines you want but I edited in some of the code.
Can you post switchAllRepositories.ps1 also? If you RDP into the machine, and then run that ps1 file interactively, does it work? Also, are you certain that the access forbidden error is coming from SVN? Try to post the entire error verbatim if possible.
