Subversion Edge LDAP (require CAC Certificate not Username and Password)

Question

What I've Done:

I've successfully installed and configured Subversion Edge 3.1.2 with LDAP support on a Windows 2008 server. I have configured LDAP users and am able to use LDAP credentials to work on repositories just fine. No issues whatsoever. Works great!

What I Want To Do:

I've been searching for several hours now in hopes to find some information on how to configure Subversion Edge server to require client certificates for user authentication against an LDAP environment. I have not found anything yet that gives me an indication of how to do it. I know there are SVN clients that are capable of prompting for CAC certificates but I cannot figure out how to set my server up to require it.

NOTE: CAC authentication is already setup and working in the windows environment. I have TortoiseSVN client which has CAC support enabled.

Desired Outcome:

When running svn commands that require authentication against my Subversion Edge Server I want it to prompt me for my CAC certificate instead of my Active Directory username and password.

If anyone has any information on this I'd greatly appreciate it.

EDIT: I'm still digging so if I find out anything I'll update this question with what I found. I've made some progress and I believe I've been searching for the wrong information. This apparently is an Apache configuration issue. I added SSLVerifyClient require which I saw in sample Apache configuration to my httpd.conf and now my SVN client prompts me for a certificate file rather than a username and password.

UPDATE 14 SEP 2012

Okay I've got it working somewhat. This isn't a subversion issue as much as it is an Apache configuration issue. I've gone down the road of using the SSPI module and I've got it mostly working the way I want. There are still some issues with Internet Explorer viewing the SSL protected sites for browsing the svn repositories. It will prompt for my CAC certificate just fine and then after that I get a page that says Internet Explorer can't view the website. I've found some information online that may address this but haven't got it to work just yet. Also, I've having some issues now with AnkhSVN Visual Studio plugin not caching the client certificate credentials. I'm being prompted far too many times when I do various SVN related things.

RESOURCES:

http://www.eperezdesigns.com/blog/articles/enable-dod-cac-authentication-on-apache/

Getting Apache configured for DOD CAC (this is mostly working for me, still have Internet Explorer issues with the SSL configuration apparently, however, works fine in Firefox).

http://tortoisesvn.net/docs/release/TortoiseSVN_en/tsvn-serversetup-apache.html

This has various configuration information for configuring Apache so that you can get it to talk to a Windows domain.

Answer 1

If you are having problems using a CAC to access a site with IE, but the site works with the CAC in Firefox, you might be seeing a Microsoft cross-certificate chaining issue.

From DISA's guidance in the FBCA Cross-Certificate Remover Tool User Guide:

The Federal Bridge Certification Authority (FBCA) Cross-Certificate Remover Tool is designed to help DoD organizations address the Microsoft cross-certificate chaining issue. The issue may manifest itself in several ways:

• Users may be unable to access DoD web sites normally accessible using certificates on their Common Access Cards (CACs)
• DoD signed emails in Outlook may appear invalid
• Users may experience extensive delays with Outlook or Internet Explorer during validation
• Users' CAC certificates may appear to chain to a root beyond/other than DoD Root 2
• Users may receive a prompt to install the Common Policy Root Certification Authority (CA) or other roots cross-certified with the Federal Bridge when opening a signed email from a DoD sender whose workstation is misconfigured

Run the FBCA Cross-Certificate Remover Tool to address the error. The user's guide describes some additional steps you might have to take.