Permissions required for the Tentacle Windows Service

By default, the Tentacle Windows Service runs under the Local System context. You can configure Tentacle to run under a different user account by modifying the service properties via the Services MMC snap-in (services.msc).

The account that you use requires, at a minimum:

  • The Log on as a service right on the current machine.
  • Rights to enumerate the Local Machine certificate store.
  • Permissions to load the private key of the Tentacle X.509 certificate from the Local Machine certificate store.
  • Read/Write permissions to the Tentacle “Home directory” that you selected when Tentacle was installed (typically, C:\Octopus).
  • Rights to manage Windows Services (start/stop).

Please be aware that to perform automatic Tentacle updates you need an account with extra permissions.

In addition, since you are probably using Tentacle to install software, you’ll need to make sure that the service account has permissions to actually install your software. What that requires depends entirely on your applications, but it might mean:

  • Permissions to modify IIS (C:\Windows\system32\inetsrv).
  • Permissions to connect to a SQL Server database.

If you Reinstall a Tentacle using the Tentacle Manager, the Windows Service account will revert to Local System.
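
The following read-only audit is an added example, not a script from Octopus Deploy. It reports which account the service runs under (catching a silent revert to Local System) and checks two of the minimum requirements above: the Log on as a service right and Modify access to the home directory. It assumes the service name used in the sc.exe command on this page and the typical home directory C:\Octopus; it only detects rights granted directly to the account, not through group membership, and it does not check the certificate private key.

```powershell
# Added example: read-only audit of the Tentacle service account. Run elevated.
# Assumptions: the service name and home directory defaults below; adjust for your install.
param(
    [string]$ServiceName = 'OctopusDeploy Tentacle',
    [string]$HomeDir     = 'C:\Octopus'
)

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }
$account = $svc.StartName
Write-Output "Service account: $account"

if ($account -eq 'LocalSystem') {
    # Default context, and what a reinstall through Tentacle Manager reverts to.
    Write-Warning 'Service runs as Local System; no custom account to audit.'
    return
}

# Resolve the account to a SID so comparisons do not depend on name formatting.
$name = $account -replace '^\.\\', ($env:COMPUTERNAME + '\')
$sid  = [System.Security.Principal.NTAccount]::new($name).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value

# "Log on as a service" = SeServiceLogonRight in the exported local security policy.
$cfg = Join-Path $env:TEMP "user-rights-$PID.inf"
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' } |
        Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue
$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1] -split ',' |
               ForEach-Object { $_.Trim().TrimStart('*') }
}
$hasLogonRight = ($holders -contains $sid) -or ($holders -contains $name)

# Home directory: look for an Allow rule for this SID that includes Modify (read + write).
$modify = [System.Security.AccessControl.FileSystemRights]::Modify
$rules  = (Get-Acl -Path $HomeDir).GetAccessRules(
              $true, $true, [System.Security.Principal.SecurityIdentifier])
$hasHomeAccess = [bool]($rules | Where-Object {
    $_.IdentityReference.Value -eq $sid -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $modify) -eq $modify })

[pscustomobject]@{
    Account              = $account
    LogOnAsServiceDirect = $hasLogonRight
    HomeDirModifyDirect  = $hasHomeAccess
}
```

A False result means no direct grant was found; confirm group-based grants before changing anything.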

Using a Managed Service Account (MSA)

You can run Tentacle using a Managed Service Account (MSA):

  1. Install the Tentacle and make sure it is running correctly using one of the built-in Windows Service accounts or a Custom Account.
  2. Reconfigure the Tentacle Windows Service to use the MSA, either manually using the Services snap-in, or by running sc.exe config "OctopusDeploy Tentacle" obj= Domain\Username$.
  3. Restart the Tentacle Windows Service.

Learn about using Managed Service Accounts.

Page updated on Sunday, January 1, 2023