Recently my team upgraded to TFS 2017 from TFS 2012. I am a TFS administrator on the box but when i attempt to install a gallery extension in a specific team project collection i get:
"Access Denied. {user} needs Manage permissions to perform the action.
For more information, contact the Team Foundation Server administrator."
that would be fine, except i am the server administrator...sigh. the steps i have taken so far are:
reapplied my Admin Console User access.
confirmed i am still a member of the "Project Collection Administrators".
made sure i was in the "Project Administrators" groups for all of the collections projects.
made sure i had allow on "edit/view project-level information" for all projects.
compared security rules between other team project collections and the issue collection.
used TFSSecurity to directly set permissions again.
When i found that none of these steps worked i went so far as to ask another admin to remove me and add me back, to no avail. i should also mention, i have the ability to add extensions in other team project collections, just not the main one we use for development.
Any thoughts would be greatly appreciated.
UPDATE:
We found a post about there being a bug in the RTM version of tfs 2017, we were skeptical that is the cause as we had already done the potential workaround without success. We have decided we are going to attempt to install update 1 to see if that resolves the issues. I will update with the result, but that will not happen until the next maint window.
UPDATE 2:
We installed TFS 2017 U2RC2, and it did indeed resolve the issue. I suspect that Update 1 was all the farther that would be needed, but there are a bunch of nice features with U2RC2.
I'm afraid your issue it's possibility not related to that bug in RTM TFS2017. The bug is more related to the security ACEs for collection admins at the team project level and thus, collection admins were unable to access and administer some team project resources.
To narrow down your issue, you could try below ways:
Use another Admin account to install the specific extension
Use your account to add some other extension
If this is a issue only related to your account, there must be something wrong with the security ACES. Double check and compare the different permission settings between your account and other admin's account. Check if you have any related deny permission under the project collection. In TFS deny trumps allow.
Moreover when you do the remove and add back operation , there maybe some identity synchronization problem in TFS. Waiting for sometime, you could try to install the gallery extension again.
Of course, you could also update your TFS server, which may do the trick. Suggest you directly update to TFS2017 update2 RC2, which will be the last “big” feature release for TFS 2017. Release Notes
Related
I upgraded TFS from version 2010 -> TFS 2013 Update 5 -> to TFS 2017.3.1. The migration was successful, without errors.
When we select any work item we get error:
TF400898: An Internal Error Occurred.
{"message":"TF400898: An Internal Error Occurred.","type":"System.NullReferenceException"}
Content?bundle=vss-bundle-basejs-vLDQ_BPnMflh1yV4rhP43SsHlun31XvwYB1svh7haP9E=:5 GET http://servr_name:8080/Colection/sssdddd59ad7c58-da11-49ed-a085-6acc62384a85/_api/_wit/workItemTypes?__v=5&typeNames=FDR&stamp=5-12c3sss1sss162-12c40e0-117e5b3-12c4b45-11884ddddsaf-12c4b4b-1sss2c3166-117e5c2-ffffdddsffff826b3e0c-0-0-stateColors-True 500 (Internal Server Error)
It looks like api can't read domain users who own the work item.
This is not a TFS cache issue because it has been cleared on the client and server.
It depends on the users. eg, TFS administrator does not have such an error, work item opens correctly.
What could be the reason for this error?
Update 2
OP finally re-graduated 2010 to 2017 without the following command and it seems to have helped.
TFSConfig ChangeServerID /SQLInstance:server_db /DatabaseName:TFS_Configuration
First check Event Log in Event Viewer to see whether there is some useful information.
For the migration, make sure there are not any databases left from another TFS instance. Cleaning these up should help.
It depends on the users. eg, TFS administrator does not have such an
error, work item opens correctly.
If this issue depends on users. That may related to permission sync up.
You could try to remove all users out of the project and add them back again. Which may do the trick.
Also double check the permission related settings. Whether they are added under an area with deny permission for security settings. Since in TFS, deny trumps allow.
Update
If the upgrade was successful without any errors. Then this kind of error may related to the configuration.
You could try re-running the configuration wizard for the team project to fix the issue. How to please refer this tutorial: Configure features after an upgrade
I am using TFS 2018 update2, I have been given Project collection administrator level access for a project collection. But when I connect using VS2017 and create a Team project, I am getting TF218027 error. Please, let me know what the solution for this is.
The error message is very clearly, your account need to gain appropriate permission.
You need to set permissions on SQL Server Reporting separately from TFS itself.
TFS, Reporting Services and SharePoint all have independent permissions. The group "Project Collection Administrators" is internal to TFS and thus only gives access to the TFS functions, not the functions it uses on other servers.
The recommended approach is to create groups in AD (eg. "TFS Collection X Admins") in AD; and then use that group to give permissions in each of TFS, SharePoint and Reporting Services.
You could add a 'Content Manager' permissions, detail steps, please take a look at this thread: Error TF218027 when creating a Team Project in TFS 2010
Another way just as jessehouwing suggested in comment, you do not have to create with Report set, if your team actually no need the report feature, you could also disable the report settings, how to check the report configuration, please take a look at this link.
We used TFS Aggregator to automatic update the User Story's state according to its sons state changes and also to automatic Update User Story's state of other project (if they are related).
Also important to mention that we hire an external freelance to help us doing it. When we tested it on his environment - it worked well. But when deploy it in
our environment - there's no change, the new functionality doesn't work.
what you recommend us to check ?
what can be the reasons for this integration problem?
What actions should we take?
Your advises are more than welcome!
First, try to follow the steps of installation on this website to install the plugin: https://github.com/tfsaggregator/tfsaggregator/wiki/Install
If it still doesn't work. Here is the troubleshooting page you can refer to: TFS Aggregator Troubleshooting:
You are using the right version of this server side plugin for the
right server. You can get multiple releases of this plugin at website
https://github.com/tfsaggregator/tfsaggregator
You have updated a work item that triggers a rule. (The TFS
Aggregation only works once a work item that has aggregation rules on
it is updated. This may change in a future version.)
If the rule navigates between work items, work items have a proper
Link (e.g. Parent-Child).
You copied the DLLs and the Policies file to the plugins location on
all TFS Application Tier Servers (Usually at: :\Program
Files\Microsoft Team Foundation Server {version}\Application Tier\Web
Services\bin\Plugins)
You have valid names for source and destination fields in
TFSAggregator2.ServerPlugin.policies.
When you saved the file you saved it as UTF-8 encoding (in Notepad++
it is called “utf-8 without BOM”).
You have given permission to the user running the plugin, e.g. add
the "TFS Service Account" to the Project Collection Administrators
TFS Group.
You may have to do this from the commandline using tfssecurity
/collection:http://server:8080/tfs/DefaultCollection /g+ "Project
Collection administrators" "LOCAL SERVICE" if your service account is
either LocalService, NetworkService or any other Windows Well-known
identity, since they are no longer shown in the permission UI.
When using the Impersonation option, make sure the user executing the
plugin (generally the TFS Service account) has the "Make requests on
behalf of others" permission at the server level
If you upgraded your TFS from 2013.x to 2015.* and from 2015rtm to
2015.1 and did not uninstall the TFS Aggregator before doing this TFS upgrade the aggregator does not work. Remove the TFS Aggregator from
the TFS 2013 Program Files folder or run the uninstall of the TFS
Aggegrator (backup your policies!). Then re-install the TFS
Aggegrator setup or install manually for TFS 2015 as described here.
Every TFS version has its "own" assembly for the aggregator so it is
important to use the right version against the right TFS.
Today we have installed update 3 to our existing TFS 2015.2 server. The offline installation ran for about an hour and completed succesfully. However when trying to reach the portal site, nothing shows up (well a 404 page shows up actually).
When opening the Team Foundation Server Administration Console, it correctly displays the expected product version: 14.102.25423.0 (Tfs2015.Update3). However when I click on 'Application Tier', it displays the text:
This feature has been installed but needs to be configured. Click on
Configure Installed Features to begin initial configuration.
This same text is shown on many other administrative pages. Is this the cause of the portal missing? When I configure these features again, will it not erase our current team projects, history, build definitions and work items?
Are there any better ways to troubleshoot why the portal is missing?
Thanks in advance for any guidance.
Yes, you are right. After the upgrade, the configuration is needed to make sure the normal operation of TFS server. It will not erase your current team projects, history, build definitions and work items. There are just some settings will not effect your Database. Certainly, it's also important to keep good backup habits. After all, we didn't have a foolproof thing in the world.
After you upgrade TFS to 2015, each team project may need to be
configured to use some of the new features in TFS 2015. You don't have
to do this immediately, but those features aren't available in that
team project until they're configured. Depending on the team project,
you'll use some combination of the Configure Features wizard that
appears on the Work page and some manual configuration.
Source Link: Upgrade your deployment to the latest version of TFS
For your situation, there maybe some other error cause it. However, still suggest you to finish the configuration first. If it's still not work, then you can try below ways to narrow down the issue:
Check the Event View in the server to see whether there are some
related info
Check the configuration logs (Team Foundation Server Administration
Console-Logs or browser the folder in the server
C:\ProgramData\Microsoft\Team Foundation\Server Configuration\Logs)
I have set up security in TFS 2012 Team Projects. There is one user who can see parts of a Team Project (certain branches) that he otherwise should not see. I have checked the branch security as well and can't find anywhere why that user should have access to it. It also shows a weird plus sign in front of that Team Project for that user only where he can only see some branches and not the full team project.
figured it out. apparently user had checked out some files before we restricted the permissions and therefore once the user checked in their changes, they could not see these projects anymore.