When I try to start Build Service from Administration Console I receive
TFSBuildServiceHost failed to start correctly
and the event log reports
Service cannot be started. Microsoft.TeamFoundation.TeamFoundationServerUnauthorizedException: TF30063: You are not authorized to access http://localhost:8080/tfs/defaultcollection.
My build configuration settings are as follows:
Connect to Team Project Collection (outgoing) : http://localhost:8080/tfs/defaultcollection
Local Build Service Endpoint (incoming) : http://localhost:9191/Build/v3.0/Services
Run Build Service As : Windows Service
Credentials : NT AUTHORITY\NetworkService
I have a default Build Controller and 1 Build Agent, with working Directory $(SystemDrive)\Builds$(BuildAgentId)$(BuildDefinitionPath). Both are enabled.
My security settings are as follows:
Application Tier > Service Account : NT AUTHORITY\LOCAL SERVICE
Team Project Collections > DefaultCollection > Group Memberships > [DefaultCollection]\Project Collection Build Service Accounts : Contains NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\SYSTEM
IIS > Sites > Team Foundation Server > tfs : Contains NT AUTHORITY\NETWORK SERVICE (full control)
C:\Builds\ : Contains NT AUTHORITY\NETWORK SERVICE (full control)
C:\Program Files\Microsoft Team Foundation Server 2010\Application Tier : Contains NT AUTHORITY\NETWORK SERVICE (full control)
So I am not sure what else I am missing?
I managed to get this problem resolved by reinstalling TFS (not ideal).
The short answer, I think, to resolve this is to follow the steps for changing the Build Service Account, instead.
http://msdn.microsoft.com/en-us/library/bb909750(v=vs.90).aspx
It appears the problem was that I did not pay close enough attention during the Build Service Configuration stage of the installation, in particular the health check step, which gave a warning that the specified service account, under which the Build Service would execute, must be added to Windows Credentials Manager. The warning further stated that if I chose to use the current interactive user (i.e. my account, instead of an account I specially created for the Build Service) the installation could do this for me; otherwise I would have to do it manually.
Since I had already wasted two days on this, I chose to use my account instead and let the installation perform the necessary security setup. Luckily, since it appears that adding the account to Windows Credential Manager is not the only thing you have to do, nor is any other seemingly logical thing, such as adding the account to the Team Project or Project Collection.
I subsequently tried to manually change the account to a dedicated TFS user account, by assigning it to the Build Service, and added it to Windows Credentials Manager and Team Project Collection, but no luck. I think the problem is that the account must also be specified for the WCF endpoints that TFS exposes to allow the build service to connect to it, and I think this can be done through wcfhttpconfig.exe as mentioned in the link.
We have currently upgraded our Team Foundation Server 2015 to Team Foundation Server 15, RC1.
But I cannot get our existing or new build agents running. The error we get is always the same.
No agent pool found with identifier 1 (or 2, ....).
I have checked the database and there is an agent pool with that ID.
Any idea anyone?
thanks.
If the build agent pool definitely exists but the error says the agent pool can't be found, then the issue is very likely related to permissions.
When configuring the build agent (newly created or existing), you need to make sure the account running the configure command or script has enough permissions.
The user account needs to be part of the Agent Pool Administrator Accounts.
Update
Try the following to narrow down the issue:
First check that the build server is available and enabled in TFS at https://YOURCOMPANYNAME:8080/tfs/_admin/_AgentQueue; your build agent should be “Green”.
Make sure the agent is in interactive mode.
Try to change to a domain account which is a member of the Build Agent Service Accounts group and belongs to the "Agent Pool Service Account" role, to see whether the agent works or not.
Double-check whether some firewall interface is blocking the build; try disabling all related settings.
Update 2
Browse the Control Panel - Team Project Collection - Team Project - Agent queues - click agent pool - Roles - click Add... - Add your user ID and select Administrator in Role.
After this try again.
Thanks for your time, however the issue is solved with Microsoft support.
It turned out that my default access level was Stakeholder, while build permissions are in Basic. So I had to change the default access level to Basic.
That's obviously a bug in the new RC1, but like you said, it was some kind of a permission issue.
thanks again.
I had the exact same thing: an existing build server, which was working until somebody upgraded it. Error message in the .\BuildAgent_Diag\ folder kept saying
Failed to create session. Sleeping for 10 seconds before next retry
----------------------------------------
Microsoft.TeamFoundation.DistributedTask.WebApi.TaskAgentPoolNotFoundException: No agent pool found with identifier 7.
I already had the service running as a domain account with "build admin" permissions.
The solution was to run 'ConfigureAgent' again: Open a command prompt as administrator. Change directory to your 'BuildAgent' folder (or wherever your 'ConfigureAgent.cmd' file is located) and run 'ConfigureAgent.cmd'. It will ask a few questions. I stayed with the current settings. I had to enter the password for the service account. Eventually the wizard completed and everything worked again.
I am trying to connect my Deployment Agent to the RM client from a different domain. I created a shadow account and everything else. Still it is not working. I am able to connect within the same domain. My RM client and server are on the same machine (VM), and my deployment agent is in a different workgroup domain (everything is in VMs). I am getting the error below from the log file.
Created Nt account for user RM.user1
Found Sid S-1-5-21-2704102820-366803756-3152234569-1011 for user RM.user1
Is RM.user1 network service account? False
Created Nt account for user RM.user1
Found Sid S-1-5-21-2704102820-366803756-3152234569-1011 for user RM.user1
Is RM.user1 local system account? False
Domain:
Final UserName: SVWP500\RM.user1.
Loading account details for SVWP500\RM.user1
Is SVWP500\RM.user1 local machine account? True
Normalized account is SVWP500\RM.user1 and Sid is S-1-5-21-2704102820-366803756-3152234569-1011
Validating account to use as identity for Release Management Services...
IsAdminAccount : Trying to determine if the account : SVWP500\RM.user1 is an admin on the local machine
IsAdminAccount : Trying to determine if the account : SVWP500\RM.user1 is an admin on the local machine
User SVWP500\RM.user1 is system, Admin
Validated account to use as identity for Release Management Services.
Validating Release Management Server for Team Foundation Server 2013....
ServiceUserIsServiceUser="1" InstallerUserIsReleaseManager="1" />, Release Management Server for Team Foundation Server 2013 validation succeeded.
Received Exception : System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
at System.Security.Cryptography.Utils.SetKeySetSecurityInfo(SafeProvHandle hProv, CryptoKeySecurity cryptoKeySecurity, AccessControlSections accessControlSections)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at Microsoft.TeamFoundation.Release.CommonConfiguration.Helpers.CryptoHelper.<.ctor>b__2(CspParameters container)
at Microsoft.TeamFoundation.Release.CommonConfiguration.Helpers.CryptoHelper.ConfigureDeployerCryptoKey(String userName)
at Microsoft.TeamFoundation.Release.CommonConfiguration.DeployerConfigurationManager.Configure()
at System.ComponentModel.BackgroundWorker.WorkerThreadStart(Object argument)
Work completed for GetConfiguration() call : got out of turn error
Please help on this.
Looks like the account you are using to register the deployment agent hasn't got permission to access Release Management, because the next step after Team Foundation validation is updating the deployment configuration.
I, 2015/02/13, 08:25:54.156, Release Management Server for Team Foundation Server 2013 validation succeeded.
I, 2015/02/13, 08:25:54.236, Updating Microsoft Deployment Agent 2013 configuration settings...
V, 2015/02/13, 08:25:54.238, Successfully read Release Management deployer registry key, installation path is C:\Program Files (x86)\Microsoft Visual Studio 12.0\Release Management\
V, 2015/02/13, 08:25:54.251, Opening configuration file C:\Program Files (x86)\Microsoft Visual Studio 12.0\Release Management\bin\Microsoft.TeamFoundation.Release.Data.dll.config
I have a similar setup and below are the steps I did to make it work in my environment:
1. Create a local user (RMServer) on both DomainA\RMServer & DomainB\DeploymentAgentServer machines. Add the users to the administrators group.
2. Create a local user (DeployAgent) on both DomainA\RMServer & DomainB\DeploymentAgentServer machines. Add the users to the administrators group.
3. From Release Management client add the .\RMServer account and grant both "Service User" and "Release Manager" permissions (please note: in the Windows account text box don't use machinename\user, just add .\user).
4. From Release Management client add the .\DeployAgent account and grant "Service User" (please note: in the Windows account text box don't use machinename\user, just add .\user).
5. Install the Deployment Agent on DomainB\DeploymentAgentServer as the DeployAgent user (created in step 2).
I was using the Microsoft & Wouter de Kort blog
BEFORE: I had a TFS 2010 on a temporary test environment set up with a project and I had web users and everything worked great.
NOW: I've installed it on a permanent environment (same O/S, domain, everything) but any permissions I set no longer seem to have any effect.
It seems only the service account can access any features.
Authentication is NTLM.
Any network users I give access to are either being asked for their credentials to connect to the server and being rejected regardless (they can connect to the default IIS fine) or they get:
500 - Internal server error.
There is a problem with the resource you are looking for, and it cannot be displayed.
Ridiculous, but the problem is that the new install was on the E: not the C: so the local NETWORK SERVICE account (that I use as a service account for TFS) did not have access to the files/folders under \Program Files\Microsoft Team Foundation Server 2010\
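A check for the situation described above, where the service account has no usable access to the install folder (added example, not part of the original post). It takes the ACE list from `(Get-Acl <path>).Access` and reports what `NT AUTHORITY\NETWORK SERVICE` is granted directly or through groups; the group list, the function name and the sample ACEs are assumptions constructed for illustration, and account names are the English ones.

```powershell
# Groups assumed to be present in the NETWORK SERVICE token (English names).
$ViaGroups = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'NT AUTHORITY\SERVICE'

function Get-AccountAccess {
    param(
        $Access,   # (Get-Acl <path>).Access, or objects of the same shape
        [string]$Account = 'NT AUTHORITY\NETWORK SERVICE',
        [System.Security.AccessControl.FileSystemRights]$Needed = 'ReadAndExecute'
    )
    $names = @($Account) + $ViaGroups
    # Keep ACEs that name the account or one of its groups and that apply to
    # the folder itself (inherit-only ACEs affect children only).
    $aces = @($Access | Where-Object {
        ($names -contains "$($_.IdentityReference)") -and
        ("$($_.PropagationFlags)" -notmatch 'InheritOnly')
    })
    $allow = 0
    $deny  = 0
    foreach ($ace in $aces) {
        $bits = [int][System.Security.AccessControl.FileSystemRights]$ace.FileSystemRights
        if ("$($ace.AccessControlType)" -eq 'Deny') { $deny = $deny -bor $bits } else { $allow = $allow -bor $bits }
    }
    # Simplification: any matching Deny bit removes the right, regardless of ACE order.
    $effective = $allow -band (-bnot $deny)
    [pscustomobject]@{
        Account    = $Account
        Sufficient = (($effective -band [int]$Needed) -eq [int]$Needed)
        Granted    = [System.Security.AccessControl.FileSystemRights]$effective
        Via        = @($aces | ForEach-Object { "$($_.IdentityReference)" } | Select-Object -Unique) -join ', '
    }
}

# Constructed ACL resembling a relocated install folder: no ACE reaches NETWORK SERVICE.
$sampleAcl = @(
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\SYSTEM';    FileSystemRights = 'FullControl'; AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'BUILTIN\Administrators'; FileSystemRights = 'FullControl'; AccessControlType = 'Allow' }
)
Get-AccountAccess -Access $sampleAcl

# Live use on the server from the post:
# Get-AccountAccess -Access (Get-Acl 'E:\Program Files\Microsoft Team Foundation Server 2010').Access
```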
After DCpromoing and then demoting the server that TFS runs on, we cannot use WSS ("Cannot connect to the configuration database") to manage team projects. I believe that if I could find the default permissions that are set up when TFS is first installed on a server that is joined to a domain - in terms of any service accounts that are created and which accounts various services should run as - I would be able to get it back up and running again. Does anybody know the default NT accounts and permissions for Team Foundation Server?
That error sounds like a SharePoint error. This TechNet article outlines the permissions (server, SQL, registry) that are required for a default WSS install.
I'm trying to install Team Build (2008) on a different Build Server (BS) to the Application Tier (AT). BS is a 32-bit Windows 2008 server (as is the AT). They are on a corporate domain.
The EXE in question is
C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\PrivateAssemblies>
TFSBuildService.exe
The service on BS cannot start - the error is "Windows could not start the Visual Studio Team Foundation Build service on Local Computer\r\nError 5: Access is denied.". There is NO additional information in the Event Log. It is set to run as DOMAIN\TFSSERVICE account, which is also added to the Local Administrators group. It fails very quickly.
When I try to run it 'interactively' - the error on the command line is "Program too big to fit in memory".
It seems to me like this should be a fairly simple thing to set-up and use. What am I missing?
Notes:
I got my .config from Buck. I'm pretty sure I've correctly set the ports and Windows Firewall rules
I can access the web services on AT from BS via Internet Explorer (using the DOMAIN\TFSERVICE login)
I've added DOMAIN\TFSSERVICE user to a TFS project's Build Services group
I have checked DOMAIN\TFSSERVICE has full permissions on pretty much everything on the Build server.
Try this:
Associate the default port to the new build service account using the wcfhttpconfig.exe command-line tool located in the following folder:
C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\PrivateAssemblies
Execute (from the folder above):
wcfhttpconfig.exe reserve DOMAIN\UserAccount 9191
Full credit from the following post:
http://wesmacdonald.spaces.live.com/Blog/cns!25108A9ADA96C9D7!1553.entry
I suggest you should set up a dedicated TFSBUILD account and not use the TFS Service account for this task as a best practice.
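HTTP namespace reservations on the build server can be listed with `netsh http show urlacl` and compared with the account the build service runs as. The following is an added example, not code from any of the posts: it parses that output (English-language output assumed) and reports who holds the reservation for port 9191. The sample output, the `http://+:9191/` URL, the `DOMAIN\TFSBUILD` account and the function names are constructed for illustration.

```powershell
# Principals that would let any local user listen on the port.
$BroadPrincipals = '\Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

function Get-UrlAclReservation {
    param([string[]]$NetshOutput)
    $url = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
            $url = $Matches[1]
        } elseif ($url -and $line -match '^\s*User:\s*(.+?)\s*$') {
            [pscustomobject]@{ Url = $url; User = $Matches[1] }
        }
    }
}

function Test-BuildPortReservation {
    param([string[]]$NetshOutput, [int]$Port, [string]$ServiceAccount)
    $hits = @(Get-UrlAclReservation $NetshOutput |
        Where-Object { $_.Url -match "^https?://[^/]+:$Port/" })
    if ($hits.Count -eq 0) {
        return [pscustomobject]@{ Url = $null; User = $null; Status = 'MissingReservation' }
    }
    foreach ($h in $hits) {
        if ($BroadPrincipals -contains $h.User) { $status = 'TooBroad' }
        elseif ($h.User -eq $ServiceAccount)    { $status = 'Ok' }
        else                                    { $status = 'WrongAccount' }
        [pscustomobject]@{ Url = $h.Url; User = $h.User; Status = $status }
    }
}

# Constructed sample output (not captured from a real server).
$sample = @'
URL Reservations:
-----------------

    Reserved URL            : http://+:80/Temporary_Listen_Addresses/
        User: \Everyone
            Listen: Yes
            Delegate: No

    Reserved URL            : http://+:9191/
        User: NT AUTHORITY\NETWORK SERVICE
            Listen: Yes
            Delegate: No
'@ -split "`r?`n"

Test-BuildPortReservation -NetshOutput $sample -Port 9191 -ServiceAccount 'DOMAIN\TFSBUILD'
```

On a live build server, pass `(netsh http show urlacl)` as `-NetshOutput` from an elevated prompt instead of `$sample`.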
OK, the fact that you can access web services using the TFSSERVICE account from BS through to AT is a good thing, I am making the assumption you have created a LOCAL account on the BS machine for the TFSSERVICE account?
If not, please:
add a LOCAL account with the same name as DOMAIN\TFSSERVICE.
ensure that the password matches that of the DOMAIN\TFSSERVICE account.
ensure that account has "log on as a service" right under Local Security Policy.
Please read article: http://social.msdn.microsoft.com/Forums/en-US/tfsbuild/thread/d519b8e3-451a-4f07-97b1-e2943c2756c2
My issue was that my passwords for the AT and BS machine had to MATCH on the same domain. Please double-check that the TFSSERVICE account password matches on both the AT and BS machine, as the service will use impersonation when on the same domain.