Category Archives: VisualSVN

VisualSVN Server upgrade and network file shares

As I have blogged about previously, our source code is our lifeblood.  We continue to rely on the exceptionally stable VisualSVN Server by VisualSVN.  While the server itself has always been reliable, installation and upgrades have proven to be rather challenging.  This has nothing to do with VisualSVN’s implementation, but rather the complexity of our internal network.  In the spirit of saving others time, I am going to review our latest installation experience.

But first, a little about our network….

SVN Network Diagram

Our VisualSVN Server is located on an externally facing edge server which allows access to our SVN server from both sides of the corporate firewall.  The repositories themselves are stored on a NAS file server which is located internal to our network and provides a high level of security and recoverability.  From a security standpoint, the repository’s file share is locked down to a dedicated SVN active directory account as well as the customary administrative accounts.

Now on with the story:  Upgrading to VisualSVN Server 2.1.1

Our first attempt to install using the default upgrade settings failed with the following error:
Custom action ConfigureSecurityExecute failed: Cannot retrieve security information for ‘\Our NAS storage path’: Access is denied. (0x80070005)

The installer promptly rolled back.  At least we know the installer works smoothly!  After a little bit of digging, it appears the installer is attempting to modify the security settings on the repository files.  This failed because we have explicitly disallowed modifications unless you are the SVN domain account or an administrator… the installer was neither!

Ignore the network share during installation.  This is accomplished by changing the Repositories: path in the custom setup wizard to a local path such as C:TempSVN. See the image below for the field that needs to be changed.

SVN Installer Setup

That corrected the installer error issue and we are now upgraded to 2.1.1.  But, we are not done just yet.  There are a couple of more steps we have to complete before the developers can access the updated server.

Network Configuration Steps
We have to perform two additional steps:

  1. Reconfigure the service to logon as the active directory domain account
    This is required to allow the service to access the file share on the NAS
  2. Reconfigure SVN from our temporary local path from FIX#1 to the actual network path on the NAS

For step #1 above:  Open services from administrative tools, right click to show properties for VisualSVN Server, and change the LogOn information to your SVN specific domain account credentials.

Step #2 requires you to launch the VisualSVN Server Manager and display the server properties.  On the General tab, set your Repositories Root to your file share path and uncheck the Automatically adjust permissions check box.  See the image below for the fields that need to be changed.

SVN Server Manager Changes

We restarted the VisualSVN Server and immediately received an error:
Cannot start VisualSVN Server.  Service returned specific error 0x1

Helpful (NOT!).  Reviewing the VisualSVN Server error log revealed two separate errors

Syntax error in httpd.conf line 103
Unable to open C:Program Files (x86)VisualSVN Servercertsserver.pem.  The file does not exist or is empty.

Line 103 of the httpd.conf file was nothing more than the path to the certificate file certs/server.pem.  A quick check of the file proved it not only existed, but it had a valid certificate.  Wanna bet we have a security error?

Set the security on the certificates directory to include the active domain account the service logs on as.  Basically, the account we used in the Network Configuration sets for the VisualSVN Server needs to have modify rights on C:Program Files (x86)VisualSVN Servercerts

We restarted the SVN server and all was well in the world once again.
(I’m hungry, lunch time!)

VisualSVN Server and UNC based file shares

At AIS, our source code is our lifeblood (we are a development shop after all).  To maintain our source code repositories, we use VisualSVN as our SVN server due to it simplicity, stability, and integration into Active Directory.

Because our server farm is comprised of edge servers with our file and backup servers nicely tucked in behind those edge servers, we must call upon VisualSVN to access its repository data via a UNC based network share.

So, it came as a  surprise when version 1.7.1 of VisualSVN was released, we were unable to get the service to start.  A quick check of the event viewer showed an error of

VisualSVNServer.exe could not log pid to file C:/FileShare/SVN/

Huh?  That path should be \FileShareSVN

OK… what is up with this.

Well… our memory is what is up.  We forgot a couple of key points:

  1. The service was just reinstalled
    Ah…. it was reinstalled using Network Service as a user.
    Time to change the user to the domain user with the proper rights to the network share.
  2. Verify the httpd.conf file is using *nix notation for the file paths
    \FileShareSVN will appear in the configuration file as //FileShare/SVN/
    If it doesn’t, change it

And suddenly everything works as we are accustom to.


<And there was much rejoicing>

Making VisualSVN PCI compliant

One of AIS’s customers is currently performing PCI Compliance Audits.  One of the core tenants of PCI compliance is the hardening of all external facing corporate e-assets.

During the course of the auditing, the SVN port was noted as a security risk (I.E. the port failed the audit due to weak encryption).  While the practice of an external facing SVN port in a PCI compliant organization is a point of debate, this customer had legitimate corporate need to continue supporting the SVN environment.

Kudos for the solution do not fall to AIS as the solution was divined by the customer’s internal PCI guru.  In the interest of knowledge sharing, the customer has granted AIS the right to publish the solution here.

VisualSVN Server is a very robust, easy to administer, and easier to install SVN server based on the Apache server.  While making an Apache install PCI compliant is a well documented process, translating those steps to VisualSVN server proved to be a little more difficult.


  • Disable TraceRoute
  • Enable SSL3 and TSL1
  • Disable weak encryption


  1. Locate the configuration directory (Conf) located in the VisualSVN server install directory
  2. Add the following lines into the httpd-customer.conf file

TraceEnable off
SSLProtocol -ALL +SSLv3 +TLSv1