[cvsnt] problem with domain users and impersonation

Rolf Wilms rwilms at csc.com
Thu Jul 3 20:03:17 BST 2003

Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.

On a domain controller, you may specify that a user may
 a) log on on all computers in the domain or
 b) specify a list of up to eight computers the user may log on to

If option b) is used and the CVSNT server is not on the list of these eight
computers, CVSNT does not allow this user to login. The message is:

 C:\>cvs -d :pserver:dseTest at\cvsntroot login
 Logging in to :pserver:dseTest at\cvsntroot
 CVS password: *******
 cvs [login aborted]: authorization failed: server rejected access
to d:\cvsntroot for user dseTest

If option a) is used and the CVSNT server is on the list of these eight
computers, there is no problem. However in this case the user may login to
the server's terminal, which is not wanted.

The problem also applies to SSPI, not only pserver.

We've found ways around this, i.e. using local users instead of domain users
(double admin work) or revoking the right to log in on the server locally
(but the CVSNT server still blocks one of these eight valuable slots).

As far as I've seen, CVSNT uses the Windows functions LookupAccountName and
LogonUser. I've written a small test program which uses these functions to
check for which users they work. LookupAccountName works in any case
(options a and b), but LogonUser only for option b). The GetLastError code
then is 1329 (user may not log on to this computer).

An idea now would be the following: instead of using LogonUser for
authentication, use SSPI APIs as described in

However I'm not sure if this would work. Using the SSPI protocol (from the
client to the CVSNT server) already doesn't work with option b). In this
case, does the server use the SSPI protocol to authenticate the user
(against the domain), or does it also use LogonUser here?

Or any other clue to avoid specifying the CVSNT server on that list of eight


More information about the cvsnt mailing list
Download the latest CVSNT, TortosieCVS, WinCVS etc. for Windows 8 etc.
@CVSNT on Twitter   CVSNT on Facebook