TFS Build Agent Can't Connect to Package Feed

A little info on our setup:
On-Prem TFS 2018 Update 2 (running as domain Service Account A)
Separate Win2k16 VM hosting a build agent (using a domain Service Account B to run the agent)
Package feed hosted inside a collection on TFS
So this has worked for a few months now (the new piece being the package feed for our own-developed NuGet packages). On an MVC project utilizing our build servers, the NuGet Restore task fails when trying to connect to our package feed. On fail, the message is:
http://TFS_URL:8080/tfs/Development/_packaging/CustomNuGetFeed/nuget/v3/index.json: Unable to load the service index for source http://TFS_URL:8080/tfs/Development/_packaging/CustomNuGetFeed/nuget/v3/index.json.
Response status code does not indicate success: 401 (Unauthorized).
That's all the info that the build log spits out; I dove deeper and spun up WireShark and got the following:
Request
GET /tfs/Development/_packaging/CustomNuGetFeed/nuget/v3/index.json HTTP/1.1
user-agent: NuGet Command Line/4.4.1 (Microsoft Windows NT 6.2.9200.0)
X-NuGet-Client-Version: 4.4.1
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Authorization: Basic <base64_token>
Host: tfs:8080
Response
HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-TFS-ProcessId: d9a45aba-cc82-4f2c-98a3-e4441bfa456f
ActivityId: e780f2d6-1216-46ac-8c66-cb89379c7811
X-TFS-Session: e780f2d6-1216-46ac-8c66-cb89379c7811
X-VSS-E2EID: e780f2d6-1216-46ac-8c66-cb89379c7811
X-FRAME-OPTIONS: SAMEORIGIN
WWW-Authenticate: Bearer
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="tfs"
X-Powered-By: ASP.NET
P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"
Lfs-Authenticate: NTLM
X-Content-Type-Options: nosniff
Date: Tue, 16 Oct 2018 19:57:17 GMT
Content-Length: 1293
Response page message
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.
However, there's a .NET Core app that still restores packages fine as far as I can tell (unless it's only retrieving the packages from cache).
The credentials for the service account have not changed at all. I've made sure the service accounts have access to the feed, according to these docs: https://learn.microsoft.com/en-us/azure/devops/artifacts/feeds/feed-permissions?view=vsts&tabs=previous-nav
I've also tried disabling Basic Auth in IIS for the TFS site on the TFS server, and enabling Windows auth. Neither of which worked either.
So I'm at a loss at what the issue could be from all that I've tried/looked into.

TL;DR; nuget was too old. Updating it helped.
We had the same problem after setting up a new build agent machine for a TFS 2018 on Windows 2019. However, we did not use wireshark to inspect traffic, so this might be unrelated. Same symptoms though: one solution worked (using paket), the other didn't work (using nuget).
The issue was that the other solution used a nuget (version 2.x) from a committed thirdparty directory. Nuget is designed to use a 'global' nuget from %localappdata%\nuget if available. And that global nuget version didn't exist. Updating nuget as the build agent user fixed the issue, and placed a recent nuget version into %localappdata%:
nuget.exe update -self
I think that the TFS 2018 requires NTLM authentication instead of basic authentication (which still seemed to be supported by TFS 2017). It still strikes me as weird that the installed VS 2017.9.5 didn't update nuget.

Even after upgrading to Azure DevOps Server 2019.0.1, I was still receiving a 401 Unauthorized when attempting to authenticate to a package feed that was hosted in the same collection.
Workaround
The workaround I had used was to place the package binaries inside the build server's package cache folder, located here:
C:\Users\.nuget\packages
Working Solution
However a solution has been found with the help of Microsoft's VS Community. An updated cred provider needs to be used with the NuGet Restore task.
Nuget 4.8+ needs to be used for this to work, and then 2 build variables need to be added to the build definition:
NuGet_ForceEnableCredentialProviderV2 = true
NuGet.ForceEnableCredentialProvider = false
According to a Microsoft rep, this will be enabled by default on ADOS 2019.1 update.
You can view the full thread here:
https://developercommunity.visualstudio.com/content/problem/360323/tfs-build-agent-cant-connect-to-package-feed.html
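An added example (not code from the thread or from Microsoft): a Python check over the exchange captured in the question. It separates a 401 caused by an unsupported scheme from one where the server rejected the credential itself, and notes when a Basic or Bearer credential travels over plain http://. The sample response is constructed from the capture's headers, the credential is a placeholder, and the function and finding names are assumptions of this example.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample modelled on the capture in the question; the credential
# is a placeholder, not a value from the page.
SAMPLE_URL = ("http://TFS_URL:8080/tfs/Development/_packaging/"
              "CustomNuGetFeed/nuget/v3/index.json")
SAMPLE_REQUEST_AUTH = "Basic " + base64.b64encode(b"user:placeholder").decode()
SAMPLE_RESPONSE = """HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/8.5
WWW-Authenticate: Bearer
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="tfs"
Content-Length: 1293
"""


def offered_schemes(raw_response):
    """Return the schemes named in WWW-Authenticate headers, in order."""
    schemes = []
    for line in raw_response.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    return schemes


def diagnose(url, authorization, raw_response):
    """Classify a 401 (hypothetical finding names) from one request/response pair."""
    status = int(raw_response.split()[1])
    sent = authorization.split()[0].lower() if authorization else None
    offered = offered_schemes(raw_response)
    findings = []
    if status == 401:
        if sent is None:
            findings.append("no-credentials-sent")
        elif sent in offered:
            # Scheme is accepted by the server, so the credential was refused.
            findings.append("credentials-rejected")
        else:
            findings.append("scheme-not-offered")
    # Basic and Bearer values are replayable by anyone who can read the wire.
    if sent in ("basic", "bearer") and urlsplit(url).scheme == "http":
        findings.append("reusable-credential-over-cleartext-http")
    return {"status": status, "sent": sent, "offered": offered,
            "findings": findings}
```

For the capture above the result is `credentials-rejected`: the server lists Basic among its challenges, so the token the client's credential provider supplied was refused rather than the scheme.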

Related

401 Unauthorized out of nowhere with Jenkins and TFS

EDIT 2
Okay, turns out this has nothing to do with TFS or MSBuilder. This is entirely a problem with SonarQube. The SonarQube Service is the one who sends back a 401 (Unauthorized) status not TFS. Since I run 5.4 I have no clue as to how I specify a SonarQube user because in Jenkins both of those fields are greyed out.
I am using Jenkins as a Windows Service and about 2 hours ago the service made a successful build. Now, out of seemingly nowhere, Jenkins keeps reporting 401 (Unauthorized) no matter which build job I try to start.
They all start a SonarQube scanner first
Run MSBuild
In order for SonarQube to read the analysis I have to run a rebuild command
Run the End SonarQube analysis step and it collects the data to put on our SonarQube portal.
What I don't understand is that the last change I made to anything, was to go delete a file from an ASP project and now none of the jobs work, even those that have nothing to do with this ASP project. All the projects are stored on our Team Foundation Server (not locally hosted).
The only thing that really changed was that we wanted the IP of the Jenkins and SonarQube services to be accessible outside of the server they are hosted on so we made two sites on the local IIS and made a DNS to point at those. Reading into the error log I first see status 302 which is a redirection, before I reach 402. When I go to "Configure Jenkins" I am told that my proxy settings failed...or something along those lines.
Any idea what might cause this behaviour?
EDIT
Here is a part of the error log:
INFO: SCM changes detected in CSharp Build Job. Triggering #1
Apr 20, 2016 11:04:08 AM com.microsoft.tfs.core.config.httpclient.DefaultHTTPClientFactory logHTTPClientConfiguration
INFO: HttpClient configured for https://omitted.visualstudio.com/, authenticating as it#omitted.dk
Apr 20, 2016 11:04:10 AM com.microsoft.tfs.core.ws.runtime.client.SOAPService executeSOAPRequestInternal
INFO: SOAP method='GetRegistrationEntries', status=302, content-length=0, server-wait=1164 ms, parse=0 ms, total=1164 ms, throughput=0 B/s, uncompressed
Apr 20, 2016 11:04:11 AM com.microsoft.tfs.core.httpclient.HttpMethodDirector processWWWAuthChallenge
INFO: Failure authenticating with BASIC #omitted.visualstudio.com:443
Apr 20, 2016 11:04:11 AM com.microsoft.tfs.core.ws.runtime.client.SOAPService executeSOAPRequestInternal
INFO: SOAP method='GetRegistrationEntries', status=401, content-length=0, server-wait=578 ms, parse=0 ms, total=578 ms, throughput=0 B/s, uncompressed
Apr 20, 2016 11:04:11 AM com.microsoft.tfs.core.TFSTeamProjectCollection getServerDataProvider
WARNING: Error getting data provider
com.microsoft.tfs.core.exceptions.TFSUnauthorizedException: Access denied connecting to TFS server https://omitted.visualstudio.com/ (authenticating as it#omitted.dk)
Try to change the Server URL from https://omitted.visualstudio.com/ to https://omitted.visualstudio.com/DefaultCollection. And use Personal access tokens or Alternate credentials for User name and password.
Okay, I have found the solution. It's so stupid I can't believe I didn't think of it.
In my SonarQube.Analysis.xml found at
...Jenkins\.jenkins\tools\hudson.plugins.sonar.MsBuildSQRunnerInstallation\MSBuild_2.0\SonarQube.Analysis.xml
I remembered that I had the username and password written and at some point I went and changed that in SonarQube from the default values to something else. That made all the builds break.

Find out what web server a Rails app is working on on the hosting

I'm given access to a Rails application which is hosted on a Linux machine. I need to setup a redirection from www to the root domain and, although it can be done via the application using before_filter or route.rb, it's better to do it via the web server. But I don't know what web server it's working on. It may or may not be nginx - I don't know. This is what I need to find out. How can I do that?
Launch your browser.
Open the developer tools, go to the Network tab
Navigate to the web app.
On the left panel, click on any of the loaded resources.
Select the Headers tab and find the Server header within the Response headers section.
This screenshot was made with Chrome (it's slightly different with Firefox or IE)
You can run the following in command line:
curl -I www.yoururl.com
or
curl -I youripaddress
When I run this for my server I see:
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 27 Dec 2014 02:20:01 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Status: 200 OK
This is a super quick way to find out! :)
Good luck!!

TFS 2010 TF31002: Unable to connect to this Team Foundation Server

I installed TFS 2010 on WS 2008 R2 more than two years ago and everything worked fine until I installed an app on the server, which I think changed some settings on IIS/the server. After that I cannot access the TFS web services, even locally on the TFS server!
What is the problem?
After that, to resolve any security issues, I changed the TFS application pool's identity to the network administrator. The TFS account is NT AUTHORITY\NETWORK SERVICE. I can create a team project collection from the TFS administration console. I checked the network traffic with Fiddler when accessing http:///tfs and the response was:
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/7.5
Persistent-Auth: true
X-Powered-By: ASP.NET
Date: Tue, 16 Dec 2014 11:49:24 GMT
Content-Length: 0
If you have broken the server by installing something then I would recommend building a new dedicated TFS server.
Option 1) Create a new clean server for TFS. Install SQL and restore all of the databases from your old server. Then install TFS 2013.
Option 2) if you do not have room for a dedicated TFS server you should create a temporary instance to get working and then push all of your data to VSO (http://tfs.visualstudio.com)
If you run TFS locally you should be aware that TFS owns both the server and the database server that it is installed on. It is an application that includes those components.

Dynamic IIS Compression Module and Vary: Accept-Encoding Header is not overwritten

When you enable dynamic content compression on a computer that is running Windows Server 2008, a Vary header is always overwritten as "Accept-Encoding". You cannot change it by code.
This hotfix http://support.microsoft.com/kb/2877816 resolves the issue for several versions but it doesn't apply to Windows Server 2008.
Is there another hotfix for Windows Server 2008?

MVC in IIS do not send scripts to client?

I have set up an MVC website in my own IIS7 (Windows 7), but no files under the Scripts folder (which is in the root of the website) are found. If I upload the solution to the web host or run it in the VS mini IIS, it works fine.
I have set this in the web.config :
<authorization>
<allow users="*"/>
</authorization>
I have given full access to the entire website folder (with subfolders/subfiles) to the following users: IIS_IUser, NETWORK SERVICE, IUSR.
The site is run by the 4.0 application pool, which runs as ApplicationPoolIdentity.
I have tried this URL: localhost/Scripts/ but it only returns a 404 error.
When checking in Explorer I can see that there are files.
Edit: Images and CSS do work, but not the Scripts folder and its content. I have double-checked the rights.
Didn't you by accident forget to install the Static feature of IIS? You can enable this when you open Control Panel > Programs > Turn Windows features on or off > Internet Information Services > World Wide Web Services > Common HTTP Features, there make sure the checkbox before Static Content is checked.
I have got the same issue on a brand new Win 2k8 R2 server running asp.net.
Did you ever solve the problem?
Using httpie I found that the headers were different for normal 404s and 404 errors on the Scripts folder:
HTTP/1.1 404 Not found
Content-Length: 0
Date: Wed, 19 Sep 2012 14:27:15 GMT
Server: Microsoft-HTTPAPI/2.0
Version: 11.0.11282.0
as opposed to
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 5222
Content-Type: text/html; charset=utf-8
Date: Wed, 19 Sep 2012 14:21:32 GMT
Server: Microsoft-IIS/7.5
for any other random folder.
Am currently investigating if it is SQL Server Reporting Services that is blocking it. ... appears not
searching on server version brings up QlikView forums ... that is installed on server, so investigating that now ... stopped QlikView and it fixed it.
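An added example (not part of the original answer): the header comparison described above as a Python check that groups probed paths by the `Server` header and reports any path answered by something other than IIS, together with the unusual headers that help identify the listener. `Microsoft-HTTPAPI/2.0` is the value emitted by the Windows HTTP Server API (HTTP.sys) layer; the path `/random-folder/`, the `COMMON` set and the function names are assumptions of this example, and the two responses are constructed from the ones quoted in the answer.

```python
# Constructed probe results: path -> raw response head, copied from the
# two 404 responses quoted in the answer above.
PROBES = {
    "/Scripts/": """HTTP/1.1 404 Not found
Content-Length: 0
Date: Wed, 19 Sep 2012 14:27:15 GMT
Server: Microsoft-HTTPAPI/2.0
Version: 11.0.11282.0
""",
    "/random-folder/": """HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 5222
Content-Type: text/html; charset=utf-8
Date: Wed, 19 Sep 2012 14:21:32 GMT
Server: Microsoft-IIS/7.5
""",
}

# Headers that say nothing about which product produced the response.
COMMON = {"server", "date", "content-length", "content-type", "cache-control"}


def parse_head(raw):
    """Split a raw response head into (status_code, {lowercased name: value})."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def responders(probes, expected_prefix="Microsoft-IIS/"):
    """Group paths by Server header and list those a different listener answered."""
    by_server, foreign = {}, []
    for path, raw in probes.items():
        status, headers = parse_head(raw)
        server = headers.get("server", "<none>")
        by_server.setdefault(server, []).append(path)
        if not server.startswith(expected_prefix):
            # Uncommon headers (here "version") are the lead for identifying
            # which installed product registered the URL prefix.
            foreign.append((path, status, server, sorted(set(headers) - COMMON)))
    return by_server, foreign
```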
