Windows Service user account trouble for TFSBuildServiceHost.exe

Question

Experienced a very strange problem today on our TFS2010 build server. Suddenly the build service failed for no apparent reason. We´re been trouble shooting it all day, but still haven´t found the reason yet.

One of the problems is that the build service is (or should!) running under an AD user called tfs2010build. However when I try to start the service, i get the following error

Service cannot be started. Microsoft.TeamFoundation.TeamFoundationServerUnauthorizedException: TF30063: You are not authorized to access http://tfs2010:8080/tfs/default. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.

When I look in the event log on the TFS2010 server, I see that the failed authentication is registered for a user called TFS2010Install, which was used to install everything. I´ve tripple checked and the service is specified as to be running under TFS2010Build.

Log from TFS2010 server:

Account For Which Logon Failed:
Security ID:        NULL SID
Account Name:       TFS2010INSTALL
Account Domain:     LC

So my question is how is this possible. COuld the user TFS2010Build some how be impersonated by TFS2010Install? I ve tried to install an additional build server and here there´s no problem starting the service under the user TFS2010Build - hence it is not a problem with AD or TFS user rights.

Hope you guys can help out!

/Jasper

!! Updated with some screen shots. Build server is TFS2010BIULD and the TFS server is TFS2010

Link to full size

Screen shot of non working build server TFS2010Build

Screen shot of working build server TFS2010Build1

!!New Update

I've managed to get the Build service to run under the TFS2010Build user account (which was actually the initial state, when the problem started). When I queue builds to this controller and agent, i get the follwing in the build log:

TF215097: An error occurred while initializing a build for build definition \PlanteIT_MarkOnline_Scrum\CI_Main_FieldOnlineClient: TF215106: Access denied. LC\TFS2010INSTALL needs Update build information permissions for build definition CI_Main_FieldOnlineClient in team project PlanteIT_MarkOnline_Scrum to perform the action. For more information, contact the Team Foundation Server administrator.

It still insist that TFS2010Install user account is running the service, despite that TFS2010Build is used for the build service. Any ideas?

Answer 1

This is a stab in the dark, can you try clear the TFS client cache and your internet cache on your troubled build machine under the Tfs2010Build account? I've never seen this issue before but maybe some stale cached TfsProjectCollection object with TFS2010Install authentication stayed around and caused problems.

Have you also tried reconfigure your build machine?

To unconfigure: tfsconfig.exe setup /uninstall:TeamBuild

and reconfigure through the wizard.

Answer 2

I will try once more ..., step by step :-)

1. FACT: When you register your build controller to a TFS project collection, being logged-in as TFS2010Build, an authentication dialog pops-up. This means that the TFS server does not accept TFS2010Build as an account that can be used to connect to your default collection on the TFS server.

2. FACT: When you register your build controller to a TFS project collection, being logged-in as TFS2010Install, no authentication dialog pops-up. This means that the TFS server does accept TFS2010Install as an account that can be used to connect to your default collection on the TFS server.

3. Apparently, because in both 1 and 2 your build controller is registered using the TFS2010Install account to the TFS server, either the controller or the server remembers these credentials and uses them to connect to the TFS server collection when the build controller is started, despite the fact that the service itself is running under the TFS2010Build account. This is a plausible situation and impersonation happens often this way for services. Maybe some TFS techie can either confirm or deny this behavior.

The question that remains for me: Why does the the default collection on the TFS server not accept the TFS2010Build account as a valid administrator?

Potential causes:

1. Read Jim Lamb's answer.

2. Something is wrong with the domain registration of the system or user used to connect the controller to the collection on the TFS server.

Fastest way to rid of the problem: Continue to install the secondary server that does not seem to have the problem, potentially experiment with using the TFS2010Build from this secondary server to see if the problem also occurs there.

A long aswer, but hopefully it gives you a big push in the right direction.