By default, system built-in Network Service account is used to run VisualSVN HTTP Service and all the required permissions are assigned to this account automatically during installation. But it is considered a good practice to run VisualSVN HTTP Service under a dedicated user account. This improves isolation of VisualSVN HTTP Service from other services that can be run under Network Service built-in account. This article describes how to configure VisualSVN HTTP Service to run under a dedicated user account.
Perform the following steps to configure VisualSVN HTTP Service to run under a dedicated user account:
- Create a dedicated account to run VisualSVN HTTP Service. It can be a local or domain account depending on your security model.
- Grant the created account permissions required to run VisualSVN HTTP Service:
- Modify permission for the folder where repositories are stored (C:\Repositories by default);
- Read & Execute permission for VisualSVN Server installation folder (C:\Program Files\VisualSVN Server by default);
- Read & Execute permission for VisualSVN Server installation folder parent folders (C:\ and C:\Program Files\ folders by default);
- Read & Execute permission for the folder where SVN server SSL certificates are stored (C:\Program Files\VisualSVN Server\certs by default).
- Configure VisualSVN HTTP Service to run under the created account:
- Open the Services snap-in by clicking Start and selecting Control Panel | Administrative Tools | Services.
- Locate and right-click VisualSVN HTTP Service and select Properties.
- Select the Log On tab.
- Select This account and specify the created account name and password.
- Click OK to apply changes.
- Restart the service using the Restart command on the service's shortcut menu (or start the service using the Start command if it is stopped).
- If required, manually revoke permissions for the repositories folder (C:\Repositories by default) from Network Service account.
- Add Service Principal Name (SPN) for the created account on the Active Directory:
- Logon to a Domain Controller as a domain administrator or as a user with specific delegated permissions required to modify SPNs. For additional information on permissions required to modify SPNs please read the Setspn Command-Line Reference on Microsoft TechNet.
- Start elevated command prompt and enter the following command:
setspn -a http/hostname.contoso.com CONTOSO\username
Please note that you have to modify the command according to your configuration. For additional information on setspn command please refer to the Setspn Command-Line Reference on Microsoft TechNet.
As a result you will add SPN for the dedicated user account and you could succesfully authenticate to VisualSVN Server over Negotiate.