Single Sign-On fails when you run VisualSVN Server under a dedicated user account

Symptoms

While attempting to connect to VisualSVN Server with a Subversion client, a user may receive the following error message:

svn: E120190: Error running context: An error occurred during authentication

The error message in the Subversion client is accompanied by the following error event in the VisualSVN Server log:

SSPI Challenge failed: The token supplied to the function is invalid

In most cases, you experience the issue if both of the following conditions are met:

  • VisualSVN HTTP Service is configured to run under a dedicated user account.
  • Integrated Windows Authentication is enabled.

Note
The behavior is different if both Basic authentication and Integrated Windows Authentication are enabled in your VisualSVN Server. The error event mentioned above is recorded in the VisualSVN Server log, and the user is authenticated via the Basic authentication method. Depending on the particular situation, the user is either prompted for a username and password or authenticated using credentials that are already cached locally on the client machine.

Technical background

The problem occurs when a user authenticates against VisualSVN Server over the Negotiate (SPNEGO) authentication protocol and the VisualSVN HTTP Service account doesn't have a correctly configured Service Principal Name (SPN). You are required to configure the SPN manually if you run VisualSVN HTTP Service under a dedicated user account. For further details about SPNs, see the Service Principal Names article on Microsoft TechNet.

You do not have to configure the SPN manually if you run VisualSVN HTTP Service under the built-in Network Service user account (this is the default setting). The Network Service account acts as the computer on the network and uses the SPN value that is pre-configured for each computer joined to the domain.

Resolution

Since you run VisualSVN HTTP Service under a dedicated user account, you have to add the SPN to Active Directory manually:

  1. Log on to a Domain Controller as a domain administrator or as a user with the specific delegated permissions required to modify SPNs. For additional information on the permissions required to modify SPNs, read the Setspn Command-Line Reference on Microsoft TechNet.
  2. Start an elevated command prompt and enter the following command:
    setspn -a http/hostname.contoso.com CONTOSO\username

    Note that you have to modify the command according to your configuration. For additional information on the setspn command, refer to the Setspn Command-Line Reference on Microsoft TechNet.

These steps add the SPN to the dedicated user account, after which you can successfully authenticate to VisualSVN Server over Negotiate.
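To confirm the result of the steps above, the following PowerShell check (an added example, not part of the original VisualSVN article) looks up which accounts hold the SPN and reports a missing, duplicate, or misplaced registration. The SPN and account name are the placeholder values from the sample command, the function name Get-SpnOwner is hypothetical, and the search is assumed to cover only the current domain.

```powershell
# Assumed values: placeholders taken from the article's sample setspn command.
$Spn            = 'http/hostname.contoso.com'
$ServiceAccount = 'username'   # sAMAccountName of the dedicated service account

# Hypothetical helper: returns every directory object that carries the given SPN.
function Get-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)

    # LDAP query against the current domain (not the whole forest).
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    foreach ($result in $searcher.FindAll()) {
        # Property names in search results are returned in lower case.
        [pscustomobject]@{
            SamAccountName    = [string]$result.Properties['samaccountname'][0]
            DistinguishedName = [string]$result.Properties['distinguishedname'][0]
        }
    }
}

$owners = @(Get-SpnOwner -Spn $Spn)

if ($owners.Count -eq 0) {
    # Nothing registered: the state this article's resolution corrects.
    Write-Warning "$Spn is not registered on any account in this domain."
}
elseif ($owners.Count -gt 1) {
    # A duplicate SPN prevents Kerberos from picking a single service account.
    Write-Warning "$Spn is registered on more than one account:"
    $owners | Format-Table -AutoSize
}
elseif ($owners[0].SamAccountName -ne $ServiceAccount) {
    # Registered, but on an account other than the one running the service.
    Write-Warning "$Spn is registered on $($owners[0].SamAccountName), not on $ServiceAccount."
}
else {
    Write-Output "$Spn is registered only on $ServiceAccount."
}
```

The host part of the SPN has to match the name clients use in the repository URL, so run the check with that name.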

See also

KB24: Configuring VisualSVN HTTP Service to run under a dedicated user account
KB43: How to configure Integrated Windows Authentication in VisualSVN Server
