Allowing the local aspnet account to excute SharpSvn.CreateRepository

Question

I’ve got an ASP.NET web app which is trying to execute the CreateRepository method within SharpSvn so that new repos can be provisioned through a web interface. Everything runs fine when executing the app from within Visual Studio as it’s running under my own identity which has rights to the VisualSVN server instance running on my local machine. However, if I run the app under IIS on my local XP machine then the asp.net worker process executes under the local aspnet account which I can’t seem to grant the rights to create repositories. No matter how far I expand the rights (even into the local admin or VisualSVN admin groups), SharpSvn continually throws an SvnAuthorizationException and I get a corresponding entry in the security event log under the aspnet account.

Here's what the code is doing:

string repoPath = string.Format("{0}{1}", repoFolderPath, repoName);
using (var svnRepoClient = new SvnRepositoryClient())
{
  svnRepoClient.LoadConfiguration(repoPath);
  svnRepoClient.CreateRepository(repoPath);
}

Which is resulting in this stack trace:

[SvnAuthorizationException: Can't create directory 'E:\Repositories\TestRepoName': Access is denied. ]

[SvnAuthorizationException: Could not create top-level directory]

[SvnAuthorizationException: Repository creation failed]
SharpSvn.SvnClientArgs.HandleResult(SvnClientContext client, SvnException error) +165
SharpSvn.SvnClientArgs.HandleResult(SvnClientContext client, svn_error_t* error) +80
SharpSvn.SvnRepositoryClient.CreateRepository(String repositoryPath, SvnCreateRepositoryArgs args) +828
SharpSvn.SvnRepositoryClient.CreateRepository(String repositoryPath) +53
RepoManager.DataAccess.RepoDataAccess.CreateRepo(String repoName, String projectName, Employee creatorEmployee) +183
RepoManager.Web.Default.SubmitButton_Click(Object sender, EventArgs e) +357
System.Web.UI.WebControls.Button.OnClick(EventArgs e) +111
System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +110
System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +10
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +13 System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +36
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1565

It looks like an alternative is to configure the web.config to impersonate another account (such as a domain level account) but it seems verbose when all I want to do is to grant the aspnet account the appropriate rights.

Does anyone have any suggestions on how this can be done? What is it about the aspnet account configuration that makes it seemingly impossible to grant these rights to?

I’m not sure if this can be tackled through the app pool identity when this goes onto a production server but it still doesn’t address the problems running locally under IIS.

Answer 1

Did you check the NTFS permissions on the location where you are trying to create the repository?

Depending on your asp.net settings the user that needs create rights there is either the ASP.Net/Network Service account or the logged on user (Anonymous internet user, or the user connected to the site if you use Windows authentication)/

You can force ASP.Net to run as a specific user with the settings in the web.config

Answer 2

You will need to do four things for this to work on Windows running IIS 7.

1. Clear authentication cache in SVN:

Even though SharpSVN doesn't require Tortoise SVN to be installed on the machine, you will need it to clear the authentication cache. Right click any menu in Windows > TortoiseSVN > Settings > Saved Data > click "Clear" for Authentication. If you're using Tortoise SVN on that machine (server), you will need to clear the cache each time you click the "Save Credentials" option, which gets annoying. I generally have a config option on my development machine to hard code the user.

2. Set a custom user account as the application pool identity user.

Administrative Tools > IIS 7 > click application pools > right click appropriate application pool and choose Advanced Settings > set the "Identity" to a user account who can authenticate via Kerberos and NTLM in Active Directory (it depends on the browser and how the browser is establishing authentication tickets)

3. Set the web application to use Windows Authentication:

IIS 7 > click web site > Authentication > Disable all, then Enable "Windows Authentication"

4. Use this code to authenticate.

           client.LoadConfiguration(Path.Combine(Path.GetTempPath(), "Svn"), true);
   
           client.Authentication.Clear();
           client.Authentication.UserNamePasswordHandlers
               += delegate(object obj, SharpSvn.Security.SvnUserNamePasswordEventArgs args)
               {
                   args.UserName = System.Configuration.ConfigurationManager.AppSettings["svn_user"].ToString();
                   args.Password = System.Configuration.ConfigurationManager.AppSettings["svn_pass"].ToString();
               };
   
           client.Authentication.SslServerTrustHandlers +=
           delegate(object sender, SvnSslServerTrustEventArgs e)
           {
               e.AcceptedFailures = e.Failures;
               e.Save = true; // Save acceptance to authentication store
           };