I'm having troubles trying to add Azure Resource Manager Service Endpoint in TFS 2017. When i enter the required data and click on "Verify Connection" I can see the verified
when I click OK button , I get the following error
Does anyone have any idea how to fix it?
First double check if you have followed below tutorials to create this service Endpoint:
How to Setup an Azure Resource Manager Endpoint
Creating an Azure Resource Manager Service Endpoint
Such as make sure you have gave the service principal access to create resources in your subscription.
Click Browse and select Subscriptions
Select the subscription you are using
Click the Access button
Click Add
Select Contributor as the roll
Search and select the name of the application you just created
Click OK to grant the service principal access to your subscription
For more troubleshooting, please take a look at this link-- How to: Troubleshoot Azure Resource Manager service endpoints
Update from OP
Issue fixed by Upgrade to TFS2017 update1.
Related
I am running Azure DevOps Server 2019 cu7. When I click on the Access Levels link at the Project Collection level, I get a page not found error for ../_admin/_licenses. I then upgraded my development farm to ADO Server 2020, and still have the same issue.
The app pool accounts are both System and I have added the System account to the iis_iusrs group.
Also, i get a page not found error when trying to hit the/_api/licenses/export api to try to get around the page not found error when using a browser.
It seems that you do not have the permission Edit Instance-level information
Steps:
Open Azure DevOps Server Administration Console->click the option Application Tier->click the button Administer Security->select [Team Foundation]\Team Foundation Valid Users and ensure the permission Edit instance-level information is set the allow. Then we could check the Access Levels page.
Result:
The permission is set to Deny
The permission is set to Allow
We recently ungraded and moved TFS from 2013 update 4 to TFS 2015 Update 1. When trying to create a new Team Project we keep getting the error below. Any help would be greatly appreciated.
Error
TF30170: The plugin Microsoft.ProjectCreationWizard.Reporting failed
during task Populate Reports from group Reporting.
Explanation
Plugin error text: “TF249061: You cannot access the
following report item: /Tfs2010OlapReportDS. Access was denied because
your account does not have one or more permissions required to access
this item.”
User Action
Contact your Team Foundation Server administrator.
The issue turned out to be that the current service account had access to all the data sets except for Tfs2010OlapReportDS. To grant access to that I had to log into the report manager and grant access to service account using the old service account that was used on the previous installation of TFS.
I'm trying to setup a TFS Build service but the config wizard keeps bombing out on Edit collection-level information permissions, which I have set as required.
There isn't much background information for this, its a new 2003 virtual sever with nothing but TFS build service installed. The only other Warning I get is about no firewall being installed so I cant see that interfering. The section of interest in the log is below.
Verify: Verify that the running account has the required Team Foundation Server permissions(TBRUNNINACOUNT): Starting Verification
TF279000: User domain\user.name does not have permission to add members to the Build Services group. To perform this action, the user must have the 'Edit collection-level information' permission set to Allow.
!Verify Error!: TF279000: User domain\user.name does not have permission to add members to the Build Services group. To perform this action, the user must have the 'Edit collection-level information' permission set to Allow.
"Verify: Verify that the running account has the required Team Foundation Server permissions(TBRUNNINACOUNT): Exiting Verification with state Completed and result Error"
!Verify Result!: 1 Completed, 0 Skipped: 0 Success, 1 Errors, 0 Warnings
Any help is greatly appreciated, I have no idea where to go from here.
Thanks, Tom.
I'm not sure why your Build should edit something on Collection level, but what should solve the problem is to add the permission to the "Project Collection Build Service Accounts". I expect that TBRUNNINACOUNT is member of this group, otherwise the build might fail.
To set the persmission do the following steps:
Open Team Explorer
connect to the TeamProjectCollection the build service should be used for
Right click on the root to get the context menu
choose "Team Project Collection Settings -> Security"
select the "Project Collection Build Service Accounts"
set 'Edit collection-level information' permission
Close dialogs by using ok
Now the account has the needed permission and the wizard should run through that point.
I had the same issue as basically I was picking up from where Tom left off.
On the TFS Server used for the source control I added my AD user account to the Project Collection Build Administrators group and it worked.
Experienced a very strange problem today on our TFS2010 build server. Suddenly the build service failed for no apparent reason. We´re been trouble shooting it all day, but still haven´t found the reason yet.
One of the problems is that the build service is (or should!) running under an AD user called tfs2010build. However when I try to start the service, i get the following error
Service cannot be started. Microsoft.TeamFoundation.TeamFoundationServerUnauthorizedException: TF30063: You are not authorized to access http://tfs2010:8080/tfs/default. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
When I look in the event log on the TFS2010 server, I see that the failed authentication is registered for a user called TFS2010Install, which was used to install everything. I´ve tripple checked and the service is specified as to be running under TFS2010Build.
Log from TFS2010 server:
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: TFS2010INSTALL
Account Domain: LC
So my question is how is this possible. COuld the user TFS2010Build some how be impersonated by TFS2010Install? I
ve tried to install an additional build server and here there´s no problem starting the service under the user TFS2010Build - hence it is not a problem with AD or TFS user rights.
Hope you guys can help out!
/Jasper
!! Updated with some screen shots. Build server is TFS2010BIULD and the TFS server is TFS2010
Link to full size
Screen shot of non working build server TFS2010Build
Screen shot of working build server TFS2010Build1
!!New Update
I've managed to get the Build service to run under the TFS2010Build user account (which was actually the initial state, when the problem started). When I queue builds to this controller and agent, i get the follwing in the build log:
TF215097: An error occurred while initializing a build for build definition \PlanteIT_MarkOnline_Scrum\CI_Main_FieldOnlineClient: TF215106: Access denied. LC\TFS2010INSTALL needs Update build information permissions for build definition CI_Main_FieldOnlineClient in team project PlanteIT_MarkOnline_Scrum to perform the action. For more information, contact the Team Foundation Server administrator.
It still insist that TFS2010Install user account is running the service, despite that TFS2010Build is used for the build service. Any ideas?
This is a stab in the dark, can you try clear the TFS client cache and your internet cache on your troubled build machine under the Tfs2010Build account? I've never seen this issue before but maybe some stale cached TfsProjectCollection object with TFS2010Install authentication stayed around and caused problems.
Have you also tried reconfigure your build machine?
To unconfigure:
tfsconfig.exe setup /uninstall:TeamBuild
and reconfigure through the wizard.
I will try once more ..., step by step :-)
FACT: When you register your build controller to a TFS project collection, being logged-in as TFS2010Build, an authentication dialog pops-up. This means that the TFS server does not accept TFS2010Build as an account that can be used to connect to your default collection on the TFS server.
FACT: When you register your build controller to a TFS project collection, being logged-in as TFS2010Install, no authentication dialog pops-up. This means that the TFS server does accept TFS2010Install as an account that can be used to connect to your default collection on the TFS server.
Apparently, because in both 1 and 2 your build controller is registered using the TFS2010Install account to the TFS server, either the controller or the server remembers these credentials and uses them to connect to the TFS server collection when the build controller is started, despite the fact that the service itself is running under the TFS2010Build account. This is a plausible situation and impersonation happens often this way for services. Maybe some TFS techie can either confirm or deny this behavior.
The question that remains for me: Why does the the default collection on the TFS server not accept the TFS2010Build account as a valid administrator?
Potential causes:
Read Jim Lamb's answer.
Something is wrong with the domain registration of the system or user used to connect the controller to the collection on the TFS server.
Fastest way to rid of the problem: Continue to install the secondary server that does not seem to have the problem, potentially experiment with using the TFS2010Build from this secondary server to see if the problem also occurs there.
A long aswer, but hopefully it gives you a big push in the right direction.
Sorry to hear that you're having problems getting this to work. Here are a couple of things you can check/try:
Make sure that the TFS2010Build user account is a member of the "Build Services" group in the TFS project collection you've associated it with.
If you install and configure the build service while logged in as a user who is a member of the Project Collection Administrators group on the associated project collection and is also a member of the local Administrators group on the build machine, all of the requisite permissions and other configuration will generally be set for you.
So, to summarize, the user configuring the build machine should be a member of the project collection administrators group and a member of the local administrators group. And, the user account the build machine is running as should be a member of the project collection's "build services" group.
I'm using a Ruby gem called Savon to interact with SharePoint 2010's UserProfileService Web Service. I'm getting an error: Attempted to perform an unauthorized operation. I used
client.wsse.credentials "username", "password"
to pass my credentials. Anyone know what permissions are needed to use the UserProfileService web service?
In SP 2007, the username/password you use will need to have the "Manage User Profiles" permission set in the Shared Service Provider (SSP). IN SP 2010, I am not sure what the equivalent is since there is no longer an SSP, but an User Profile Service. I am sure there is something similar.
In Manage service applications in Central Admin, click on the User Profile Service then click Permisions in the ribbon add the user with Full Control permissions