TFS 2010 - Why am I getting "TF30063 You are not authorized to access.." error when impersonating?

I am attempting to create a bug in TFS2010 by impersonating a user but always get

"TF30063 You are not authorized to access.."

I first authenticate using a service account and then attempt to impersonate a separate user account. I can successfully create Work Items using either account, both programmatically and in the web UI. However, when I try to create the Work Item using an impersonated account (either way around) I always get this error. My code is:

    using System;
    using System.Collections;
    using System.Collections.Generic;
    using Microsoft.TeamFoundation.Client;
    using Microsoft.TeamFoundation.Framework.Client;
    using Microsoft.TeamFoundation.WorkItemTracking.Client;

    public int Save(List<KeyValuePair<string, string>> values, ticketType type, string user)
    {
        // get the Uri to the project collection to use
        Uri tfsuri = new Uri("http://94.23.12.119:8085/tfs");

        // get a reference to the team project collection (authenticate as generic service account)
        using (var tfs = new TfsTeamProjectCollection(tfsuri, new System.Net.NetworkCredential("username", "password", "servername")))
        {
            tfs.EnsureAuthenticated();

            // Now get the details of the user we want to impersonate
            TeamFoundationIdentity identity = GetImpersonatedIdentity(tfsuri, tfs, user);

            // Now connect as the impersonated user (this is where TF30063 is thrown)
            using (TfsTeamProjectCollection ImpersonatedTFS = new TfsTeamProjectCollection(tfsuri, identity.Descriptor))
            {
                ImpersonatedTFS.EnsureAuthenticated();
                WorkItemStore workItemStore = GetWorkItemStore(ImpersonatedTFS);

                // create a new work item of the requested type
                WorkItem wi = new WorkItem(GetWorkItemType(type, workItemStore));

                // Values are supplied as a KVP - Field Name/Value; fields the type does not have are skipped
                foreach (KeyValuePair<string, string> kvp in values)
                {
                    if (wi.Fields.Contains(kvp.Key))
                    {
                        wi.Fields[kvp.Key].Value = kvp.Value;
                    }
                }

                // Validate() returns the list of invalid fields; an empty list means the item can be saved
                ArrayList validationResult = wi.Validate();
                if (validationResult.Count == 0)
                {
                    wi.Save();
                    return wi.Id;
                }

                return 0;
            }
        }
    }

It successfully gets the impersonated identity but falls over on

ImpersonatedTFS.EnsureAuthenticated();

Both accounts have the 'Make requests on behalf of others' permission set.

asked Nov 14 '22 13:11 by Simon


1 Answer

First, let me clarify one thing. It seems your application is a server application, in which case there is no value in using EnsureAuthenticated(). It is just a performance tuning trick to help UI/desktop clients.

Now back to your main issue: if your application works as expected when you access it locally but fails when you access it remotely, then please read on; otherwise this is not the solution for you.

It is failing because the SPN needs to be added to the service account in Active Directory. It is necessary for Kerberos authentication to take place.

This is something that the TFS team needs to explain, because many developers will forget about it while focusing on the job at hand. Hope this helps.

To learn more about SPNs and Kerberos fundamentals, check out these resources:

  • Kerberos for the busy admin.
  • Introduction to Kerberos SPN

I hope this helps.

Thanks!

answered Nov 16 '22 02:11 by Ashraf ElSwify
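As an added illustration of the answer's point (not part of the question or answer), the following PowerShell script checks for and registers the HTTP SPN on the service account, assuming that account is the one the TFS application tier runs as; the host name tfs.corp.example and the account CORP\svc_tfs are placeholders to replace with your own.

```powershell
# Added example: register the HTTP SPN that Kerberos needs for the TFS URL.
# Placeholders: replace $TfsHost and $ServiceAccount with your own values.
param(
    [string]$TfsHost        = 'tfs.corp.example',   # FQDN used in the TFS URL (placeholder)
    [string]$ServiceAccount = 'CORP\svc_tfs'        # account the TFS app pool runs as (placeholder)
)

# Clients may use either the short host name or the FQDN, so register both forms.
$spns = @("HTTP/$TfsHost", "HTTP/$($TfsHost.Split('.')[0])")

# An SPN registered on more than one account makes Kerberos fail for everyone,
# so report any duplicates across the forest before adding anything.
setspn -X -F

foreach ($spn in $spns) {
    # -Q reports whether the SPN already exists and on which object.
    $existing = setspn -Q $spn
    if ($existing -match 'Existing SPN found') {
        Write-Host "Already registered:`n$($existing -join "`n")"
        continue
    }
    # -S adds the SPN only if no duplicate exists; -U says the target is a user account.
    setspn -S -U $spn $ServiceAccount
}

# Confirm what is now registered on the service account.
setspn -L $ServiceAccount
```

Run it from an elevated prompt on a domain-joined machine with rights to modify the service account; the -L output at the end should list both HTTP/ entries.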