how to log on my build machine with build service accout?

Question

Hello,

I got an error while do team build with TFS 2010, see below:

C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\Microsoft.Common.targets (1970): Cannot import the following key file: afx.pfx. The key file may be password protected. To correct this, try to import the certificate again or manually install the certificate to the Strong Name CSP with the following key container name: VS_KEY_AC90202AC4733F98

I searched information from internet. I got a solution is that I need to log in build machine with TFS Build Service Account. when I tried to add build service account as an adminstrator to build machine, I cannot find it, the accout is "NT AUTHORITY/NetworService". So is there anyone let me know how can I log on my build machine with build service accout?

I appreciate your help very much.

Answer 1

No, you are not going to be able to log in as NetworkService. It's one of those special account - like LocalSystem - that's for running services only.

Have you tried creating the key container in the machine certificate store?

---

DevBiker (aka J Sawyer)
Microsoft MVP - Sql Server (StreamInsight)

---

---

If I answered your question, please mark as answer.
If my post was helpful, please mark as helpful.

Answer 2

Hello DevBiker,

Thanks much for your reply.

actually, when I compiled my project, it works both in my PC and build machine. The problem only happened while do team build with TFS.

I used the command line below to install the pfx in build machine, but the team build still does not work.

sn -i afx.pfx VS_KEY_AC90202AC4733F98

any idea?

thanks,

Answer 3

It sounds like it is in the personal certificate store, rather than the machine certificate store. For NetworkService to use it, it needs to be in the machine (computer) certificate store.

See this article for info on how to view the certificate stores - and control which store you use.

---

DevBiker (aka J Sawyer)
Microsoft MVP - Sql Server (StreamInsight)

---

---

If I answered your question, please mark as answer.
If my post was helpful, please mark as helpful.

Answer 4

Hello DevBiker,

Thanks for your reply.

I used that article to import my .pfx into both service account and computer account. it still got the same error while do team build. what I am think is whether the build service account has no access to my .pfx in build machine. But I donot know how to grant its permission. can you help?

Thanks

Answer 5

Hi Panchen, 

Thanks for your post.

Yes, you should give the access permission for Build Service account to access that .pfx file on build agent file. Please logon your build agent machine using TFS Build Service account, then to import the AsemblySign.fpx on build agent machine using TFS Build Service account, after import completely, I think the TFS Build Service account will has permissions to access it on build agent machine. Then try build solution again.

---

John Qiao [MSFT]
MSDN Community Support | Feedback to us

Answer 6

Hello John,

Thanks for your answer.

would you please let me know how can I log on build agent with TFS Build Service account? I tried but cannot add the account as an adminstrotor, because I cannot find it in user accout.

Cheers,

Answer 7

Hi Panchen, 

Thanks for your reply.

Can you find the TFS_BUILD_SERVICE_WPG group in your build agent machine, I think the build service account in this group.

---

John Qiao [MSFT]
MSDN Community Support | Feedback to us

Answer 8

Hello John,

much thanks for your reply.

I found the TFS Build account in build machine, see screenshot below. But how can I log in to build machine with the account. I contact our IT apartment to add it as an admistrator but he said he cannot do that. He ask is there an abbreviate and password of this account, otherwise he also cannot log in the build machine with this build account

thanks

Answer 9

Hi Panchen, 

Thanks for your reply.

We usually use the domain account as the Build Service account, and this account should as the administrator(in the local Administrators group) on build machine.  

---

John Qiao [MSFT]
MSDN Community Support | Feedback to us

Answer 10

Hello John,

Thanks much for your reply.

The just added NetWORK SERVICe into administrator. In my login dialog which user account and password I need to enter. I do not know how to process it. Can I use the account "Adminstrator" to log in and then install .pfx file.

if this still cannot solve the problem, can you let me know how can I disable the digital certification in team build so that I can ignore this step. I believe it can be done to revise the template.

thank,

pan,

Answer 11

Question ... is this for a strong name?

If so, you could add the strong name key file to the project itself and then reference the file rather than using a certificate in the certificate store.

---

DevBiker (aka J Sawyer)
Microsoft MVP - Sql Server (StreamInsight)

---

---

If I answered your question, please mark as answer.
If my post was helpful, please mark as helpful.

Answer 12

Hello DevBiker,

Thanks for your reply.

You are correct. I signed the assemble for strong name. the .pfx file was added into project indded. Can you let me know more detail how to do this.

thanks,

Answer 13

Hi Pan,

Thanks for your reply.

As I said, please use the domain account as the Build Service account, and this account should has the Administrator permission on build machine.

Then try the solution in this post: http://stackoverflow.com/questions/2815366/cannot-import-the-following-keyfile-blah-pfx-the-keyfile-may-be-password-prote. 

---

John Qiao [MSFT]
MSDN Community Support | Feedback to us

Answer 14

Out of curiosity, have you added the necessary permissions for network service to even read the PK data? If you're in the cert MMC, simply right click on the certificate, go to 'All Tasks -> Manage Private Keys'. If network service does not have permission, add it in this dialog and then retry your operation.

Patrick