TFS 2010 Build Service - Account Issues

Question

Hi

I am taking a punt this is the betetr forum than build automation.

Our specific case is we don't have domain trust to a TFS 2010 Server and wish to add a build server.

Normal TFS Explorer access works fine because on connect it asks for our credentials and we put in the remote TFS servers values.

When you run the build configuration widget it asks for an account to run the build service. We can place OUR domain user, workgroup user,  or NETWORK SERVICE ...

Although the wizard successfully finds the remote TFS Server build controllers and lists these, when we verify the wizard we get the error that  the account (2nd step in wizard) can't talk to the remote server.

NB: I have added a credential store user for the remote TFS server.

>> In theory, the service should be able to run under user A and then use user B for the TFS part ? This is essentially exactly what is happening when vs2010 is running on the client side .

>> Is there a way to win here to get the service running and yet use the credentials stored for the remote TFS server ?

=> Can we push the other way, add a build service over on the remote TFS server and point to us, or manaually add some XML / CONFIG / Registry settings ?

Thanks

Answer 1

Hi Greg,

Thanks for your post!

Do you mean the TFS 2010 Server and the Build Server on the same domain which you don't have this domain trust?

First, could you open Event Viewer and review the application log? could you find any related errors?

Second, If you want to configure a build service,  you must be a member of the Administrators group on the build machine and your Manage build resources permission must be set to Allow.

For your first question, could you describe in more detail?

For your second question, please refer to http://blogs.msdn.com/b/khushboo/archive/2005/11/09/490743.aspx

http://social.msdn.microsoft.com/Forums/lv-LV/tfssetup/thread/6b71f0fd-583e-4332-b504-535da193cf5c and

http://social.msdn.microsoft.com/Forums/en/tfssetup/thread/76998dd4-671e-4cef-84bf-3673ac746cd4

For your third question, you can go to Team Foudation Server Administration Console->Build configuration, under the build server, click Properties, under communications in the Build Service Properties, modify the connect to Team Project Collection by Browse.

If you have any concern, please feel free to let me know.

Best Regards,

---

Cathy Kong [MSFT]
MSDN Community Support | Feedback to us

Answer 2

Thanks Cathy, will look tomorrow

I try to clarify the start of the thread

- Remote TFS server in REMOTEDOMAIN
- We can access remote TFS in OURDOMAIN by providing REMOTEDOMAIN credentials for TFS

- We want to add a local build agent in OURDOMAIN which will add an entry in the remote TFS project Build settings
- Using the wizard in OURDOMAIN fails because the wizard is trying to use the OURDOMAIN creds for BOTH running the service and talking to the TFS in REMOTEDOMAIN

- We are trying to work out a work around for this problem as vs2010 itself is quite happy running in OURDOMAIN with REMOTEDOMAIN TFS users...

Thanks

Answer 3

Hi

It is possible that the statement in http://msdn.microsoft.com/en-us/library/bb668967.aspx if accurate (see below) may allow this to work as most of the url's given assume a level of trust.

Up until now, i have assumed only special local users (e.g. Administrator) shared the same user SID on all machines and could be interchanged. This reference seems to imply it is true for the other local users as well. I will post back the results.

=============

Mirrored Accounts
The TFS Proxy is supported in remote offices only over a VPN connection. However, if you have deployed your TFS using the extranet or reverse proxy scenario for a small remote team that requires the TFS Proxy, you can use mirrored accounts to enable the proxy.

To enable the proxy, you can use workgroup accounts with matching usernames and passwords on the TFS, the TFS Proxy, and each of the remote client computers. The fact that you need to maintain the exact username/password match for all users in three different locations increases administration time and restricts this workaround to small remote teams.

Note: TFS 2008 allows users to authenticate to the VC proxy with their logon credentials. This makes the use of a workgroup account for the VC proxy service an attractive option in environments where a VPN connection cannot be used.

Answer 4

Hi Greg,

Thanks for sharing the experiences here!

What about the results?

For more information, you can refer to http://stackoverflow.com/questions/3210476/how-to-access-vs-2010-tfs-over-the-internet-from-remote-office

Hope it helps!

Best Regards,

---

Cathy Kong [MSFT]
MSDN Community Support | Feedback to us

Answer 5

OK

I have confirmed the sentences in http://msdn.microsoft.com/en-us/library/bb668967.aspx  are true.

TFS allows you to user a local user on both sides. i.e. localguy with the same password set.

It is a bit disconcerning   as techically you are setting mymachine\localguy to pass credentials for  remotemachine\localguy.

At one level it would seem not to work but it does work.

It works for both build agents and a proxy server !!

THe http://stackoverflow.com/questions/3210476/how-to-access-vs-2010-tfs-over-the-internet-from-remote-office  is about the ports.

You have to have port 8080 access to remote of course, but if you create your own local build controller and agent, you can avoid port 9191 issues with the remote TFS.

Greg