Configuring VisualSVN HTTP Service to run under a dedicated user account

By default, system built-in Network Service account is used to run VisualSVN HTTP Service and all the required permissions are assigned to this account automatically during installation. But it is considered a good practice to run VisualSVN HTTP Service under a dedicated user account. This improves isolation of VisualSVN HTTP Service from other services that can be run under Network Service built-in account. This article describes how to configure VisualSVN HTTP Service to run under a dedicated user account.

Perform the following steps to configure VisualSVN HTTP Service to run under a dedicated user account:

  1. Create a dedicated domain account to run VisualSVN HTTP Service.
  2. Grant the created account permissions required to run VisualSVN HTTP Service:
    • Modify permission for the folder where repositories are stored (C:\Repositories by default);
    • Read & Execute permission for VisualSVN Server installation folder (C:\Program Files\VisualSVN Server by default);
    • Read & Execute permission for VisualSVN Server installation folder parent folders (C:\ and C:\Program Files\ folders by default);
    • Read & Execute permission for the folder where SVN server SSL certificates are stored (C:\Program Files\VisualSVN Server\certs by default).

    See KB37 for the full list of required permissions.

  3. Configure VisualSVN HTTP Service to run under the created account:
    1. Open the Services snap-in by clicking Start and selecting Control Panel | Administrative Tools | Services.
    2. Locate and right-click VisualSVN HTTP Service and select Properties.
    3. Select the Log On tab.
    4. Select This account and specify the created account name and password.
    5. Click OK to apply changes.
    6. Restart the service using the Restart command on the service's shortcut menu (or start the service using the Start command if it is stopped).
    7. If required, manually revoke permissions for the repositories folder (C:\Repositories by default) from Network Service account.
  4. Add Service Principal Name (SPN) for the created account on the Active Directory:
    1. Logon to a Domain Controller as a domain administrator or as a user with specific delegated permissions required to modify SPNs. For additional information on permissions required to modify SPNs please read the Setspn Command-Line Reference on Microsoft TechNet.
    2. Start elevated command prompt and enter the following command:
      setspn -a http/hostname.contoso.com CONTOSO\username

      Please note that you have to modify the command according to your configuration. For additional information on setspn command please refer to the Setspn Command-Line Reference on Microsoft TechNet.

    As a result you will add SPN for the dedicated user account and you could succesfully authenticate to VisualSVN Server over Negotiate.

Note
If your repositories are stored remotely on a network share, grant the created account "Modify" NTFS permission and "Read" and "Change" share permissions on the remote storage folder. See KB22 for details on setting VisualSVN Server to store repositories remotely.
Last Modified: