tfstfs-2010

Team Foundation 2010, Build Server Cannot start


When I try to start Build Service from Administration Console I receive

TFSBuildServiceHost failed to start correctly

and the event log reports

Service cannot be started. Microsoft.TeamFoundation.TeamFoundationServerUnauthorizedException: TF30063: You are not authorized to access http://localhost:8080/tfs/defaultcollection.

My build configuration settings are as follows

Connect to Team Project Collection (outgoing) : http://localhost:8080/tfs/defaultcollection Local Build Service Endpoint (incoming) : http://localhost:9191/Build/v3.0/Services

Run Build Service As : Windows Service

Credentials : NT AUTHORITY\NetworkService

I have a default Build Controller and 1 Build Agent, with working Directory $(SystemDrive)\Builds$(BuildAgentId)$(BuildDefinitionPath). Both are enabled

My Security Setting are as follows

Application Tier > Service Account : NT AUTHORITY\LOCAL SERVICE

Team Project Collections > DefaultCollection > Group Memeberships > [DefaultCollection]\Project Collection Build Service Accounts : Contains NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\SYSTEM

IIS > Sites > Team Foundation Server > tfs : Contains NT AUTHORITY\NETWORK SERVICE (full control)

C\Builds\ : Contains NT AUTHORITY\NETWORK SERVICE (full control)

C:\Program Files\Microsoft Team Foundation Server 2010\Application Tier : Contains NT AUTHORITY\NETWORK SERVICE (full control)

So I am not sure what else I am missing?


Solution

  • I managed to get this problem resolved by reinstalling TFS (not ideal).

    The short answer, I think, to resolve this is to follow the steps for changing the Build Service Account, instead.

    http://msdn.microsoft.com/en-us/library/bb909750(v=vs.90).aspx

    It appears the problem was that I did not pay close enough attention during the Build Service Configuration stage of the installation, in particularly the health check step, which gave a warning that the specified service account, under which the Build Service would execute, must be added to Windows Credentials Manager. The warning further stated that, if I chose to use the current interactive user (i.e. my account, instead of an account I specially created for the Build Service) that the installation could do this for me, otherwise I would have to do it manually. Since I had already wasted two days on this, I chose to use my account instead and let the installation perform the necessary security setup, luckily !! since it appears that, adding the account to Windows Credential Manager is not the only thing you have to do, nor is any other seemingly logical thing, such as adding the account to the Team Project or Project Collection. I subsequently tried to manually change the account to a dedicated TFS user account, by assigning it to the Build Service, added it to Windows Credentials Manager and Team Project Collection, but no luck. I think the problem is that the account must also be specified for the WCF end points that TFS exposes to allow the build service to connect to it and I think this can be done through wcfhttpconfig.exe as mentioned in the link.