I'm trying to build an ASP.NET page that adds a work item in TFS.
I have enabled impersonation and Windows authentication:
<authentication mode="Windows" />
<identity impersonate="true" password="" userName="" />
<customErrors mode="Off" />
In the page, I access TFS and try to add a work item:
TfsTeamProjectCollection prjCollection = TfsTeamProjectCollectionFactory.GetTeamProjectCollection(new Uri("xxx"));
WorkItemStore store = prjCollection.GetService<WorkItemStore>();
...
However, it only works when I select SpecificUser in ASP.NET Impersonation and store the credentials. It doesn't work when the Authenticated user is selected.
I've checked that the SpecificUser is the same as the Authenticated one, but I get permission errors in the latter case (which indicates that the impersonation doesn't work correctly).
TF30063: You are not authorized to access XXX. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.TeamFoundation.Client.TeamFoundationClientProxyBase.AsyncWebRequest.ExecRequest(Object obj)
--- End of inner exception stack trace ---
at Microsoft.TeamFoundation.Client.TeamFoundationClientProxyBase.ProcessHttpResponse(HttpWebResponse response, Stream responseStream, WebException webException, XmlReader& xmlResponseReader)
at Microsoft.TeamFoundation.Client.TeamFoundationClientProxyBase.ExecWebServiceRequest(HttpWebRequest request, XmlWriter requestXml, String methodName, HttpWebResponse& response)
at Microsoft.TeamFoundation.Framework.Client.LocationWebService.Connect(Int32 connectOptions, ServiceTypeFilter[] serviceTypeFilters, Int32 lastChangeId)
at Microsoft.TeamFoundation.Framework.Client.FrameworkServerDataProvider.Connect(ConnectOptions connectOptions)
at Microsoft.TeamFoundation.Framework.Client.FrameworkServerDataProvider.EnsureConnected(ConnectOptions optionsNeeded)
at Microsoft.TeamFoundation.Framework.Client.FrameworkServerDataProvider.get_InstanceId()
at Microsoft.TeamFoundation.WorkItemTracking.Client.WorkItemStore.InitializeInternal()
at Microsoft.TeamFoundation.Client.TfsTeamProjectCollection.InitializeTeamFoundationObject(String fullName, Object instance)
at Microsoft.TeamFoundation.Client.TfsConnection.CreateServiceInstance(Assembly assembly, String fullName)
at Microsoft.TeamFoundation.Client.TfsConnection.GetService(Type serviceType)
at Microsoft.TeamFoundation.Client.TfsConnection.GetService[T]()
at ASP.index_aspx.__Render__control1(HtmlTextWriter __w, Control parameterContainer)
The following variables look the same for both cases:
HttpContext.Current.Request.LogonUserIdentity.Name
HttpContext.Current.Request.IsAuthenticated
HttpContext.Current.User.Identity.Name
System.Environment.UserName
System.Security.Principal.WindowsIdentity.GetCurrent().Name
Any ideas?
EDIT:
Indeed, as John mentioned below, the issue is caused by Kerberos Delegation.
I've found the following article and accompanying tool very useful in explaining and mitigating this:
DelegConfig - A Tool To help resolve Kerberos authentication and delegation issues
I think you may have a "double hop" problem.
Based on this article, it's worth a shot to add EnsureAuthenticated();
TfsTeamProjectCollection prjCollection = TfsTeamProjectCollectionFactory.GetTeamProjectCollection(new Uri("xxx"));
prjCollection.EnsureAuthenticated();
WorkItemStore store = prjCollection.GetService<WorkItemStore>();
I haven't ever tried this, so I can only hope it 'll work.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With