403 Forbidden error when using SVNKit and NTLM for authentication in Subversion

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Problem

When a domain/NTLM user (DOMAIN\username) is specified for Subversion authentication and the bundled SVNKit library is in use, the following error is written to atlassian-fisheye.log:

2017-02-22 13:19:05,937 DEBUG [InitPing3 SVNRepo ] fisheye RepositoryStatus-setMessage - Status change [SVNRepo]: Contacting repository.
2017-02-22 13:19:05,937 INFO [InitPing3 SVNRepo ] fisheye BaseRepositoryScanner-ping - processing repository SVNRepo (SVNRepo)
2017-02-22 13:19:05,937 DEBUG [InitPing3 SVNRepo ] fisheye PartitionedChangeSetPhaseQueues-withRetriableTransaction - Transaction_100000011 depth=0 status=<not running> completed, attempts = 1
2017-02-22 13:19:05,937 INFO [InitPing3 SVNRepo ] fisheye Svn2Scanner-doSlurpTransaction - Starting slurp of SVNRepo (SVNRepo)
2017-02-22 13:19:05,937 DEBUG [InitPing3 SVNRepo ] fisheye SvnRepositoryTester-checkRepoSettings - Checking repository: SVNRepo:http://hostname/SVNRepo/
2017-02-22 13:19:05,937 DEBUG [SvnExecution1113 SVNRepo ] fisheye SvnTask$1-run - Executing (InitPing3 SVNRepo) svn info -r HEAD http://hostname/SVNRepo/@HEAD
2017-02-22 13:19:05,937 WARN [InitPing3 SVNRepo ] fisheye SvnRepositoryTester-getServerRootURL - Unable to get info for the repository root for SVNRepo
com.cenqua.fisheye.rep.RepositoryClientException: java.lang.IllegalStateException: Can't overwrite cause with org.tmatesoft.svn.core.SVNAuthenticationException: svn: E170001: PROPFIND of '/SVNRepo/!svn/bc/5639': 403 Forbidden (http://hostname)
    at com.cenqua.fisheye.svn.SvnThrottledClient.executeNoThrottle(SvnThrottledClient.java:189) [fisheye.jar:?]
    at com.cenqua.fisheye.svn.SvnThrottledClient.execute(SvnThrottledClient.java:158) [fisheye.jar:?]
    at com.cenqua.fisheye.svn.SvnThrottledClient.info(SvnThrottledClient.java:110) [fisheye.jar:?]
    at com.cenqua.fisheye.svn.SvnRepositoryTester.getServerRootURL(SvnRepositoryTester.java:91) [fisheye.jar:?]
    at com.cenqua.fisheye.svn.SvnRepositoryTester.checkRepoSettings(SvnRepositoryTester.java:74) [fisheye.jar:?]
    at com.cenqua.fisheye.svn.SvnRepositoryTester.testConnection(SvnRepositoryTester.java:67) [fisheye.jar:?]
    at com.atlassian.fisheye.svn.Svn2Scanner.validateRepository(Svn2Scanner.java:133) [fisheye.jar:?]
    at com.atlassian.fisheye.svn.Svn2Scanner.doSlurpTransaction(Svn2Scanner.java:181) [fisheye.jar:?]
    at com.cenqua.fisheye.rep.BaseRepositoryScanner.ping(BaseRepositoryScanner.java:73) [fisheye.jar:?]
    at com.cenqua.fisheye.rep.BaseRepositoryEngine.doSlurp(BaseRepositoryEngine.java:85) [fisheye.jar:?]
    at com.cenqua.fisheye.rep.RepositoryEngine.slurp(RepositoryEngine.java:419) [fisheye.jar:?]
    at com.cenqua.fisheye.rep.ping.IndexingPingRequest.doRequest(IndexingPingRequest.java:28) [fisheye.jar:?]
    at com.cenqua.fisheye.rep.ping.IncrementalPingRequest.doRequest(IncrementalPingRequest.java:30) [fisheye.jar:?]
    at com.cenqua.fisheye.rep.ping.PingRequest$1.run(PingRequest.java:55) [fisheye.jar:?]
    at com.cenqua.fisheye.util.NamedExecution.run(NamedExecution.java:27) [fisheye.jar:?]
    at com.cenqua.fisheye.rep.ping.PingRequest.process(PingRequest.java:52) [fisheye.jar:?]
    at com.cenqua.fisheye.rep.RepositoryHandle.processPingRequests(RepositoryHandle.java:211) [fisheye.jar:?]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_102]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_102]
    at java.lang.Thread.run(Thread.java:745) [?:1.8.0_102]
Caused by: java.lang.IllegalStateException: Can't overwrite cause with org.tmatesoft.svn.core.SVNAuthenticationException: svn: E170001: PROPFIND of '/SVNRepo/!svn/bc/5639': 403 Forbidden (http://hostname)
    at java.lang.Throwable.initCause(Throwable.java:457) [?:1.8.0_102]
    at org.tmatesoft.svn.core.javahl17.SVNClientImpl.getClientException(SVNClientImpl.java:1536) [svnkit-javahl16-1.9.0-r10609-atlassian-hosted.jar:?]
    at org.tmatesoft.svn.core.javahl17.SVNClientImpl.info(SVNClientImpl.java:1734) [svnkit-javahl16-1.9.0-r10609-atlassian-hosted.jar:?]
    at org.tmatesoft.svn.core.javahl17.SVNClientImpl.info2(SVNClientImpl.java:1710) [svnkit-javahl16-1.9.0-r10609-atlassian-hosted.jar:?]
    at org.apache.subversion.javahl.SVNClient.info2(SVNClient.java:307) [svnkit-javahl16-1.9.0-r10609-atlassian-hosted.jar:?]
    at com.cenqua.fisheye.svn.SvnThrottledClient$1.call(SvnThrottledClient.java:116) [fisheye.jar:?]
    at com.cenqua.fisheye.svn.SvnThrottledClient$1.call(SvnThrottledClient.java:111) [fisheye.jar:?]
    at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_102]
    at com.cenqua.fisheye.svn.SvnTask.access$101(SvnTask.java:13) [fisheye.jar:?]
    at com.cenqua.fisheye.svn.SvnTask$1.run(SvnTask.java:35) [fisheye.jar:?]
    at com.cenqua.fisheye.util.NamedExecution.run(NamedExecution.java:27) [fisheye.jar:?]
    at com.cenqua.fisheye.svn.SvnTask.run(SvnTask.java:30) [fisheye.jar:?]
    ... 3 more
Caused by: org.apache.subversion.javahl.ClientException: svn: E170001: PROPFIND of '/SVNRepo/!svn/bc/5639': 403 Forbidden (http://hostname)
    at org.apache.subversion.javahl.ClientException.fromException(ClientException.java:117) [svnkit-javahl16-1.9.0-r10609-atlassian-hosted.jar:?]
    at org.tmatesoft.svn.core.javahl17.SVNClientImpl.getClientException(SVNClientImpl.java:1535) [svnkit-javahl16-1.9.0-r10609-atlassian-hosted.jar:?]
    ... 13 more

If the repository server only offers NTLM authentication, then SVNKit cannot connect reliably.

Cause

According to the SVNKit documentation, it should work with NTLM, but additional configuration is needed, as described in the JAAS documentation, e.g. https://docs.oracle.com/javase/8/docs/technotes/guides/security/jaas/JAASRefGuide.html.

FE-4879 - Problems authenticating against NTLM challenge with VisualSVN server is the existing feature request to provide NTLM support for Fisheye.

Resolutions

Preferred - Enable JAAS in Fisheye

Steps to do this can be found here:

Fisheye and NTLM

Switch to Basic Authentication, by following these steps:

  1. Configure the repository server to offer both Basic and NTLM authentication (Apache httpd only).

    Use the Apache mod_auth_sspi module on the server side, and add the following option to the Subversion repository location:

    SSPIOfferBasic On
  2. Force Fisheye to prefer Basic Authentication.

    Force Fisheye/SVNKit to prefer basic authentication by adding the following to the FISHEYE_OPTS environment variable:

    -Dsvnkit.http.methods=Basic,Digest,Negotiate,NTLM
  3. You will then likely have to create a new Subversion user that uses basic authentication, and configure that user in Fisheye.
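
To confirm that step 1 took effect and that the preference order from step 2 selects Basic, the following added example (not Atlassian's or SVNKit's code) parses the WWW-Authenticate headers of a 401 response and picks the first scheme from the svnkit.http.methods list that the server offers. The header samples and function names are constructed for illustration, and the first-match selection is a simplified model of the client's behaviour.

```shell
#!/bin/sh
# Added example: which auth schemes does the server offer, and which one would
# a client with the page's preference order end up using?

# Print the schemes offered in a 401 response, one per line, in server order.
# Reads raw response headers on stdin, e.g. from:
#   curl -s -o /dev/null -D - "$REPO_URL"
offered_schemes() {
  tr -d '\r' | awk 'tolower($1) == "www-authenticate:" { print $2 }'
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# $1 = comma-separated preference list (the svnkit.http.methods format)
# $2 = whitespace-separated schemes offered by the server
# Prints the first preferred scheme the server offers; returns 1 if none match.
pick_scheme() {
  for want in $(printf '%s' "$1" | tr ',' ' '); do
    for have in $2; do
      if [ "$(lower "$want")" = "$(lower "$have")" ]; then
        printf '%s\n' "$want"
        return 0
      fi
    done
  done
  return 1
}

# Constructed sample: 401 from a location that offers NTLM only (before step 1).
NTLM_ONLY='HTTP/1.1 401 Unauthorized
WWW-Authenticate: NTLM
Content-Type: text/html'

# Constructed sample: the same location after SSPIOfferBasic On (realm is made up).
NTLM_AND_BASIC='HTTP/1.1 401 Unauthorized
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="Subversion"
Content-Type: text/html'

PREFS='Basic,Digest,Negotiate,NTLM'   # value of -Dsvnkit.http.methods from step 2

# $1 = raw response headers; prints the scheme the client would select.
check() {
  pick_scheme "$PREFS" "$(printf '%s\n' "$1" | offered_schemes)"
}

echo "before step 1: $(check "$NTLM_ONLY")"
echo "after step 1:  $(check "$NTLM_AND_BASIC")"
```

Basic authentication sends the password base64-encoded with every request, so serve the repository over https:// when using this resolution.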

Updated on April 8, 2025
