Link or alias user account in Jenkins to TFS user account - jenkins

Jenkin shows two accounts for the same person, one from Active Directory and one from Team Foundation Server (TFS).
When I checkin code, a build is triggered (in this case Main - Build config) and the changes show user windows live id_steven#example.com with email address Windows Live ID\steven#example.com
When I click Build Now in Jenkins, it shows the changes came from user ssteven with email address Steven#Example.com
How can I link these two accounts since they are both the same person?

It should be possible with the Additional Identities Plugin to merge accounts by matching various properties, e.g. TFS account ID.
However, this may not work in all cases and is generally a long-outstanding issue in Jenkins:
https://issues.jenkins-ci.org/browse/JENKINS-10258

Related

TF246017: team foundation server could not connect to the database after change Domain Account password

I need your help if possible in order to resolve the issue mentioned in message subject. I have a TFS installation in two servers: one for application and another for database both on AD Domain. For security reasons I need to change the domain user account password used for this application (the user account is the AD Domain Administrator).
I changed the password from Windows AD users and computers console and after that when I tried to access to TFS (http://servername:port/tfs) I received the TF246017 error. I restored the old password for the account and TFS started to work again.
I saw that this domain user account figures in TFS Admin console, under application tier and there is an option to upgrade the password of service Account. My questions are if it is necessary to run password upgrade from there in addition to doing it from the administrator of AD users and groups option and if there is/are another option/s that I should take into account to modify the password for this user account.
Thank you in advance for your attention and your help.
Best Regards.
The error info and root cause is very clearly. You need to update the password of your corresponding account.
There are two ways to achieve the account password update:
To use the administration console to change the password
To use the TFSConfig utility to change the password:
To avoid TF246017 Error occur again, I would recommend you use the same user credential for SQL Server and TFS server. Ex: domainname/tfs is local admin to the server, sysadmin in SQL Server DB and also admin user to TFS server.
You could also check the Event log. The Windows Event Log is a good candidate where to look for the potential cause.
You need to use tfsconfig on the app tier server.
Something like tfsconfig accounts /updatepassword /account:[account name] /password:[password] should do the trick.
See also: https://learn.microsoft.com/en-us/vsts/tfs-server/admin/change-service-account-password?view=tfs-2015

Granting ManageBuildResources permission to a TFS user

so this is the issue:
I have a TFS 2012 installed on a server A and I want to install a TFS Build Service on server B. The TFS on server A has a DefaultCollection which I want to link it to a Team Build. When I try to configure the build server it shows a failure message: User1 needs "ManageBuildResources" permission set to allowed. User1 is NOT in any group, its a single lonely user, then I ask a coworker about the permissions. Now in the security settings of Team Explorer it shows that User1 has "ManageBuildResources" set to allowed on DefaultCollection. Still, when I try to configure it, it shows again the same failure message.
So I read in the Microsoft website that User1 must be in Project Collection Administrators group in order to configure a build server, do I need to make User1 a member of this group, even if User1 has all the privileges? Because I don't understand why it shows that User1 doesn't have privileges.
Thanks in advance!
Yes, you currently need to make a user part of Project Collection Administrators in order to be able to add a build server to your collection.

Which account should a TFS Build Agent service run under?

Background information
I need our TFS build agents to run under a specific account so that our ClickOnce certificates are authorised.
However if I run under the account X, which also is the user account of the build controller that has the correct certificates. I get the error: "Source is already in use". Even if I restart the service and/or the virtual machine.
Originally rightly/wrongly our build agents were running under the Network Service account, however this account cannot verify the certificates.
Using the Local System account does not give access to the build controller from a developer box.
So I guess my question is: What account should the service 'Visual Studio Team Foundation Build Service Host' run under?
It turned out that the account X was the correct choice (our build controller user account, that has few privileges).
It was that the account needed adding to the builders group TFS Admin.
My personal suggestion would be: a specifically-created, minimum-privelige account that is only authorised as far as is necessary to build the code on your build machines, and no more.
I'm not aware of any restriction around the user for the build agent vs the build controller, though - in fact I'm sure I've used a similar setup before. Is it possible that your error is misleading? Changing users might be a workaround, but perhaps there's something else fixable going on.

Windows Service user account trouble for TFSBuildServiceHost.exe

Experienced a very strange problem today on our TFS2010 build server. Suddenly the build service failed for no apparent reason. We´re been trouble shooting it all day, but still haven´t found the reason yet.
One of the problems is that the build service is (or should!) running under an AD user called tfs2010build. However when I try to start the service, i get the following error
Service cannot be started. Microsoft.TeamFoundation.TeamFoundationServerUnauthorizedException: TF30063: You are not authorized to access http://tfs2010:8080/tfs/default. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
When I look in the event log on the TFS2010 server, I see that the failed authentication is registered for a user called TFS2010Install, which was used to install everything. I´ve tripple checked and the service is specified as to be running under TFS2010Build.
Log from TFS2010 server:
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: TFS2010INSTALL
Account Domain: LC
So my question is how is this possible. COuld the user TFS2010Build some how be impersonated by TFS2010Install? I
ve tried to install an additional build server and here there´s no problem starting the service under the user TFS2010Build - hence it is not a problem with AD or TFS user rights.
Hope you guys can help out!
/Jasper
!! Updated with some screen shots. Build server is TFS2010BIULD and the TFS server is TFS2010
Link to full size
Screen shot of non working build server TFS2010Build
Screen shot of working build server TFS2010Build1
!!New Update
I've managed to get the Build service to run under the TFS2010Build user account (which was actually the initial state, when the problem started). When I queue builds to this controller and agent, i get the follwing in the build log:
TF215097: An error occurred while initializing a build for build definition \PlanteIT_MarkOnline_Scrum\CI_Main_FieldOnlineClient: TF215106: Access denied. LC\TFS2010INSTALL needs Update build information permissions for build definition CI_Main_FieldOnlineClient in team project PlanteIT_MarkOnline_Scrum to perform the action. For more information, contact the Team Foundation Server administrator.
It still insist that TFS2010Install user account is running the service, despite that TFS2010Build is used for the build service. Any ideas?
This is a stab in the dark, can you try clear the TFS client cache and your internet cache on your troubled build machine under the Tfs2010Build account? I've never seen this issue before but maybe some stale cached TfsProjectCollection object with TFS2010Install authentication stayed around and caused problems.
Have you also tried reconfigure your build machine?
To unconfigure:
tfsconfig.exe setup /uninstall:TeamBuild
and reconfigure through the wizard.
I will try once more ..., step by step :-)
FACT: When you register your build controller to a TFS project collection, being logged-in as TFS2010Build, an authentication dialog pops-up. This means that the TFS server does not accept TFS2010Build as an account that can be used to connect to your default collection on the TFS server.
FACT: When you register your build controller to a TFS project collection, being logged-in as TFS2010Install, no authentication dialog pops-up. This means that the TFS server does accept TFS2010Install as an account that can be used to connect to your default collection on the TFS server.
Apparently, because in both 1 and 2 your build controller is registered using the TFS2010Install account to the TFS server, either the controller or the server remembers these credentials and uses them to connect to the TFS server collection when the build controller is started, despite the fact that the service itself is running under the TFS2010Build account. This is a plausible situation and impersonation happens often this way for services. Maybe some TFS techie can either confirm or deny this behavior.
The question that remains for me: Why does the the default collection on the TFS server not accept the TFS2010Build account as a valid administrator?
Potential causes:
Read Jim Lamb's answer.
Something is wrong with the domain registration of the system or user used to connect the controller to the collection on the TFS server.
Fastest way to rid of the problem: Continue to install the secondary server that does not seem to have the problem, potentially experiment with using the TFS2010Build from this secondary server to see if the problem also occurs there.
A long aswer, but hopefully it gives you a big push in the right direction.
Sorry to hear that you're having problems getting this to work. Here are a couple of things you can check/try:
Make sure that the TFS2010Build user account is a member of the "Build Services" group in the TFS project collection you've associated it with.
If you install and configure the build service while logged in as a user who is a member of the Project Collection Administrators group on the associated project collection and is also a member of the local Administrators group on the build machine, all of the requisite permissions and other configuration will generally be set for you.
So, to summarize, the user configuring the build machine should be a member of the project collection administrators group and a member of the local administrators group. And, the user account the build machine is running as should be a member of the project collection's "build services" group.

When I install TFS 2010 what is the standard user name and password at /tfs?

I just installed TFS 2010. When I go to machine-name:8080/tfs on my web browser it asks for a user name and password. What is the standard user name and password? How do I set this?
It should accept all username/password combinations which are valid on the machine running TFS.
There is no default password thing. (could be that default installation only allows administrative login)
See MSDN for further information on configuring TFS 2010:
http://msdn.microsoft.com/en-us/library/ms252477.aspx
In My case it was all about firewall configuration, let me tell you what I was dealing with:
I checked out windows firewall and I saw that there was an exception for TFS But it was not enough, why? See following image:
As you can see, TFS has been excepted but not for Public
So you can tick the check box for Public or you can change your network location from Public to Home or Work, go to: Control Panel > Network and Sharing Center
Change Your network Location
Now you can simply use those Windows accounts you have and it will be accepted definitely.
Overview: What was default Username and Password again?
Assumption: You are using TFS in local network, Your own server your own client!
Short answer: As a simplest method, you should create a windows account, introduce it in TFS to grant permissions, then you can login by that account from wherever in your local network.
Long Answer:
Step1: Create one or more windows account(s), to do that, go to control panel -> User accounts -> manage another account (Create another account while you can use the account you already have) -> Create a new account ->Give it a name
Probably you may need to select administrator
Then select created account -> Create a password
Step 2:
Go to Web Portal for VS TFS 2015, click on team members (or click on the gear icon in the above bar, and go to security tab) Add -> Add windows user or group -> Browse for account you already created or simply type it to add it.
Step 3:
Go to web portal for Visual Studio Team Foundation Server 2015, through web browser by some address like http://user-pc:8080/tfs (which you can find it in your VS or TFS) just like
then you encounter a dialog box which asks you for username and password, give the credential it asks based on windows account you have created, if everything is OK and no problem with firewall it's done.
Finally:
You might see multiple users in windows welcome screen which seems annoying, to prevent windows from showing them in the welcome screen
Go to Computer -> Manage -> Local Users and Groups -> Users
double click on each one of them and remove their member of data (which is set to Users by default)
Thanks to THIS
There is none. Log in as admin on the machine. Then create a new project group etc. Define admins there (Domain integrated). Their usernames / paswords will work then.

Resources