[cvsnt] Re: Protocol :ext: not working

Gill Ernst Ernst.Gill at sat-automation.com
Mon Jul 11 11:27:50 BST 2005


>Tony Hoyle wrote:
>> Gill Ernst wrote:
>> 
>>> The 80090308 return code maps to SEC_E_INVALID_TOKEN, which means that
>>> a security token was found to be improperly formatted.
>>>
>>> But I have no idea why it's working without username,
>>> and NOT working with username (even when I force the domain name).
>>>
>> No idea.. I'd guess some kind of obscure misconfiguration but no idea
>> what could cause it.. it's the kind of thing to ask a friendly MCSE to
>> check up on if you know of any.  SSPI without a username just lets
>> everything default.. it's the same thing that happens when you browse a
>> network on a domain that you're logged into.
>
>There have been numerous reports from people who have trouble with SSPI
>when they send the username, but it works as expected as soon as they
>remove it.  I'd doubt if the problem is 'obscure' on that basis, but
>certainly easily worked around.  Perhaps something stemming from the
>issue of only 1 authentication per server allowed from each client or a
>conflict of the passed username when checking against the default
>authentication token -- but I'm WAY out of my depth of understanding at
>this point.

Hi,

After a lot of investigations I found the following:

You will get different reporting for the same authorization error
if you connect to a remote CVSNT server or to a local one.

I can easily reproduce the authorization error if I create a new
repository and try to access it with CVSNT commands.

Sometimes if I restart the CVSNT server, or if something has changed
on the domain controller for maintenance reasons, this authorization
error happens too.

If this authorization error is still present and I try to work
with WinCvs there is a very, very, very big problem.
If I have checked out a module with a username set for the sspi protocol,
WinCvs tries to access this module in the background. But on almost all
domain controllers a limit is set for failed logins...
So my domain controller treats me as a hacker and disables my account!!!

The same happens for sure if I use a non-CVS client with the ext protocol
(username is required for ext protocol; Eclipse for instance).

I found a solution (at least a workaround) for this problem.

But for WinCvs I still have no solution, because WinCvs is NOT reporting
such errors (and trying, and trying, ...). You can imagine what
happens...

Here are the tests on my production server, client anywhere else
---------------------------------------------------------------

C:\>cvs -d :sspi:vie001:/test ls
Listing modules on server

CVSROOT

C:\>cvs -d :sspi:vie_gill at vie001:/test ls
cvs [ls aborted]: authorization failed: server vie001 rejected access to /test for user vie_gill

C:\>cvs -d :ext:test:/test ls
[extnt] connect aborted: server vie001 rejeced access to /test

If I do a login as follows, everything works as expected

C:\>cvs -d :sspi:vie_gill at vie001:/test login
Logging in to :sspi:vie_gill at vie001:2401:/test

Here are the tests on my test server, client on the same machine
----------------------------------------------------------------

C:\>cvs -d :sspi:vcl134:/test ls
Listing modules on server

CVSROOT

C:\>cvs -d :sspi:vie_gill at vcl134:/test ls
[80090308] The parameter is incorrect.

C:\>cvs -d :ext:l-test:/test ls
[80090308] The parameter is incorrect.
cvs ls: warning: unrecognized response `' from cvs server
cvs [ls aborted]: end of file from server (consult above messages if any)

If I do a login as follows, everything works as expected

C:\>cvs -d :sspi:vcl134:/test login
Logging in to :sspi:vie_gill at vcl134:2401:/test

As you can see, it makes no difference whether I use the username in the
login or not.

Tony, could you please look at whether there is something CVSNT could do
in this case, or whether CVSNT could give some meaningful information
(like "did you do a login ...").

It would be very nice too if any of the WinCvs guys could also have
a look at this problem.

I found on the Microsoft side a problem description about the error I
got in my event viewer (security log):

The logon to account: vie_gill
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: VCL134
 failed. The error code was: 3221225572

	http://support.microsoft.com/default.aspx?scid=kb;en-us;837142

I installed the hotfix (Update Rollup 1 for Win2000) but still no change.

	Ernst
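
An added example, not part of the original message and not CVSNT or WinCvs code: a Python script that parses security-log records in the layout quoted above, renders the decimal error code as an NTSTATUS value (3221225572 is 0xC0000064, STATUS_NO_SUCH_USER), and flags account/workstation pairs whose failures inside a sliding window reach a lockout threshold. The threshold, the window, the timestamps and the second account name are assumptions; the sample records are constructed from the message text in the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS values commonly seen in failed-logon audit records.
NTSTATUS = {0xC0000064: "STATUS_NO_SUCH_USER", 0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC000006D: "STATUS_LOGON_FAILURE", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}

# Matches the record layout quoted in the post; \s+ spans its line breaks.
RECORD = re.compile(r"The logon to account:\s*(?P<account>\S+)\s+by:\s*(?P<package>\S+)\s+"
                    r"from workstation:\s*(?P<workstation>\S+)\s+"
                    r"failed\. The error code was:\s*(?P<code>\d+)")

def parse_failure(message):
    """Return account, workstation and decoded status, or None if no match."""
    m = RECORD.search(message)
    if m is None:
        return None
    code = int(m.group("code"))  # the log prints NTSTATUS as unsigned decimal
    return {"account": m.group("account"), "workstation": m.group("workstation"),
            "status": f"0x{code:08X}", "name": NTSTATUS.get(code, "UNKNOWN")}

def lockout_risk(events, threshold=5, window=timedelta(minutes=30)):
    """Map (account, workstation) to its peak failure count inside any window,
    for pairs reaching threshold. threshold/window are assumed policy values."""
    stamps = defaultdict(list)
    for when, message in events:
        rec = parse_failure(message)
        if rec:
            stamps[(rec["account"], rec["workstation"])].append(when)
    risky = {}
    for key, times in stamps.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop failures older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            risky[key] = peak
    return risky

# Constructed sample: the post's record repeated every 20 s, as a client
# retrying in the background would produce, plus one unrelated failure.
MSG = ("The logon to account: vie_gill\n by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
       " from workstation: VCL134\n failed. The error code was: 3221225572")
T0 = datetime(2005, 7, 11, 9, 0)
SAMPLE = [(T0 + timedelta(seconds=20 * i), MSG) for i in range(6)]
SAMPLE.append((T0, MSG.replace("vie_gill", "example_user").replace("3221225572", "3221225578")))
```

Set the threshold below the domain's real lockout limit so the alert arrives before the account is disabled.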



