azure-devops

How to resolve error TF401444 in PublishSymbols step in Azure DevOps build

In Azure DevOps, I started getting this error in a build step which uploads symbols to a symbol server:

[Symbol App][ERROR]   2025-02-19T20:33:27.1481800+00:00  Microsoft.VisualStudio.Services.Common.VssServiceException: TF401444: Please sign-in at least once as [guid]\[guid]\[guid] in a web browser to enable access to the service.

Where should I sign into? As what? How often would I need to do this manual step for an automated build process?

This is the YAML of the build step:

- task: PublishSymbols@2
  displayName: 'Publish symbols (*.pdb) to symbol server'
  inputs:
    ConnectedServiceName: '[my service connection name]'
    SymbolsFolder: '$(Build.SourcesDirectory)/[my build directory]'
    SearchPattern: '*.pdb'
    IndexSources: false
    SymbolServerType: TeamServices

Possibly relevant: I recently changed the build to use a new service connection that uses workload identity federation. I'm not 100% sure that's the issue, because it did build successfully with the new service connection for several months, and if I now try to switch back to the older service connection (just for this failing step), it still fails.

This answer suggests using an environment variable, but that isn't available for this task.

Solution

  • Based on the error message, the app registration of your service connection can't access DevOps. I can't reproduce the same error. Share my working steps for your reference.

    1. Create an ARM service connection with workload identity federation authentication type.
    2. Add the app registration created by ARM service connection to the organization user list. You can find the app registration by clicking "Manage App registration" in your service connection page. enter image description here
    3. Add this app registration to the Contributors group of the target project. enter image description here
    4. Then use it in PublishSymbols@2 task and it works without any issue. enter image description here

    By the way, when SymbolServerType is TeamServices, the symbol will be uploaded to build artifact, there is no need to use service connection for authentication. You can directly remove ConnectedServiceName parameter from the task.