TFS Service account permissions required on build servers?
- Hello,
We've run into this a few times. Our "poor" solution is to make the TFS Service acct a local admin on dedicated build servers. I don't believe this is the recommended solution, so I'm looking for the minimum permissions to make it work.
Domains, accounts, and servers involved:
Developers work in a domain let's call it "corp.com" or "corp"
We have a two-tier TFS server 2008 SP1 in a sub-domain let's call it "sub.corp.com"
Dedicated build servers in "corp.com" - one per project.
The tfs service account "CORP\TFS_Service"
Any number of build service accounts - one per project to avoid widespread outages if one is locked out.
Several build servers are running and working fine. On these servers, we've promoted TFS_Service to local admin on the build server.
Where we haven't granted TFS_Service any permissions to the build server, we ONLY SOMETIMES have this issue during a build (names substituted):
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 10/26/2009
Time: 5:01:00 PM
User: NT AUTHORITY\SYSTEM
Computer: BUILDSERVER
Description:
Logon Failure:
Reason: An error occurred during logon
User Name: TFS_Service
Domain: CORP
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: TFSAPPSERVER
Status code: 0xC000005E
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
So it appears that the tfs app server is trying to log in to the build server using the TFS_Service account. Rather than add TFS_Service as a local admin to the build server, what's the real requirement? I've reviewed install docs and can't find the answer.
thanks
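As an added example (not part of the original thread), the following Python code parses the Event 537 description posted above and decodes its status code, which helps tell a missing logon right apart from a credential or domain-controller reachability problem before any extra privileges are granted. The function names and triage classes are this example's own assumptions; the NTSTATUS names and logon type numbers are the standard Windows ones.

```python
# Constructed sample: the Event 537 description from the post above
# (names as substituted by the poster).
SAMPLE_EVENT = """\
Logon Failure:
Reason: An error occurred during logon
User Name: TFS_Service
Domain: CORP
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: TFSAPPSERVER
Status code: 0xC000005E
Substatus code: 0x0
"""

# NTSTATUS values commonly seen in logon-failure audits: (name, triage class).
# The triage classes are this example's own grouping, not a Windows concept.
NTSTATUS = {
    0xC000005E: ("STATUS_NO_LOGON_SERVERS", "infrastructure"),
    0xC0000133: ("STATUS_TIME_DIFFERENCE_AT_DC", "infrastructure"),
    0xC000006D: ("STATUS_LOGON_FAILURE", "credential"),
    0xC000006A: ("STATUS_WRONG_PASSWORD", "credential"),
    0xC0000064: ("STATUS_NO_SUCH_USER", "credential"),
    0xC0000234: ("STATUS_ACCOUNT_LOCKED_OUT", "account-state"),
    0xC0000072: ("STATUS_ACCOUNT_DISABLED", "account-state"),
    0xC000015B: ("STATUS_LOGON_TYPE_NOT_GRANTED", "logon-right"),
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               10: "RemoteInteractive"}

def parse_event(text):
    """Turn the 'Key: value' lines of an event description into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():          # skips headers such as "Logon Failure:"
            fields[key.strip().lower()] = value.strip()
    return fields

def triage(text):
    """Summarise who failed to log on, from where, and why."""
    f = parse_event(text)
    name, cls = NTSTATUS.get(int(f["status code"], 16), ("UNKNOWN", "unknown"))
    return {
        "account": f"{f.get('domain', '?')}\\{f.get('user name', '?')}",
        "source": f.get("workstation name", "?"),
        "logon_type": LOGON_TYPES.get(int(f.get("logon type", 0)), "Other"),
        "status": name,
        "class": cls,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```
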
Answers
- In the TFS installation guide, under the section "Installing Team Foundation Build - Specifying a service account for team foundation build", it's stated (twice) that if you're running tests as a part of the builds, then the user account running the service must be granted local administrator permissions; so in that case it's better to use a different account instead of TFS_Service.
I'm not sure, but I think it's because TFS app server publishes test results as a part of the build process.
Hope it helps...
Best regards
- Marked As Answer by BradIsley Wednesday, October 28, 2009 1:58 PM
All Replies
- True! I had a vague memory of this but couldn't find it.
thanks much


