TFS Service Authentication (TF30063)


I have some custom and third-party services (SFTS: Scrum for Team System) attached to my TFS 2010 server and began to get the following error in the event logs as the services failed.

Error: ‘TeamFoundationServerUnauthorizedException’
TF30063: You are not authorized to access http://[SERVER URL]:8080/tfs/[COLLECTION NAME].
     at Microsoft.TeamFoundation.Client.TfsConnection.ThrowAuthorizationException(Exception e)
     at Microsoft.TeamFoundation.Client.TfsConnection.UseCredentialsProviderOnFailure(Action action)
     at Conchango.TeamSystem.SubscribedEventHandler.Services.ServerConnectionService.ConnectToServer(String connectionString)

The effect that I was seeing was that the services appeared to be working just fine, but when they were attempting to write the results into work items, the server would stop the write claiming that the service did not have sufficient permissions to write to the system.  Since the service was impersonating an administrator on the TFS system, I knew this wasn’t the case, but still…  FAIL!

Following the steps in KB926642 got me through the issue, allowing the server to reference itself using the FQDN, and everything was working again.

http://support.microsoft.com/kb/926642

Method 1 (recommended): Create the Local Security Authority host names that can be referenced in an NTLM authentication request

To do this, follow these steps for all the nodes on the client computer:

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
  3. Right-click MSV1_0, point to New, and then click Multi-String Value.
  4. In the Name column, type BackConnectionHostNames, and then press ENTER.
  5. Right-click BackConnectionHostNames, and then click Modify.
  6. In the Value data box, type the CNAME or the DNS alias, that is used for the local shares on the computer, and then click OK.

    Note: Type each host name on a separate line.

    Note: If the BackConnectionHostNames registry entry exists as a REG_DWORD type, you have to delete the BackConnectionHostNames registry entry.

  7. Exit Registry Editor, and then restart the computer.
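
The same steps scripted in PowerShell, as an added example that is not part of the original post or the KB article. It keeps any names already listed, handles the wrong-type case from the second note, and exempts only the names you pass in; the host name tfs.example.local is a placeholder assumption. Run it from an elevated prompt.

```powershell
# Added example: scripted form of Regedit steps 1-6 above.
# ASSUMPTION: 'tfs.example.local' is a placeholder; pass the FQDN or DNS alias
# that the services use to reach the local TFS server.
param(
    [string[]]$HostNames = @('tfs.example.local')
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$valueName = 'BackConnectionHostNames'

$key      = Get-Item -Path $keyPath
$existing = @()

if ($key.GetValueNames() -contains $valueName) {
    $kind = $key.GetValueKind($valueName)
    if ($kind -eq [Microsoft.Win32.RegistryValueKind]::MultiString) {
        # Preserve host names that are already allowed.
        $existing = @($key.GetValue($valueName))
    }
    else {
        # KB note: an entry of the wrong type (e.g. REG_DWORD) must be deleted.
        Write-Warning "$valueName exists as $kind; deleting it before recreating."
        Remove-ItemProperty -Path $keyPath -Name $valueName
    }
}

# Merge old and new names, dropping blanks and (case-insensitive) duplicates.
$merged = @(
    $existing + $HostNames |
        Where-Object { $_ -and $_.Trim() } |
        ForEach-Object { $_.Trim() } |
        Sort-Object -Unique
)

# Create (or overwrite) the value as REG_MULTI_SZ, one host name per entry.
New-ItemProperty -Path $keyPath -Name $valueName `
    -PropertyType MultiString -Value $merged -Force | Out-Null

# Read the value back so the result can be checked before rebooting.
$check = Get-Item -Path $keyPath
'{0} ({1}):' -f $valueName, $check.GetValueKind($valueName)
$check.GetValue($valueName) | ForEach-Object { "  $_" }

Write-Host 'Restart the computer for the change to take effect (step 7).'
```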