azure-devopsazure-pipelinesazure-agent

Configuring devops agent error TF400813: The user 'user' is not authorized to access this resource. Failed to connect. Try again or ctrl-c to quit


Attempting to add an Agent for our On-Prem Azure DevOps to a new web server. Following the instructions here on microsoft's site. I have downloaded the zip file from my devops server and run the powershell commands specified on the download page:

PS C:\> mkdir agent ; cd agent
PS C:\agent> Add-Type -AssemblyName System.IO.Compression.FileSystem ; [System.IO.Compression.ZipFile]::ExtractToDirectory("$HOME\Downloads\vsts-agent-win-x64-2.153.1.zip", "$PWD")

Then I ran the config tool:

PS C:\agent> .\config.cmd

Following the instructions:

Enter the server url > https://tfs.domain.com/mycollection
Enter authentication type > Negotiate
Enter username > agentuser
Enter password > ******

Result:

TF400813: The user 'ORG\AgentUser' is not authorized to access this resource.
Failed to connect.  Try again or ctrl-c to quit

The user in question pilots other agents on different servers. I am an admin on the server and my account has the administrator rights for all the agent pools.

Is there some server permission that I'm not seeing in the documentation? Is it possible "Negotiate" is not a valid authentication method on this server? If so, how can I add it? Where would I look for a more specific error log?

Update More logging information (I found the agent log):

[2024-08-15 16:11:45Z WARN VisualStudioServices] Authentication failed with status code 401.
X-TFS-SoapException: 
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
    <soap:Body>
        <soap:Fault>
            <soap:Code>
                <soap:Value>soap:Receiver</soap:Value>
                <soap:Subcode>
                    <soap:Value>UnauthorizedRequestException</soap:Value>
                </soap:Subcode>
            </soap:Code>
            <soap:Reason>
                <soap:Text xml:lang="en">TF400813: Resource not available for anonymous access. Client authentication required.</soap:Text>
            </soap:Reason>
        </soap:Fault>
    </soap:Body>
</soap:Envelope>
[2024-08-15 16:11:45Z WARN VisualStudioServices] Windows issued token provider instance 43205102 requires an interactive prompt which is not allowed by the current settings
[2024-08-15 16:11:45Z ERR  VisualStudioServices] GET request to https://tfs.domain.com/mycollection/_apis/connectionData?connectOptions=1&lastChangeId=-1&lastChangeId64=-1 is not authorized. Details: TF400813: The user 'ORG\AgentUser' is not authorized to access this resource.

Solution

  • Ultimately I don't think I understood the assignment correctly and the instructions provided to me were either out of date or incorrect in the first place.

    I found new instructions which recommended using PAT instead of negotiate authentication and those worked perfectly and now both of my new agents are installed and humming. It's my opinion that the negotiate method would require me to enter MY username and password and not the agent account's username and password. That probably would have worked I am thinking. Because later in the installation I entered the agent account and everything worked just fine.