I am configuring a new build server; I have TFS 2013. I am an admin on the build server, and the account used for configuring the build server is also an admin on the build server.
I am able to access my TFS and check in code as well from the build server.
I don't know what access rights I have to give to my user or to the account used for configuring the build server.
Exception Message: Requested registry access is not allowed. (type SecurityException)
Exception Stack Trace:
Server stack trace:
at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)
at Microsoft.TeamFoundation.Common.Internal.TeamFoundationEnvironment.OpenOrCreateRootUserRegistryKey()
at Microsoft.TeamFoundation.VersionControl.Client.Workstation.get_AttemptToAutoResolveConflicts()
at Microsoft.TeamFoundation.VersionControl.Client.Client.Get(Workspace workspace, GetRequest[] requests, GetOptions options, GetFilterCallback filterCallback, Object userData, String[] itemAttributeFilters, String[] itemPropertyFilters, Boolean alwaysQueryConflicts, Conflict[]& conflicts, Int32 operationId)
at Microsoft.TeamFoundation.VersionControl.Client.Workspace.Get(GetRequest[] requests, GetOptions options, GetFilterCallback filterCallback, Object userData, String[] itemAttributeFilters, String[] itemPropertyFilters, Boolean alwaysQueryConflicts, Conflict[]& conflicts)
at Microsoft.TeamFoundation.VersionControl.Client.Workspace.Get(GetRequest[] requests, GetOptions options, GetFilterCallback filterCallback, Object userData)
at Microsoft.TeamFoundation.Build.Workflow.Activities.TfGet.TfGetCore.RunCommand(VersionControlScope versionControlScope, Workspace workspace, String getting, String nonFatalError, String version, String fileSpec, GetOptions options, RecursionType recursion)
at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Object[]& outArgs)
at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.EndInvokeHelper(Message reqMsg, Boolean bProxyCase)
at System.Runtime.Remoting.Proxies.RemotingProxy.Invoke(Object NotUsed, MessageData& msgData)
at System.Func`9.EndInvoke(IAsyncResult result)
at Microsoft.TeamFoundation.Build.Workflow.Activities.TfGet.TfGetCore.EndExecute(AsyncCodeActivityContext context, IAsyncResult result)
at System.Activities.AsyncCodeActivity`1.System.Activities.IAsyncCodeActivity.FinishExecution(AsyncCodeActivityContext context, IAsyncResult result)
at System.Activities.AsyncCodeActivity.CompleteAsyncCodeActivityData.CompleteAsyncCodeActivityWorkItem.Execute(ActivityExecutor executor, BookmarkManager bookmarkManager)
The service account configured for the build service needs the rights. The TFS service and the build service may or may not be configured to run under the same account. Your personal account is not part of this equation.
MSDN outlines the permissions required for each service account here: https://msdn.microsoft.com/en-us/library/ms253149(v=vs.120).aspx (look at the entry for TFSBuild).
The setup is also outlined in https://msdn.microsoft.com/en-gb/library/ms181712(v=vs.120).aspx, which explains how to pick what type of account you should choose when setting up your build server.
I have been working on the Release Management client for the last few months. I tried to configure "agentless" deployment using Chef.
I configured all the attributes that were mentioned in the below documentation.
Reference can be found here and here.
After creating the release template, I tried to deploy it on the Chef host, but it throws the following exception:
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.ComponentModel.Win32Exception: Access is denied
at System.Diagnostics.Process.StartWithCreateProcess(ProcessStartInfo startInfo)
at Microsoft.TeamFoundation.Release.CommonConfiguration.Helpers.ProcessHelper.ExecuteProcess(ProcessStartInfo startInfo, String argumentsWithStarsForPassword, Int32 timeoutInMilliseconds, Boolean waitForExit)
at Microsoft.TeamFoundation.Release.CommonConfiguration.Helpers.ProcessHelper.RunProcess(String fileName, String arguments, String workingDirectory, Boolean waitForExit)
at Microsoft.TeamFoundation.Release.MonitorServices.Chef.OnPrem.KnifeInvoker.Invoke(String arguments, String existingLogs)
at Microsoft.TeamFoundation.Release.MonitorServices.Chef.OnPrem.ChefCommands.SetAttribute(ChefDeploymentInfo deploymentInfo)
at Microsoft.TeamFoundation.Release.MonitorServices.Chef.OnPrem.ChefOnPremDeploymentActions.InvokePipeline(ChefDeploymentInfo deploymentInfo)
at Microsoft.TeamFoundation.Release.MonitorServices.Chef.OnPrem.ChefOnPremDeploymentActions.TriggerDeployment(DscComponent dscComponentParameters, String nodeName, String isUnixNode, String userName, String password, String componentName, String attributeName, String knifeInstallationPath, String chefRepoPath)
--- End of inner exception stack trace ---
at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at Microsoft.TeamFoundation.Release.DeploymentAgent.Services.Deployer.Dsc.DscComponentInstaller.InvokeMethodByReflection(String methodArguments)
Can anyone please help me to find out what I missed and what needs to be configured?
I used Unix-based credentials. I checked one step further under Server Manager -> All Servers -> Events page. The error is shown below:
Timestamp: 8/5/2016 1:36:46 PM
Message: Access is denied: \r\n\r\n at System.Diagnostics.Process.StartWithCreateProcess(ProcessStartInfo startInfo)
at Microsoft.TeamFoundation.Release.CommonConfiguration.Helpers.ProcessHelper.ExecuteProcess(ProcessStartInfo startInfo, String argumentsWithStarsForPassword, Int32 timeoutInMilliseconds, Boolean waitForExit)
at Microsoft.TeamFoundation.Release.CommonConfiguration.Helpers.ProcessHelper.RunProcess(String fileName, String arguments, String workingDirectory, Boolean waitForExit)
at Microsoft.TeamFoundation.Release.MonitorServices.Chef.OnPrem.KnifeInvoker.Invoke(String arguments, String existingLogs)
at Microsoft.TeamFoundation.Release.MonitorServices.Chef.OnPrem.ChefCommands.SetAttribute(ChefDeploymentInfo deploymentInfo)
at Microsoft.TeamFoundation.Release.MonitorServices.Chef.OnPrem.ChefOnPremDeploymentActions.InvokePipeline(ChefDeploymentInfo deploymentInfo)
at Microsoft.TeamFoundation.Release.MonitorServices.Chef.OnPrem.ChefOnPremDeploymentActions.TriggerDeployment(DscComponent dscComponentParameters, String nodeName, String isUnixNode, String userName, String password, String componentName, String attributeName, String knifeInstallationPath, String chefRepoPath)
Category: General
Priority: -1
EventId: 0
Severity: Error
Title:
Machine: AMAZONA-U157LUU
Application Domain: ReleaseManagementMonitor.exe
Process Id: 1516
Process Name: C:\Program Files (x86)\Microsoft Visual Studio 14.0\Release Management\bin\ReleaseManagementMonitor.exe
Win32 Thread Id: 4956
Thread Name:
Extended Properties:
The error message indicates an "Access is denied" issue. You need to check whether you have filled in the correct configuration variables, especially Username/Password, in the action "Deploy Using Chef".
Username/Password: Credentials to connect to the node. This should be a user (sudo privileges) with ssh permission for UNIX based systems and a user with winrm permission (or local admin) for WINDOWS based systems.
NodeName: Name of the Chef Node where you want to deploy the application. The parameter passed should match the name of the Server linked in RM Standard environment.
Note: Make sure your node name matches the one in the node input field.
IsUnixNode: Specify type of the machine. In case of UNIX based machines this parameter is set to true.
Username/Password: Credentials to connect to the node. This should be a user (sudo privileges) with ssh permission for UNIX based systems and a user with winrm permission (or local admin) for WINDOWS based systems.
Component Name: Name of the component to be deployed.
Note: Select your appropriate component in your project.
Attribute Name: Name of the Chef node attribute which is used by cookbook(s) to get application package as explained earlier. Nested attributes are supported. The format of this name is: [‘AttributeLevel1’][‘AttributeLevel2’]…
Note: Verify your Chef attribute name and the attribute input field name, e.g. ['test']
KnifeInstallationPath: Absolute path to knife.bat file on Release Management Server
Note: up to your knife.rb file location, e.g. C:\opscode\chefdk\bin\knife.bat
ChefRepoPath: Chef repo directory path on RM server.
Note: up to the folder where knife.rb is located, e.g. C:\Users\Administrator.TFS\.chef
I am developing an asp.net mvc application to extract some data from a TFS server.
Right now I am having problems with authentication on the TFS server. When I run the app from my local machine everything works fine, since it propagates my Windows identity to the server, but when I deploy the app to my IIS8 server it won't work, since there's no user logged on.
I would like to avoid using windows authentication on the IIS8 server, since I do not want to maintain the user control with windows groups. Instead I would like only to authenticate the user on my AD, store the identity info and propagate it to the TFS server, but I am clueless on how to do that.
Can you guys help me out? Right now my asp.net mvc app has no authentication and I get the following message:
[UnauthorizedAccessException: Access to the registry key 'HKEY_CURRENT_USER\Software\Microsoft\VSCommon\12.0\ClientServices\TokenStorage\VisualStudio' is denied.]
Microsoft.Win32.RegistryKey.Win32Error(Int32 errorCode, String str) +4325774
Microsoft.Win32.RegistryKey.CreateSubKeyInternal(String subkey, RegistryKeyPermissionCheck permissionCheck, Object registrySecurityObj, RegistryOptions registryOptions) +10872754
Microsoft.Win32.RegistryKey.CreateSubKey(String subkey, RegistryKeyPermissionCheck permissionCheck, RegistryOptions options) +14
Microsoft.VisualStudio.Services.Common.TokenStorage.RegistryTokenStorageHelper.GetRootKey(String subkeyName) +50
Microsoft.VisualStudio.Services.Common.TokenStorage.RegistryTokenStorage.RetrieveToken(VssTokenKey tokenKey) +57
Microsoft.VisualStudio.Services.Common.TokenStorage.VssTokenStorage.Retrieve(VssTokenKey tokenKey) +15
Microsoft.TeamFoundation.Client.TfsClientCredentialStorage.RetrieveToken(Uri serverUrl, VssCredentialsType credentialType) +58
Microsoft.TeamFoundation.Client.CookieCredential.OnCreateTokenProvider(Uri serverUrl, HttpWebResponse response) +127
Microsoft.TeamFoundation.Client.IssuedTokenCredential.CreateTokenProvider(Uri serverUrl, HttpWebResponse response, IssuedToken failedToken) +45
Microsoft.TeamFoundation.Client.TfsClientCredentials.TryGetTokenProvider(Uri serverUrl, IssuedTokenProvider& provider) +95
Microsoft.TeamFoundation.Client.Channels.TfsHttpRequestHelpers.PrepareWebRequest(HttpWebRequest webRequest, Guid sessionId, String operationName, CultureInfo cultureInfo, TfsRequestSettings settings, TfsClientCredentials credentials, IdentityDescriptor impersonate, IssuedToken& currentToken, IssuedTokenProvider& tokenProvider) +136
Microsoft.TeamFoundation.Client.Channels.TfsHttpRequestHelpers.CreateSoapRequest(Uri requestUri, Guid sessionId, String soapAction, String operationName, CultureInfo cultureInfo, TfsRequestSettings settings, TfsClientCredentials credentials, IdentityDescriptor impersonate, IssuedToken& currentToken, IssuedTokenProvider& tokenProvider) +106
Microsoft.TeamFoundation.Client.Channels.TfsHttpWebRequest.CreateWebRequest() +154
Microsoft.TeamFoundation.Client.Channels.TfsHttpWebRequest.SendRequest() +599
Microsoft.TeamFoundation.Client.Channels.TfsHttpRequestChannel.Request(TfsMessage message, TimeSpan timeout) +243
Microsoft.TeamFoundation.Client.Channels.TfsHttpClientBase.Invoke(TfsClientOperation operation, Object[] parameters, TimeSpan timeout, Object[]& outputs) +91
Microsoft.TeamFoundation.Framework.Client.LocationWebService.Connect(Int32 connectOptions, Int32 lastChangeId, Int32 features) +175
Microsoft.TeamFoundation.Framework.Client.FrameworkServerDataProvider.Connect(ConnectOptions connectOptions) +92
Microsoft.TeamFoundation.Client.TfsConnection.EnsureProviderConnected() +723
Microsoft.TeamFoundation.Client.TfsConnection.EnsureAuthenticated() +25
Your first issue is that you need to make the account that the website is running under an administrator on your web server. Current permissions are not going to cut the mustard.
Additionally, you are going to hit a double-hop authentication issue with Kerberos (security is a pain), and you need to configure an SPN for the account to allow it to proxy Kerberos authentication tokens to the TFS server. Use SetSPN to configure it, and you will likely need the help of a domain admin.
I am having trouble solving an access denied problem. I've gone through so many posts trying to find a solution and just can't seem to figure out what is going on. I am new to setting up a build server, but I dug through as many sites and instructions as I could to try to understand how to do it. We are using TFS 2013 Express. I installed the Build server components, setting up a Build Controller and a Build agent. Originally I used the default Network Service account but when I ran into some issues, I decided to set up a domain user account for the build service. I removed the controller and then recreated a new controller and agent using the domain user account.
When I try to build a project--my first build definition--I get the following error:
Exception Message: TF270016: An error occurred publishing log files from 'C:\Builds\5\XYZ\Client\src\DEV\XYZ.log' to '\\myserver\Builds\Client\Client_20141212.4\logs'. Details: Access to the path '\\myserver\Builds\Client\Client_20141212.4\logs' is denied. (type PublishLogFileException)
Exception Stack Trace:
at System.Activities.Statements.Throw.Execute(CodeActivityContext context)
at System.Activities.CodeActivity.InternalExecute(ActivityInstance instance, ActivityExecutor executor, BookmarkManager bookmarkManager)
at System.Activities.Runtime.ActivityExecutor.ExecuteActivityWorkItem.ExecuteBody(ActivityExecutor executor, BookmarkManager bookmarkManager, Location resultLocation)
Inner Exception Details:
Exception Message: Access to the path '\\myserver\Builds\Client\Client_20141212.4\logs' is denied. (type UnauthorizedAccessException)
Exception Stack Trace:
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.Directory.InternalCreateDirectory(String fullPath, String path, Object dirSecurityObj, Boolean checkHost)
at System.IO.Directory.InternalCreateDirectoryHelper(String path, Boolean checkHost)
at Microsoft.TeamFoundation.Common.FileSpec.CopyFile(String oldPath, String newPath, Boolean overwriteExisting)
at Microsoft.TeamFoundation.Build.Workflow.Activities.WindowsDropProvider.CopyDirectory(String sourceDirectory, String targetDirectory)
at Microsoft.TeamFoundation.Build.Workflow.Activities.WindowsDropProvider.CopyDirectory(String sourceDirectory, String targetDirectory, String[] renameIfExists)
at Microsoft.TeamFoundation.Build.Workflow.Activities.PublishLogFile.Execute(CodeActivityContext context)
I know that it appears evident that it's a permissions issue. However, I have verified that the user account I have set up my build service to use has permissions to the \\myserver\Builds share. I can log in as that user, connect to the share, and create, edit and delete files. So I'm just not sure what I'm missing here or why I'm still getting the access denied error.
I'd love some feedback other than the typical 'you just need to give permissions to your drop folder to your build service account'.
I just went through this with a customer. The solution in my case was that the build drop location can't be a friendly DNS name.
For example, our server's name was GXDPLTFSBLD1P. We set up a DNS alias for the server to "tfsbuild".
When the build drop location in the build definition was set to \\tfsbuild\drops, we got that error.
When we changed it to \\GXDPLTFSBLD1P\drops, it went away.
I am currently using TFS 2013 (local installation) to try to build from an internal GitHub Enterprise installation using LDAP Authentication.
The problem I am getting is that it cannot access the source code. How can I configure TFS Build to use a specific authentication?
From the TFS Build Log:
Exception Message: An error was raised by libgit2. Category = Net (Error).
VS30063: You are not authorized to access https://user:password@githubrepository.corp.company.net. (type LibGit2SharpException)
Exception Data Dictionary:
libgit2.code = -1
libgit2.category = 11
Exception Stack Trace:
Server stack trace:
at LibGit2Sharp.Core.Ensure.HandleError(Int32 result)
at LibGit2Sharp.Core.Proxy.git_clone(String url, String workdir, GitCloneOptions opts)
at LibGit2Sharp.Repository.Clone(String sourceUrl, String workdirPath, Boolean bare, Boolean checkout, TransferProgressHandler onTransferProgress, CheckoutProgressHandler onCheckoutProgress, Credentials credentials)
at Microsoft.TeamFoundation.Build.Activities.Git.GitPull.GitClone.GetRepository(String repositoryUrl, String workingFolder)
at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Object[]& outArgs)
at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.EndInvokeHelper(Message reqMsg, Boolean bProxyCase)
at System.Runtime.Remoting.Proxies.RemotingProxy.Invoke(Object NotUsed, MessageData& msgData)
at System.Func`3.EndInvoke(IAsyncResult result)
at Microsoft.TeamFoundation.Build.Activities.Git.GitPull.GitRepositoryBase.EndExecute(AsyncCodeActivityContext context, IAsyncResult result)
at System.Activities.AsyncCodeActivity`1.System.Activities.IAsyncCodeActivity.FinishExecution(AsyncCodeActivityContext context, IAsyncResult result)
at System.Activities.AsyncCodeActivity.CompleteAsyncCodeActivityData.CompleteAsyncCodeActivityWorkItem.Execute(ActivityExecutor executor, BookmarkManager bookmarkManager)
Follow up
I have tried the URL params for authentication (example)
https://username:password@domain.com/user/project.git
More Follow up
Completely uninstalled and updated to the 2013 RC; the error message has been updated as well, as it is different.
I have also tried setting up the build controller to run as an authenticated LDAP user in the github enterprise installation.
LibGit2 does support URL credentials; however, the TFS build activities for GitPull override the default behavior with a Microsoft.TeamFoundation.Build.Activities.Git.TfsSmartSubtransport class for the http and https protocols.
This class unfortunately ignores credentials in the URL and instead tries to retrieve credentials from the registry.
I was able to successfully get a TFS build server to pull source code from a gitlab server using TFS build with the default GitTemplate.12.xaml workflow.
Set up the TFS build's repository URL without any credentials in the URL.
Encrypt your credential's password with the following bit of code. This needs to be run on the build server, as the encryption process is specific to the local machine it's executed on.
using System;
using System.Security.Cryptography;
using System.Text;
// DPAPI in LocalMachine scope: the result can only be decrypted on this build server
var password = "your_password";
var bytes = Encoding.Unicode.GetBytes(password);
var bytes2 = ProtectedData.Protect(bytes, null, DataProtectionScope.LocalMachine);
var base64 = Convert.ToBase64String(bytes2);
Add the following registry settings to your build server.
NOTE: The URL in the registry must exactly match the absolute URL of your repository or TFS won't find the credentials.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TeamFoundationServer\12.0\HostedServiceAccounts\Build\http://githubrepository.corp.company.net]
"Microsoft_TFS_UserName"="<username goes here>"
"Microsoft_TFS_Password"="<base64 encrypted password goes here>"
"Microsoft_TFS_CredentialsType"="Windows"
The only other alternative to this approach that I could think of is to modify the default workflow and replace the GitPull activity with something else.
I'm not suggesting that this is the best method, but it worked for me.
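As an added example that is not the answerer's code: the same steps as a PowerShell script run elevated on the build server, which DPAPI-protects the password, writes the three values under the key named above, restricts the key's ACL (any local process can decrypt a LocalMachine-scope blob, so who can read the key is what actually limits exposure) and reads the value back to confirm it decrypts. $RepoUrl, $UserName and $BuildServiceAccount are placeholder assumptions.

```powershell
# Added example (not the answerer's code): store the Git credential for TFS 2013's
# GitPull activity the way the answer describes, then lock down the registry key.
# Run in an elevated PowerShell on the build server itself: a DPAPI LocalMachine
# blob can only be decrypted on the machine that produced it.
# Placeholders to replace: $RepoUrl, $UserName, $BuildServiceAccount.
Add-Type -AssemblyName System.Security

$RepoUrl             = 'http://githubrepository.corp.company.net'  # exact absolute repo URL
$UserName            = '<username goes here>'
$BuildServiceAccount = 'DOMAIN\tfsbuild'   # account the build controller/agent runs as
$subKey = "SOFTWARE\Microsoft\TeamFoundationServer\12.0\HostedServiceAccounts\Build\$RepoUrl"

# 1. Take the password without echoing it, then DPAPI-protect the UTF-16 bytes.
$secure = Read-Host -Prompt 'Password for the Git account' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
$bytes  = [Text.Encoding]::Unicode.GetBytes($plain)
$blob   = [Security.Cryptography.ProtectedData]::Protect(
             $bytes, $null, [Security.Cryptography.DataProtectionScope]::LocalMachine)
$base64 = [Convert]::ToBase64String($blob)

# 2. Write the three values. The .NET API is used instead of the HKLM: drive because
#    PowerShell would treat the '/' characters in the URL as path separators.
$key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($subKey)
try {
    $kind = [Microsoft.Win32.RegistryValueKind]::String
    $key.SetValue('Microsoft_TFS_UserName',        $UserName, $kind)
    $key.SetValue('Microsoft_TFS_Password',        $base64,   $kind)
    $key.SetValue('Microsoft_TFS_CredentialsType', 'Windows', $kind)

    # 3. Any local process can call Unprotect on a LocalMachine-scope blob, so the
    #    key ACL is the real access control: drop inherited rules, allow SYSTEM and
    #    Administrators full control, and give the build service account read-only.
    $acl = $key.GetAccessControl()
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @(
        New-Object System.Security.AccessControl.RegistryAccessRule('NT AUTHORITY\SYSTEM',   'FullControl', 'Allow'),
        New-Object System.Security.AccessControl.RegistryAccessRule('BUILTIN\Administrators', 'FullControl', 'Allow'),
        New-Object System.Security.AccessControl.RegistryAccessRule($BuildServiceAccount,     'ReadKey',     'Allow'))) {
        $acl.AddAccessRule($rule)
    }
    $key.SetAccessControl($acl)
} finally { $key.Close() }

# 4. Round-trip check: read the stored value back and confirm it decrypts here.
$check  = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey)
$stored = [Convert]::FromBase64String($check.GetValue('Microsoft_TFS_Password'))
$check.Close()
$roundTrip = [Text.Encoding]::Unicode.GetString(
    [Security.Cryptography.ProtectedData]::Unprotect(
        $stored, $null, [Security.Cryptography.DataProtectionScope]::LocalMachine))
if ($roundTrip -ceq $plain) { Write-Host "Credential stored for $RepoUrl and verified." }
else { Write-Warning 'Stored value did not decrypt to the entered password.' }

[Array]::Clear($bytes, 0, $bytes.Length)      # scrub the plaintext byte copy
Remove-Variable plain, roundTrip, secure
```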
That's odd. It looks like the HTTP transport should honor url-encoded credentials.
In any case, it might be better and safer to set up the remote to get the credentials from elsewhere. The clone code is a good example of how to do this: here's how to set up the callback, and here's an example of how to generate the credential object.
Upgrading our TFS 2010 to TFS 2012, I get this error on one of the collections:
[Error] Sync error for identity: System.Security.Principal.WindowsIdentity, S-1-5-21-xxxxxxx - No mapping between account names and security IDs was done
The upgrade fails. Re-running the servicing job from the admin console causes the same error.
I looked in the database, and there is an entry in ADObjects where both SamAccountName and ObjectSID have that SID. It looks like an account from an old domain. fDeleted is 1.
How do I clean this up so I can upgrade?
Added information (from the SQL trace):
declare @p3 dbo.typ_ServicingStepDetail2
insert into @p3 values(1,'ToDev11Beta1FinalConfiguration','BuildToDev11Beta1FinalConfiguration','Grant Administer Build Permissions to Project Administrators','2013-04-12 14:17:55.617',NULL,0,N'Microsoft.TeamFoundation.Framework.Server.IdentitySyncException: Sync error for identity: System.Security.Principal.WindowsIdentity, S-1-5-21-xxxxx - No mapping between account names and security IDs was done
at Microsoft.TeamFoundation.Framework.Server.TeamFoundationIdentityService.TryReadIdentityFromSourceInternal(TeamFoundationRequestContext requestContext, IdentityDescriptor descriptor, Boolean withDirectMembership, TeamFoundationIdentity& identity)
at Microsoft.TeamFoundation.Framework.Server.TeamFoundationIdentityService.AddMemberToApplicationGroup(TeamFoundationRequestContext requestContext, IdentityDescriptor groupDescriptor, IdentityDescriptor memberDescriptor, Boolean errorOnDuplicate, Boolean logSync, Boolean ensureKnown)
at Microsoft.TeamFoundation.Framework.Server.TeamFoundationIdentityService.EnsureIsMember(TeamFoundationRequestContext requestContext, IdentityDescriptor groupDescriptor, IdentityDescriptor descriptor)
at Microsoft.TeamFoundation.Framework.Server.TeamFoundationSecurityNamespace.EnsureIdentityIsKnownInternal(TeamFoundationRequestContext requestContext, IdentityDescriptor identity, Boolean throwOnFailure)
at Microsoft.TeamFoundation.Framework.Server.TeamFoundationSecurityNamespace.SetAccessControlEntries(TeamFoundationRequestContext requestContext, String token, IEnumerable`1 accessControlEntries, Boolean merge, Boolean throwOnInvalidIdentity)
at Microsoft.TeamFoundation.Framework.Server.TeamFoundationSecurityNamespace.SetAccessControlEntries(TeamFoundationRequestContext requestContext, String token, IEnumerable`1 accessControlEntries, Boolean merge)
at Microsoft.TeamFoundation.Server.Servicing.TFCollection.BuildStepPerformer.GrantAdministerPermissionsToProjectAdmins(TeamFoundationRequestContext requestContext, ServicingContext servicingContext)
at Microsoft.TeamFoundation.Framework.Server.TeamFoundationStepPerformerBase.Microsoft.TeamFoundation.Framework.Server.IStepPerformer.PerformStep(String servicingOperation, String stepType, String stepData, ServicingContext servicingContext)
at Microsoft.TeamFoundation.Framework.Server.ServicingStepDriver.PerformServicingStep(ServicingStep step, ServicingContext servicingContext, ServicingStepGroup group, ServicingOperation servicingOperation, Int32 stepNumber, Int32 totalSteps)')
insert into @p3 values(2,'ToDev11Beta1FinalConfiguration','BuildToDev11Beta1FinalConfiguration','Grant Administer Build Permissions to Project Administrators','2013-04-12 14:17:55.617',5,NULL,NULL)
exec prc_AddServicingStepDetails @jobId='xxx',@queueTime='2013-04-12 14:17:50.840',@stepDetails=@p3,@hostId='xxx',@completedStepCount=419
So it looks like I might have a project administrator who doesn't exist anymore. Any thoughts on how to remove that membership manually?
Okay, I got the upgrade to complete by doing the following.
THIS IS EXTREMELY FILTHY AND DANGEROUS. DO NOT TRY WITHOUT A GOOD BACKUP. YOUR WARRANTY HAS ALREADY EXPIRED. THIS VERY WELL MIGHT NOT WORK FOR YOU. IT MIGHT BREAK YOUR ENTIRE TFS SETUP AND GIVE DISEASES TO YOUR PUPPY.
Anyway.
Open SQL Server Management Studio. Punch up a new query window for the project collection that won't upgrade (usually Tfs_NameOfCollectionThatWontUpgrade). Execute this command:
Select TeamFoundationId From ADObjects
Where ObjectSID='S-1-xxxx'
(Obviously, insert the proper SID from your error message.)
This will give you the internal GUID for the identity that is causing the problem. The step my upgrade failed on was giving Build Administrator rights to Project Administrators, and whoop-dee-doo, I can do that myself.
Now nuke the Active Directory link from orbit (you do have that GUID copied, right?)
Delete From ADObjects
Where ObjectSID='S-1-xxxxx'
(Obviously, insert the proper SID from your error message. Also note that this step might not be strictly necessary, but it is one I performed and I'll be damned if I roll back to see if you can do without it.)
Ah, gotta love chain-saw surgery. More to do. Let's remove this identity from all groups. NOTE: if you do this to your only administrator account, you're likely to shut yourself out of the collection and/or the projects within. You have been warned.
Switch to the configuration database (usually Tfs_Configuration) and execute
Delete From tbl_GroupMembership
Where MemberId='The GUID you remembered'
At this point, the user is no longer a member of anything and the upgrade should complete. Everything should be there: builds, work items and source.
I had a very similar issue (almost identical) when my TFS Server was using TFS 2012 Update 1. I also came up with this hack in order to resolve it. When I had a TFS Server running TFS 2012 RTM or TFS 2012 Update 2 I didn't encounter the issue.
Here is a link to that thread:
http://social.msdn.microsoft.com/Forums/en-US/tfsadmin/thread/238cad96-8e74-4f14-869a-3bb5e0629fd7