> There are two authentications. One against the NTLM provider and the other one checks against the file.
Just to make sure we're talking about the same thing: doesn't authentication mean to verify the user's identity? This is done by NTLM in my example. The svn-access-file does not contain user/password pairs or any other information suitable to verify a user's identity, it only tells the server which operations on which data are allowed to a particular user whose identity was already verified by another process (i.e., NTLM). So NTLM is responsible for authentication, and the svn-access-file is responsible for authorization. At least this is how I understood the brief introduction in http://httpd.apache.org/docs/2.4/howto/auth.html.
> If you have a test environment, you can set the LogLevel there to trace6[1].
Thanks for the hint, this revealed some interesting details. With "* = r" in the svn-access-file (i.e., allowing read access to everyone), I can see the line "WWW-Authenticate: NTLM" in the response header sent by the server. However, with "mgrabner = r" (i.e., allowing read access just to myself), the WWW-Authenticate line is missing from the response header, hence the client is not even trying to perform authentication, and the server finally reports an authentication failure.
It seems to me that NTLM authentication and Subversion authorization are performed in the wrong order; I don't understand why the svn-access-file is even processed before a user is authenticated (or, as you suggest, both processes are treated as authentication, and the Subversion one is arbitrarily chosen as the first one).
> If the NTLM doesn't work, you may try mod_authnz_ldap. There are some examples over the net[2].
I think the NTLM part is working fine. I repeated the experiment with toggling the NTLMOmitDomain flag, making sure that no cached data are used, and observed in the Apache log file that the domain prefix was present or not in the username, depending on the value of NTLMOmitDomain (all with "* = r" in the svn-access-file since otherwise it wouldn't have entered NTLM authentication as stated above).
I'm not sure whether this issue is due to some misconfiguration or a bug in any of the related components. Do you have any ideas?
Thanks & kind regards,
Markus
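
The header difference described in the message above (a response with or without a "WWW-Authenticate: NTLM" line) can be checked mechanically on captured responses. This is an added example, not part of the original message; the function names are hypothetical and the sample responses are constructed.

```python
# Classify captured HTTP response heads by whether the server actually
# offered an authentication challenge. All sample data is constructed.

def parse_response(raw):
    """Split a raw HTTP response head into (status_code, headers)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [l for l in head.split("\n") if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # A server may send several WWW-Authenticate headers; keep them all.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def diagnose(raw):
    """Return a short label describing the authentication state of a response."""
    status, headers = parse_response(raw)
    schemes = [v.split()[0] for v in headers.get("www-authenticate", []) if v]
    if status == 401 and schemes:
        return "challenge:" + ",".join(schemes)
    if status == 401:
        # No challenge: the client has nothing to answer, so it never
        # starts the NTLM handshake and the request simply fails.
        return "401-without-challenge"
    if status == 403:
        return "forbidden-no-authentication-requested"
    return "no-authentication-involved"

# Constructed samples modelled on the two cases in the message.
WITH_CHALLENGE = ("HTTP/1.1 401 Unauthorized\r\n"
                  "WWW-Authenticate: NTLM\r\n"
                  "Content-Type: text/html\r\n\r\n")
WITHOUT_CHALLENGE = ("HTTP/1.1 401 Unauthorized\r\n"
                     "Content-Type: text/html\r\n\r\n")
FORBIDDEN = "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("with challenge", WITH_CHALLENGE),
                      ("without challenge", WITHOUT_CHALLENGE),
                      ("forbidden", FORBIDDEN)]:
        print(name, "->", diagnose(raw))
```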