What account privleges should I give to my TFSBuild account? - tfs

I have a separate server that runs tfs build.
I created an account that will run the tfs build service.
I am getting an error because it says it can't access the drop folder.
what permissions do I have to give the tfs build service account? I believe it has to be apart of some tfs specific groups?
Update
I decided just to use the tfsservice account on the domain...
I added the TFSService account using LogonAs for the TFSBuild service, I am getting a 'could not start team foundation build service on local computer' Error 5 access is denied.
I am using mydomain/tfsservice as the account name.

Since the build is actually finishing except the final copy task, simply add the TFSBuild account to the drop location's folder for full control. This will expose the smallest portion of the fs as possible.

Related

Getting "ERROR 5 Getting File System Type of Destination" Access denied: suing TFS Windows Machine File Copy Task

I am new to TFS and i am trying to copy artifacts from my TFS server to a windows server using Windows Machine File Copy Task. But i am getting the following error.
"ERROR 5 Getting File System Type of Destination, Access denied". It is using Robocopy for achieving this.
I can remotely connect to the server and i have admin access. What am i missing here? Please help.
I can remotely connect to the server and i have admin access. What am
i missing here?
Azure DevOps/TFS is using build service account to run your build pipeline. The key point here is the build service just the same as account "I".
If not, you need to give same permission as "I" to that account.
Another way is changing your build service account to "I". This account is configured when you install build agent.
How to change it, you could refer my reply in this question: azure devops local agent pipeline permission denied
Hope it helps.

TFS Build Server gives service unavailable (503) message

I recently installed TFS 2015 on a new machine. I want to configure the same machine as our build server but i have massive trouble doing this. I neither can configure the new vNext-system nor can i configure an "old-style" xaml build server. As the build account i want to use the NT AUTHORITY\Network Service. For the xaml configuration i set "Execute service as" to NT AUTHORITY\Network Service and use the same account for the connection to the team foundation server.
But when i add a new controller and want to browse to custom assemblies, i get a "service unavailable" error. So i decided to test without the custom assemblies, added an build agent and created a new build-definition for a simple test project. I added a build to the queue and wait. Nothing happenend (in the build window) until after about 50 seconds an error was shown in the build window: Service Unavailable (Typ VssServiceResponseException).
Same for the new vNext builds. I downloaded the agent.zip from the web-frontend, opened the powershell and started configuring the build-agent. After waiting some minutes, the configuration aborted with.... service unavailable.
So i decided to test something different : instead of using the FQHN, i used localhost and - tataaa - it starts the agent, which is also shown green in the web-frontends agent-tab. So i created a new vNext-Build-Definition and added it to the queue, but it does not start, but shows the message : "waiting for console output from an agent".
So i decided to test it on a different pc : i downloaded the agent to my laptop and installed it, configuring the agent with it's FQHN. Without any problems the agent was started and i was able to start and run a build.
So the question is : Why am i'm not able to configure the build service on the tfs. I guess it has something to do with permissions, but i don't now, what permissions the network service account should have. I also tried it with a local account, but with the same result.
Any hints are very appreciated. Thanks in advance.
BTW: I can ping the FQHN from the command-line.
This is the output, after trying to add a vNext-agent via the powershell.
UPDATE:
I used the the servers IP-address instead of its name and it suddenly worked.
Take XAML build for example, to configure a Team Foundation Build Service, you must be a member of both the Windows Administrators security group on the server on which you are configuring Team Foundation Build Service and the Project Collection Administrators group on TFS.
According to the second paragraph, you can configure build controller and add build agent. Before queuing a build, you need to make sure the build controller and agent are in Ready status, sometimes relevant services are not yet fully available when you newly configure them or restart them.
Also, you may try to remove build service feature, and reconfigure it, to see whether you can solve the issue.

Trouble Setting Up Team Foundation Server 2015 Build Server

I'm setting up TFS 2015 for my team to try out, and I'm having trouble getting it off the ground. It sounded straightforward, but things don't work and I can't find any diagnostics, and tutorials don't match what I'm seeing. Some highlights:
When I go to download a Build Agent from the server, I don't get a PowerShell file (ConfigureAgent.ps1), I get ConfigureAgent.cmd.
The images and description of setting up the build controller show me a nice picture of the TFS Admin Console with a Build Controller and Build Agent and their statuses underneath 'Build' (see Team Foundation Server 2015 Builds will not start or https://msdn.microsoft.com/en-us/library/ms181712.aspx.) On my system, I see this display under XAML Build Config (the old way,) but the Build item in the console doesn't have anything like that. It has a link to download an agent, but installing an agent doesn't change this.
Installing the agent appears to work. I get a service that's running, and the web portal agrees that I have an agent in the default queue and pool.
But, queuing a build just sits there. I've found the _diag folder for the agent, which has logs with a bunch of "Message received, no message retrieved" lines. I can't find anywhere else to check if the server knows about this build.
The service account is Network Service, and I've tried putting it in every TFS group mentioned online regarding permissions.
My setup is TFS and VS 2015 installed on our build machine, with it also hosting the build agent. I'm on port 8079, because port 8080 is taken. It's got to be something silly I missed, because everything looks like it's working. Has anyone gotten this beast off the ground without coming from a pre-existing install?
The configureagent.cmd is the correct file (it does pretty much what he ps script did)
Make sure the account that the agent is run under is in the "Agent Pool Service Account" role. It is better to use a domain/machine account not a local service account.
Make sure the queue is provisioned in the collection ( https://your-tfs-server:8080/tfs/your-collection/_admin/_AgentQueue ). If not - select "New queue.." and select the existing queue.
Make sure that when setting up the build through web access, the demands (on the general tab) is met by the capabilities of the agent.
If all this is in place, I have found that it facilitates testing by running the agent in interactive mode (not as a service). This gives you a bit better insight into what is happening. When it is working you can configure it as a service again.
Use an actual service account, not NETWORK SERVICE, and make sure that service account is a member of the Build Service Accounts group in your Team Project.
For me the issue was that the IIS's Team Foundation Server site setting's Authentication, "Windows Authentication" had to be enabled.
I was using a windows user as the log in credentials for the Build Agent running as a service.
Remember this new build system uses all http now.
It does not talk to any tfs build controller.

Can't install TFS 2015 build vNext agent as a service

I'm looking at migrating our builds from the old XAML to the new build system, but I have a problem with configuring the build agent to run as a service.
Configuring the agent to run interactively (in my session on the build server) works. The builds are OK but this is not useable as I have to open a session and start the agent.
Configuring the agent to run as a service with the default NT AUTHORITY\NETWORK SERVICE works. The builds are broken. WiX doesn't like this account and fails during the ICE validation. The drop also fails because this account doesn't have access to the drop folder.
Configuring the agent to run as a service with a domain account fails. The service is not created and I get the following error:
Installing service vsoagent.tfs-server.tfs-build-server-agent1...
Creating EventLog source vsoagent.tfs-server.tfs-build-server-agent1 in log Application...
An exception occurred in the OnAfterInstall event handler of System.ServiceProcess.ServiceInstaller.
System.NullReferenceException: Object reference not set to an instance of an object.
The username and passwords are OK, I get a different "bad username or password" error when typing a bad password. The user was used for the old XAML build system on the same build server and is in the local admin group, so it has authorisations AFAIK.
I was running TFS 2015, I upgraded to 2015 update 1 then forced an agent update in the web interface. After that it works, I can configure the agent to run as a service using a domain account.
Agent.Version is still saying 1.83.2 in the web interface, but the files are actually different in the agent folder. An agent.old folder is left after the upgrade and you can see that VsoAgent.exe and VsoAgentService.exe have a different size and version. Also the agent.old folder has 138 files in 46 folders, but the agent folder has 157 files in 53 folders.
I Had the same issue with the WIX validation. But i did not try to reconfigure the agent (not due to problems,just due to pure laziness), instead i did just change the account to a domain account using the services overview. restarted the machine and everything did work fine.
To narrow down your issue:
1.Try to Configure the agent to run as a service with another domain account on another computer
2.If you need to change the logon account, don't do it from the services snap-in. Instead, From an elevated Command Prompt, run: C:\Agent\Agent\VsoAgent.exe /ChangeWindowsServiceAccount
update
If you upgrade your TFS2015 to TFS2015update1. Do not just use the simple update agent in the web interface. You need download the agent from web and reconfigure it in the cmd.

TFS2012 - Access denied on copying diagnostic activity logs

I have a problem with TFS2012 builds which I can't seem to figure out nor find any solution for.
Setup:
Separate SQL server, separate TFS Application server (TFSAT01 / WinSvr08R2) and separate build machine (TFSBLD01 / Win7x64).
Drop share created on TFSAT01 - R/W acess granted to the two computers in our domain: TFSAT01$ and TFSBLD01$ (According to #8 http://msdn.microsoft.com/en-us/library/bb778394.aspx)
The build controller is configured on the TFS app. server TFSAT01.
The build agents are running on the build machine TFSBLD01.
Problem:
My CI build does complete and does copy all binaries to the drop share.
But I keep getting one error under Other Errors and Warnings in the build output window which says: "An error occurred while copying diagnostic activity logs to the drop location. Details: Access to the path '\TFSAT01\Drops\PRODUCT-CI\PRODUCT-CI_20130211.16\Logs\ActivityLog.xml' is denied.". The ActivityLog.xml is indeed written and I can access it.
Any ideas to why I get this error even though it seems that the share is configured with the proper access rights?
Note:
I can get around this error by specifying a user-account for the build agent to use (also with R/W access rights to the drop share) - but I would rather if I could stick with the default NetworkService credentials used by the build controller and agents.
Adding in resolution based on discussion in the comments
The build controller account needs to have R/W permissions on the drop location. The TFSAT01$ account was provisioned here while the build controller was configured as network service. Since these are not really the same account providing R/W permissions to NT AUTHORITY\NETWORK SERVICE is the required fix.
The build controller must run under the same account which has R/W permissions on drop location. I recommend to use same user account for build agents and build controller.
On TFS build controller, right click on the XAML Build Configuration > [your build service]
Click on "Stop the service"
Click "change" button under Run service as: section
Use a user who has access to both TFS repository & the drop location.
p.s. using TFS 2015

Resources