Develop Reference

TFS build failing because of registry access is not allowed

I am configuring New bulid server I am having TFS 2013. I am an admin on the build server and the account which is used for configuring build server is also a admin on build server.
I am able to access my TFS and able to Checkin code as well from build server.
I don't know what access rights I have to give to my user or to the account used for configuring build server.
Exception Message: Requested registry access is not allowed. (type SecurityException)
Exception Stack Trace:
Server stack trace:
at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)
at Microsoft.TeamFoundation.Common.Internal.TeamFoundationEnvironment.OpenOrCreateRootUserRegistryKey()
at Microsoft.TeamFoundation.VersionControl.Client.Workstation.get_AttemptToAutoResolveConflicts()
at Microsoft.TeamFoundation.VersionControl.Client.Client.Get(Workspace workspace, GetRequest[] requests, GetOptions options, GetFilterCallback filterCallback, Object userData, String[] itemAttributeFilters, String[] itemPropertyFilters, Boolean alwaysQueryConflicts, Conflict[]& conflicts, Int32 operationId)
at Microsoft.TeamFoundation.VersionControl.Client.Workspace.Get(GetRequest[] requests, GetOptions options, GetFilterCallback filterCallback, Object userData, String[] itemAttributeFilters, String[] itemPropertyFilters, Boolean alwaysQueryConflicts, Conflict[]& conflicts)
at Microsoft.TeamFoundation.VersionControl.Client.Workspace.Get(GetRequest[] requests, GetOptions options, GetFilterCallback filterCallback, Object userData)
at Microsoft.TeamFoundation.Build.Workflow.Activities.TfGet.TfGetCore.RunCommand(VersionControlScope versionControlScope, Workspace workspace, String getting, String nonFatalError, String version, String fileSpec, GetOptions options, RecursionType recursion)
at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Object[]& outArgs)
at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.EndInvokeHelper(Message reqMsg, Boolean bProxyCase)
at System.Runtime.Remoting.Proxies.RemotingProxy.Invoke(Object NotUsed, MessageData& msgData)
at System.Func`9.EndInvoke(IAsyncResult result)
at Microsoft.TeamFoundation.Build.Workflow.Activities.TfGet.TfGetCore.EndExecute(AsyncCodeActivityContext context, IAsyncResult result)
at System.Activities.AsyncCodeActivity`1.System.Activities.IAsyncCodeActivity.FinishExecution(AsyncCodeActivityContext context, IAsyncResult result)
at System.Activities.AsyncCodeActivity.CompleteAsyncCodeActivityData.CompleteAsyncCodeActivityWorkItem.Execute(ActivityExecutor executor, BookmarkManager bookmarkManager)

The service account configured for the build service needs the rights. The TFS service and the build service may or may not be configured to run under the same account. Your personal account is not part of this equation.

MSDN outlines the permissions required for each service account here https://msdn.microsoft.com/en-us/library/ms253149(v=vs.120).aspx Look at the entry for TFSBuild
The setup is also outlined in https://msdn.microsoft.com/en-gb/library/ms181712(v=vs.120).aspx and explains how to pick what type of account you should choose when setting up your build server

How to use cached ticket with KerberosRestTemplate?

I want to implement integration test for my spring security kerberos authentication.
There is KerberosRestTemplate (reference) for this purpose. KerberosRestTemplate has got a default constructor with description "Leave keyTabLocation and userPrincipal empty if you want to use cached ticket".
For research i wrote a trivial class:
public static void main(String[] args) {
KerberosRestTemplate krt = new KerberosRestTemplate();
String result = krt.getForObject("http://testserver.testad.local:8080/", String.class);
System.out.println(result);
}
When i run it, exception has thrown:
Exception in thread "main" org.springframework.web.client.RestClientException: Error running rest call; nested exception is java.lang.IllegalArgumentException: Null name not allowed
at org.springframework.security.kerberos.client.KerberosRestTemplate.doExecute(KerberosRestT
emplate.java:196)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:530)
at org.springframework.web.client.RestTemplate.getForObject(RestTemplate.java:237)
at edu.mezlogo.Application.main(Application.java:9)
Caused by: java.lang.IllegalArgumentException: Null name not allowed
at sun.security.krb5.PrincipalName.<init>(Unknown Source)
at sun.security.krb5.PrincipalName.<init>(Unknown Source)
at javax.security.auth.kerberos.KerberosPrincipal.<init>(Unknown Source)
at javax.security.auth.kerberos.KerberosPrincipal.<init>(Unknown Source)
at org.springframework.security.kerberos.client.KerberosRestTemplate.doExecute(KerberosRestT
emplate.java:182)
... 3 more
My klist contain correct cached ticket, for my service.
#2> Client: deniz # TESTAD.LOCAL
Server: HTTP/testserver.testad.local # TESTAD.LOCAL
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 2/5/2016 6:17:39 (local)
End Time: 2/5/2016 16:16:32 (local)
Renew Time: 2/12/2016 6:16:32 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
And my browser (firefox) has successful authenticated with kerberos sso.
I use Windows server 2012. And Windows 7 as client.
How to use cached ticket? (And does ktpass can generate client keytab?)
P.s. sorry for my English.

You are checking the Windows credentials cache - while Java is maintaining it's separate. In order to view the Java's credentials cache you should execute the klist command from your JRE/bin folder

System.Net.HttpListenerException: Failed to listen on prefix 'http://localhost:8080

I am running the following code from Scott Allen's ASP.Net Fundamentals course
using System;
using Microsoft.Owin.Hosting;
using Owin;
namespace ConsoleApplication1
{
class Program
{
static void Main(string[] args)
{
string uri = "http://localhost:8080";
using (WebApp.Start<Startup>(uri))
{
Console.WriteLine("Started!");
Console.ReadKey();
Console.WriteLine("Stopping!");
}
}
}
public class Startup
{
public void Configuration(IAppBuilder app)
{
app.UseWelcomePage();
//app.Run(
// ctx => ctx.Response.WriteAsync("Hello Owin!"));
}
}
}
However when I run the console app I get a message
Unhandled Exception: System.Reflection.TargetInvocationException: Exception has
been thrown by the target of an invocation. ---> System.Net.HttpListenerExceptio
n: Failed to listen on prefix 'http://localhost:8080/' because it conflicts with
an existing registration on the machine.
at System.Net.HttpListener.AddAllPrefixes()
at System.Net.HttpListener.Start()
at Microsoft.Owin.Host.HttpListener.OwinHttpListener.Start(HttpListener liste
ner, Func`2 appFunc, IList`1 addresses, IDictionary`2 capabilities, Func`2 logge
rFactory)
at Microsoft.Owin.Host.HttpListener.OwinServerFactory.Create(Func`2 app, IDic
tionary`2 properties)
--- End of inner exception stack trace ---
at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments,
Signature sig, Boolean constructor)
at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Objec
t[] parameters, Object[] arguments)
at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invoke
Attr, Binder binder, Object[] parameters, CultureInfo culture)
at Microsoft.Owin.Hosting.ServerFactory.ServerFactoryAdapter.Create(IAppBuild
er builder)
at Microsoft.Owin.Hosting.Engine.HostingEngine.StartServer(StartContext conte
xt)
at Microsoft.Owin.Hosting.Engine.HostingEngine.Start(StartContext context)
at Microsoft.Owin.Hosting.Starter.DirectHostingStarter.Start(StartOptions opt
ions)
at Microsoft.Owin.Hosting.Starter.HostingStarter.Start(StartOptions options)
at Microsoft.Owin.Hosting.WebApp.StartImplementation(IServiceProvider service
s, StartOptions options)
at Microsoft.Owin.Hosting.WebApp.Start(StartOptions options)
at Microsoft.Owin.Hosting.WebApp.Start[TStartup](StartOptions options)
at Microsoft.Owin.Hosting.WebApp.Start[TStartup](String url)
at ConsoleApplication1.Program.Main(String[] args) in e:\EShared\Dev2015\WebA
ppScottAllen\ConsoleApplication1\ConsoleApplication1\Program.cs:line 12
Press any key to continue . . .
I ran the Resource Monitor from the Task Manager Performance Tab and can see that there are 2 entries on Listening Ports for 8080.
Both have Image=System, PID=4, IPv6 unspecified, Protocol TCP, Firewall Status Not allowed, not restricted
I am new to Listening Ports, how do I get the code working?

When faced with error: "Failed to listen on prefix 'http://someURL:somePortNo/' because it conflicts with an existing registration on the machine." It is not really necessary that there is an application actively listening on that port - thus output of Netstat -abno may not always help. If the already registered application is running it can help you narrow down to which application is causing the issue by looking at the info Netstat provides.
However, you will get this error even after the application in question is stopped since the error indicates a registration. The correct diagnostic command therefore is:
netsh http show urlacl
We need to examine the output and check whether any of the listed reserved URLs is configured to listen on the specific port your application is trying to use. You need to note the value of the "Reserved URL" field for that specific application. You will need it later for deleting the registration which is causing the error.
Uninstalling that specific application - assuming their uninstall procedure does include an un-registration - may resolve the problem. Alternatively you could take a more direct and precise approach of using the command for deleting a URL reservation:
(Note that if the conflict is legitimate, it may be better to reconfigure your application to listen on a different port instead.)
netsh http delete urlacl url=<value of "Reserved URL" in the output of netsh http show urlacl>
When the command works you will see output: URL reservation successfully deleted.
Upon running netsh http show urlacl a second time you will now see that the url registration is indeed gone. And now running your application should not result in the error you were seeing earlier.

I was able to solve the problem by uninstalling several programs.
Unfortunately I did not test after each, so I don't know which one it was.
They included Dropbox, Goto Assist, Goto Meeting and a winforms application

I had the same issue, and it was a silly fix. I had other console apps open that was using the same port number, so after I have closed all the console apps, I was able to run and did not get this error.

I had the same error in Visual Studio which was kind enough to tell me which port was wrong. I then ran this command in an Administrator Command Prompt:
netsh http delete urlacl url=http://+:44308/
Note : It is important to remember to final slash. Otherwise you will get an error.

TF270016 Error publishing access denied even with correct permissions on drop folder TFS 2013

I am having trouble solving an access denied problem. I've gone through so many posts trying to find a solution and just can't seem to figure out what is going on. I am new to setting up a build server, but I dug through as many sites and instructions as I could to try to understand how to do it. We are using TFS 2013 Express. I installed the Build server components, setting up a Build Controller and a Build agent. Originally I used the default Network Service account but when I ran into some issues, I decided to set up a domain user account for the build service. I removed the controller and then recreated a new controller and agent using the domain user account.
When I try to build a project--my first build definition--I get the following error:
Exception Message: TF270016: An error occurred publishing log files
from 'C:\Builds\5\XYZ\Client\src\DEV\XYZ.log' to
'\myserver\Builds\Client\Client_20141212.4\logs'. Details: Access
to the path '\myserver\Builds\Client\Client_20141212.4\logs' is
denied. (type PublishLogFileException) Exception Stack Trace: at
System.Activities.Statements.Throw.Execute(CodeActivityContext
context) at
System.Activities.CodeActivity.InternalExecute(ActivityInstance
instance, ActivityExecutor executor, BookmarkManager bookmarkManager)
at
System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor
executor, BookmarkManager bookmarkManager, Location resultLocation)
Inner Exception Details:
Exception Message: Access to the path
'\myserver\Builds\Client\Client_20141212.4\logs' is denied. (type
UnauthorizedAccessException) Exception Stack Trace: at
System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.Directory.InternalCreateDirectory(String fullPath, String
path, Object dirSecurityObj, Boolean checkHost) at
System.IO.Directory.InternalCreateDirectoryHelper(String path, Boolean
checkHost) at
Microsoft.TeamFoundation.Common.FileSpec.CopyFile(String oldPath,
String newPath, Boolean overwriteExisting) at
Microsoft.TeamFoundation.Build.Workflow.Activities.WindowsDropProvider.CopyDirectory(String
sourceDirectory, String targetDirectory) at
Microsoft.TeamFoundation.Build.Workflow.Activities.WindowsDropProvider.CopyDirectory(String
sourceDirectory, String targetDirectory, String[] renameIfExists)
at
Microsoft.TeamFoundation.Build.Workflow.Activities.PublishLogFile.Execute(CodeActivityContext
context)
I know that it appears evident that it's a permissions issue. However, I have verified that the user account I have set up my build service to use has permissions to the \myserver\Builds share. I can log in as that user, connect to the share, and create, edit and delete files. So I'm just not sure what I'm missing here or why I'm still getting the access denied error.
I'd love some feedback other than the typical 'you just need to give permissions to your drop folder to your build service account'.

I just went through this with a customer. The solution in my case was that the build drop location can't be a friendly DNS name.
For example, our server's name was GXDPLTFSBLD1P. We set up a DNS alias for the server to "tfsbuild".
When the build drop location in the build definition was set to \\tfsbuild\drops, we got that error.
When we changed it to \\GXDPLTFSBLD1P\drops, it went away.

How to configure libgit2 in TFS Build with private repositories?

I am currently using TFS 2013 (local installation) to try to build from an internal GitHub Enterprise installation using LDAP Authentication.
The problem I am getting is that it cannot access the source code, how can I configure TFS Build to use a specific authentication?
From the TFS Build Log
Exception Message: An error was raised by libgit2. Category = Net (Error).
VS30063: You are not authorized to access https://user:password#githubrepository.corp.company.net. (type LibGit2SharpException)
Exception Data Dictionary:
libgit2.code = -1
libgit2.category = 11
Exception Stack Trace:
Server stack trace:
at LibGit2Sharp.Core.Ensure.HandleError(Int32 result)
at LibGit2Sharp.Core.Proxy.git_clone(String url, String workdir, GitCloneOptions opts)
at LibGit2Sharp.Repository.Clone(String sourceUrl, String workdirPath, Boolean bare, Boolean checkout, TransferProgressHandler onTransferProgress, CheckoutProgressHandler onCheckoutProgress, Credentials credentials)
at Microsoft.TeamFoundation.Build.Activities.Git.GitPull.GitClone.GetRepository(String repositoryUrl, String workingFolder)
at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Object[]& outArgs)
at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.EndInvokeHelper(Message reqMsg, Boolean bProxyCase)
at System.Runtime.Remoting.Proxies.RemotingProxy.Invoke(Object NotUsed, MessageData& msgData)
at System.Func3.EndInvoke(IAsyncResult result)
at Microsoft.TeamFoundation.Build.Activities.Git.GitPull.GitRepositoryBase.EndExecute(AsyncCodeActivityContext context, IAsyncResult result)
at System.Activities.AsyncCodeActivity1.System.Activities.IAsyncCodeActivity.FinishExecution(AsyncCodeActivityContext context, IAsyncResult result)
at System.Activities.AsyncCodeActivity.CompleteAsyncCodeActivityData.CompleteAsyncCodeActivityWorkItem.Execute(ActivityExecutor executor, BookmarkManager bookmarkManager)
Follow up
I have tried the URL params for authentication (example)
https://username:password#domain.com/user/project.git
More Follow up
Completely uninstalled and update to the 2013 RC, error message has been updated as well, as it is different.
I have also tried setting up the build controller to run as an authenticated LDAP user in the github enterprise installation.

Libgit2 does support the url credentials, however TFS build activities for GitPull overrides the default behavior with a Microsoft.TeamFoundation.Build.Activities.Git.TfsSmartSubtransport class for the http and https protocol.
This class unfortunately ignores credentials in the URL and instead tries to retrieve credentials from the registry.
I was able to successfully get a TFS build server to pull source code from a gitlab server using TFS build with the default GitTemplate.12.xaml workflow.
Setup the TFS build's repository URL without any credentials in the URL.
Encrypted your credential's password with the following bit of code. This needs to get run on the build server as the encryption process is specific to the local machine it's executed on.
var password = "your_password";
var bytes = Encoding.Unicode.GetBytes(password);
var bytes2 = ProtectedData.Protect(bytes, null, DataProtectionScope.LocalMachine);
var base64 = Convert.ToBase64String(bytes2);
Add the following registry settings to your build server.
NOTE: The URL in the registry must exactly match the absolute URL of your repository or TFS won't find the credentials.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TeamFoundationServer\12.0\HostedServiceAccounts\Build\http://githubrepository.corp.company.net]
"Microsoft_TFS_UserName"="<username goes here>"
"Microsoft_TFS_Password"="<bas64 encrypted password goes here>"
"Microsoft_TFS_CredentialsType"="Windows"
The only other alternatives to this approach that I could think of is to modify the default workflow and replace the GitPull activity with something else.
I'm not suggesting that this is the best method, but it worked for me.

That's odd. It looks like the HTTP transport should honor url-encoded credentials.
In any case, it might be better and safer to set up the remote to get the credentials from elsewhere. The clone code is a good example of how to do this: here's how to set up the callback, and here's an example of how to generate the credential object.