Can we use gMSA account in TFS Release pipeline? I am trying to use gMSA account for 'Windows Machine File Copy' task but since I don't have the password for gMSA account, I specify an empty string.
But when I run, I get the following error
[error]Failed to Create PSDrive with Destination: '\Servername\D$\Path', ErrorMessage: 'Access is denied'
Thanks for reaching out. gMSA account, currently not supported in TFS.
However, there has been a related user voice:
Support for Active Directory Group Managed Service Accounts
https://developercommunity.visualstudio.com/idea/365494/support-for-active-directory-group-managed-service.html
You could vote up and track the process, our PM will kindly review any feature request.
If there is not a specific reason you need to run a gMSA account, you could use local system admin account and domain account instead.
Admin Login:
The username of either a domain or a local administrative account on the target host(s).
Formats such as domain\username, username, and machine-name\username
are supported.
UPN formats such as username#domain.com and built-in system accounts
such as NT Authority\System are not supported.
Related
I am running Azure DevOps Server 2019 cu7. When I click on the Access Levels link at the Project Collection level, I get a page not found error for ../_admin/_licenses. I then upgraded my development farm to ADO Server 2020, and still have the same issue.
The app pool accounts are both System and I have added the System account to the iis_iusrs group.
Also, i get a page not found error when trying to hit the/_api/licenses/export api to try to get around the page not found error when using a browser.
It seems that you do not have the permission Edit Instance-level information
Steps:
Open Azure DevOps Server Administration Console->click the option Application Tier->click the button Administer Security->select [Team Foundation]\Team Foundation Valid Users and ensure the permission Edit instance-level information is set the allow. Then we could check the Access Levels page.
Result:
The permission is set to Deny
The permission is set to Allow
I need your help if possible in order to resolve the issue mentioned in message subject. I have a TFS installation in two servers: one for application and another for database both on AD Domain. For security reasons I need to change the domain user account password used for this application (the user account is the AD Domain Administrator).
I changed the password from Windows AD users and computers console and after that when I tried to access to TFS (http://servername:port/tfs) I received the TF246017 error. I restored the old password for the account and TFS started to work again.
I saw that this domain user account figures in TFS Admin console, under application tier and there is an option to upgrade the password of service Account. My questions are if it is necessary to run password upgrade from there in addition to doing it from the administrator of AD users and groups option and if there is/are another option/s that I should take into account to modify the password for this user account.
Thank you in advance for your attention and your help.
Best Regards.
The error info and root cause is very clearly. You need to update the password of your corresponding account.
There are two ways to achieve the account password update:
To use the administration console to change the password
To use the TFSConfig utility to change the password:
To avoid TF246017 Error occur again, I would recommend you use the same user credential for SQL Server and TFS server. Ex: domainname/tfs is local admin to the server, sysadmin in SQL Server DB and also admin user to TFS server.
You could also check the Event log. The Windows Event Log is a good candidate where to look for the potential cause.
You need to use tfsconfig on the app tier server.
Something like tfsconfig accounts /updatepassword /account:[account name] /password:[password] should do the trick.
See also: https://learn.microsoft.com/en-us/vsts/tfs-server/admin/change-service-account-password?view=tfs-2015
Jenkin shows two accounts for the same person, one from Active Directory and one from Team Foundation Server (TFS).
When I checkin code, a build is triggered (in this case Main - Build config) and the changes show user windows live id_steven#example.com with email address Windows Live ID\steven#example.com
When I click Build Now in Jenkins, it shows the changes came from user ssteven with email address Steven#Example.com
How can I link these two accounts since they are both the same person?
It should be possible with the Additional Identities Plugin to merge accounts by matching various properties, e.g. TFS account ID.
However, this may not work in all cases and is generally a long-outstanding issue in Jenkins:
https://issues.jenkins-ci.org/browse/JENKINS-10258
so this is the issue:
I have a TFS 2012 installed on a server A and I want to install a TFS Build Service on server B. The TFS on server A has a DefaultCollection which I want to link it to a Team Build. When I try to configure the build server it shows a failure message: User1 needs "ManageBuildResources" permission set to allowed. User1 is NOT in any group, its a single lonely user, then I ask a coworker about the permissions. Now in the security settings of Team Explorer it shows that User1 has "ManageBuildResources" set to allowed on DefaultCollection. Still, when I try to configure it, it shows again the same failure message.
So I read in the Microsoft website that User1 must be in Project Collection Administrators group in order to configure a build server, do I need to make User1 a member of this group, even if User1 has all the privileges? Because I don't understand why it shows that User1 doesn't have privileges.
Thanks in advance!
Yes, you currently need to make a user part of Project Collection Administrators in order to be able to add a build server to your collection.
I'm using a Ruby gem called Savon to interact with SharePoint 2010's UserProfileService Web Service. I'm getting an error: Attempted to perform an unauthorized operation. I used
client.wsse.credentials "username", "password"
to pass my credentials. Anyone know what permissions are needed to use the UserProfileService web service?
In SP 2007, the username/password you use will need to have the "Manage User Profiles" permission set in the Shared Service Provider (SSP). IN SP 2010, I am not sure what the equivalent is since there is no longer an SSP, but an User Profile Service. I am sure there is something similar.
In Manage service applications in Central Admin, click on the User Profile Service then click Permisions in the ribbon add the user with Full Control permissions