Our Jenkins is integrated with AD Account.
Not sure if any job is using my old credentials; my account is getting locked every few mins.
I verified logs and all the jobs with my userId, could not find anything.
Can anyone suggest what other things I can check?
I'm following this documentation:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-get-started?tabs=app-reg-ga
And I found another question answered that I thought fit my case:
https://learn.microsoft.com/en-us/answers/questions/199433/can39t-add-role-assignments-to-azure-b2c-applicati.html
My problem is that the app that I registered will not appear as an option when I try to follow the "Enable user delete and password update" portion of the documentation.
I am also mindful of the notice "Please allow a few minutes to for the permissions to fully propagate." But I've been at it for 2 hours now, so I don't think that is the problem.
Here is my App and its API permissions:
And my B2C Tenant:
Microsoft has answered this question on this thread as follows:
Hi All · Thank you for reaching out.
There seems to be an issue with the UI. I will report the issue to the product team and get it addressed.
However, as of now, you can follow below steps and use PowerShell to add application to the User Administrator role:
1. Install latest Azure AD PowerShell Module.
2. Run Connect-AzureAD -TenantId Your_B2CTenant.onmicrosoft.com and sign in with Global Administrator account in that tenant.
3. Run Get-AzureADDirectoryRole cmd and copy the object id of the User Administrator role.
4. Navigate to Azure AD > Enterprise Applications > Search the app and copy the object id of the app.
5. Run Add-AzureADDirectoryRoleMember -ObjectId object_ID_copied_in_Step3 -RefObjectId object_ID_copied_in_Step4 cmdlet.
6. To verify, navigate to Azure AD B2C > Roles and Administrators > User Administrator. You should see the application present under this role.
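The same steps as one script, given here as an added example that is not part of the Microsoft answer. It uses AzureAD module cmdlets; the tenant name is the placeholder from the steps, and the app display name is hypothetical. It also covers two cases the manual steps skip: a role that has not been activated in the tenant yet, and an app that already holds the role.

```powershell
# Added example; the two values below are placeholders, replace them with your own.
$TenantId = 'Your_B2CTenant.onmicrosoft.com'   # placeholder used in the steps above
$AppName  = 'my-graph-management-app'          # hypothetical app display name

Import-Module AzureAD -ErrorAction Stop
Connect-AzureAD -TenantId $TenantId | Out-Null # sign in as Global Administrator

# Step 3: object id of the User Administrator role. Get-AzureADDirectoryRole
# returns only roles already activated in the tenant, and the role has also
# been listed under its older name, so accept both names and activate the
# role from its template when it is missing.
$roleNames = 'User Administrator', 'User Account Administrator'
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -in $roleNames }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate |
        Where-Object { $_.DisplayName -in $roleNames }
    if (-not $template) { throw 'User Administrator role template not found.' }
    Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId | Out-Null
    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -in $roleNames }
}

# Step 4: object id of the app's service principal (its Enterprise Applications
# entry). Refuse to continue if the name is ambiguous or not found.
$sp = @(Get-AzureADServicePrincipal -Filter "displayName eq '$AppName'")
if ($sp.Count -ne 1) {
    throw "Expected one service principal named '$AppName', found $($sp.Count)."
}

# Step 5: add the app to the role unless it is already a member.
$members = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)
if ($members.ObjectId -contains $sp[0].ObjectId) {
    Write-Output "$AppName already holds $($role.DisplayName)."
} else {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp[0].ObjectId
}

# Step 6: list every service principal that now holds the role, which also
# shows any other applications with the same directory-wide rights.
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Where-Object { $_.ObjectType -eq 'ServicePrincipal' } |
    Select-Object DisplayName, ObjectId
```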
I try to check code-push.
I use Cordova into a docker machine into a virtual machine, in Windows.
My problem is that when I try to create an account with "code-push register", I get "A browser is being launched to authenticate your account...". This doesn't help me at all because this runs into a docker machine and no browser can start.
What can I do?
It could help me if I could link a Microsoft account.
Thanks in advance
You can use the following commands to authenticate against the CodePush service without launching a browser and/or without needing to use your GitHub and/or Microsoft credentials (e.g. in a CI environment):
code-push access-key add "VSTS Integration"
By default, access keys expire in 60 days. You can specify a different expiry duration by using the --ttl option and passing in a human readable duration string (e.g. "2d" => 2 days, "1h 15 min" => 1 hour and 15 minutes). For security, the key will only be shown once on creation, so remember to save it somewhere if needed!
After creating the new key, you can specify its value using the --accessKey flag of the login command, which allows you to perform "headless" authentication, as opposed to launching a browser.
code-push login --accessKey <accessKey>
If at any point you need to change a key's name and/or expiration date, you can use the following command:
code-push access-key patch <accessKeyName> --name "new name" --ttl 10d
I finally did the obvious: installed code-push on Windows, performed 'code-push login'. Then the browser opened and after I inserted Microsoft login credentials I got the access token to use in Docker.
Background information
I need our TFS build agents to run under a specific account so that our ClickOnce certificates are authorised.
However, if I run under the account X, which is also the user account of the build controller that has the correct certificates, I get the error: "Source is already in use". Even if I restart the service and/or the virtual machine.
Originally rightly/wrongly our build agents were running under the Network Service account, however this account cannot verify the certificates.
Using the Local System account does not give access to the build controller from a developer box.
So I guess my question is: What account should the service 'Visual Studio Team Foundation Build Service Host' run under?
It turned out that the account X was the correct choice (our build controller user account, that has few privileges).
It was that the account needed adding to the builders group TFS Admin.
My personal suggestion would be: a specifically-created, minimum-privilege account that is only authorised as far as is necessary to build the code on your build machines, and no more.
I'm not aware of any restriction around the user for the build agent vs the build controller, though - in fact I'm sure I've used a similar setup before. Is it possible that your error is misleading? Changing users might be a workaround, but perhaps there's something else fixable going on.
Experienced a very strange problem today on our TFS2010 build server. Suddenly the build service failed for no apparent reason. We've been troubleshooting it all day, but still haven't found the reason yet.
One of the problems is that the build service is (or should be!) running under an AD user called tfs2010build. However, when I try to start the service, I get the following error:
Service cannot be started. Microsoft.TeamFoundation.TeamFoundationServerUnauthorizedException: TF30063: You are not authorized to access http://tfs2010:8080/tfs/default. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
When I look in the event log on the TFS2010 server, I see that the failed authentication is registered for a user called TFS2010Install, which was used to install everything. I've triple checked and the service is specified to be running under TFS2010Build.
Log from TFS2010 server:
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: TFS2010INSTALL
Account Domain: LC
So my question is how is this possible. Could the user TFS2010Build somehow be impersonated by TFS2010Install?
I've tried to install an additional build server and here there's no problem starting the service under the user TFS2010Build - hence it is not a problem with AD or TFS user rights.
Hope you guys can help out!
/Jasper
!! Updated with some screen shots. Build server is TFS2010BUILD and the TFS server is TFS2010
Screen shot of non working build server TFS2010Build
Screen shot of working build server TFS2010Build1
!!New Update
I've managed to get the Build service to run under the TFS2010Build user account (which was actually the initial state, when the problem started). When I queue builds to this controller and agent, I get the following in the build log:
TF215097: An error occurred while initializing a build for build definition \PlanteIT_MarkOnline_Scrum\CI_Main_FieldOnlineClient: TF215106: Access denied. LC\TFS2010INSTALL needs Update build information permissions for build definition CI_Main_FieldOnlineClient in team project PlanteIT_MarkOnline_Scrum to perform the action. For more information, contact the Team Foundation Server administrator.
It still insists that the TFS2010Install user account is running the service, despite TFS2010Build being used for the build service. Any ideas?
This is a stab in the dark, can you try clear the TFS client cache and your internet cache on your troubled build machine under the Tfs2010Build account? I've never seen this issue before but maybe some stale cached TfsProjectCollection object with TFS2010Install authentication stayed around and caused problems.
Have you also tried reconfigure your build machine?
To unconfigure:
tfsconfig.exe setup /uninstall:TeamBuild
and reconfigure through the wizard.
I will try once more ..., step by step :-)
1. FACT: When you register your build controller to a TFS project collection, being logged-in as TFS2010Build, an authentication dialog pops-up. This means that the TFS server does not accept TFS2010Build as an account that can be used to connect to your default collection on the TFS server.
2. FACT: When you register your build controller to a TFS project collection, being logged-in as TFS2010Install, no authentication dialog pops-up. This means that the TFS server does accept TFS2010Install as an account that can be used to connect to your default collection on the TFS server.
Apparently, because in both 1 and 2 your build controller is registered using the TFS2010Install account to the TFS server, either the controller or the server remembers these credentials and uses them to connect to the TFS server collection when the build controller is started, despite the fact that the service itself is running under the TFS2010Build account. This is a plausible situation and impersonation happens often this way for services. Maybe some TFS techie can either confirm or deny this behavior.
The question that remains for me: Why does the default collection on the TFS server not accept the TFS2010Build account as a valid administrator?
Potential causes:
Read Jim Lamb's answer.
Something is wrong with the domain registration of the system or user used to connect the controller to the collection on the TFS server.
Fastest way to get rid of the problem: Continue to install the secondary server that does not seem to have the problem, potentially experiment with using the TFS2010Build from this secondary server to see if the problem also occurs there.
A long answer, but hopefully it gives you a big push in the right direction.
Sorry to hear that you're having problems getting this to work. Here are a couple of things you can check/try:
Make sure that the TFS2010Build user account is a member of the "Build Services" group in the TFS project collection you've associated it with.
If you install and configure the build service while logged in as a user who is a member of the Project Collection Administrators group on the associated project collection and is also a member of the local Administrators group on the build machine, all of the requisite permissions and other configuration will generally be set for you.
So, to summarize, the user configuring the build machine should be a member of the project collection administrators group and a member of the local administrators group. And, the user account the build machine is running as should be a member of the project collection's "build services" group.
I have a desktop application that installs and starts a service. I know a process can get the explorer.exe token and launch another process with that token so that the second process will run as the logged-on user account.
My question is this: can I start my service by this explorer.exe token too? Is there an example in Delphi?
thx for your time
No, you cannot use such a trick to launch a service in a specific user account. The service's configuration in the SCM specifies the user account that the service uses when started. You can use ChangeServiceConfig() to change that account, but be careful because it is a global setting, not a per-start setting.