TeamFoundationServer.Authenticate() Throwing Exception about registry
I'm trying to access a particular workitem to retrieve a custom field, but I'm stuck trying to attach to TFS. Here's my code where I'm stuck. The user for the credential, what kind of permissions does it need? Should I not use the service id?
NetworkCredential nc = new NetworkCredential("tfsservice", "<pw>", "<domain>");
TeamFoundationServer tfs = new TeamFoundationServer("http://localhost:8080/", nc);
tfs.Authenticate();
Here's the exception that's thrown:
Microsoft.TeamFoundation.TeamFoundationServerUnauthorizedException: Requested registry access is not allowed. ---> System.Security.SecurityException: Requested registry access is not allowed.
at System.ThrowHelper.ThrowSecurityException(ExceptionResource resource)
at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)
at Microsoft.TeamFoundation.Client.RegisteredServers.OpenCurrentUser(Boolean writable, Boolean shouldCreate)
at Microsoft.TeamFoundation.Client.RegisteredServers.GetServerForUri(Uri uri)
at Microsoft.TeamFoundation.Client.TeamFoundationServer.get_DisplayName()
at Microsoft.TeamFoundation.Client.TeamFoundationSoapProxy.ThrowIfUnauthorized(HttpWebResponse response)
at Microsoft.TeamFoundation.Client.TeamFoundationSoapProxy.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at Microsoft.TeamFoundation.Client.CheckAuthenticationProxy.CheckAuthentication()
at Microsoft.TeamFoundation.Client.TeamFoundationServer.Authenticate(Boolean useProvider, ICredentialsProvider provider)
--- End of inner exception stack trace ---
at Microsoft.TeamFoundation.Client.TeamFoundationServer.Authenticate(Boolean useProvider, ICredentialsProvider provider)
at Microsoft.TeamFoundation.Client.TeamFoundationServer.Authenticate()
at Service.Notify(String eventXml, String tfsIdentityXml) in c:\Program Files\Microsoft Visual Studio 2005 Team Foundation Server\Web Services\UpdateHelpStar\App_Code\Service.cs:line 44
All Replies
Edith, we recently found this bug in our code. We will investigate for a fix. Workaround for now is to give all connecting users read access to the registry key in machine for resolving server names. The key name is CurrentVsVersionInformation.RegistryKeyPath + "\\TeamFoundation\\Servers". If you can report this bug by going to https://connect.microsoft.com/VisualStudio/feedback/ (choose Visual Studio 2005 Team Foundation Server in the Version combo box), this will get higher priority for fixing.
Thanks.
Thanks, I've submitted the bug. I'll try the workaround next.
I did a search in the registry "CurrentVsVersionInformation.RegistryKeyPath" and can't find it.
I searched for CurrentVsVersionInformation & RegistryKeyPath.
Is this the registry key?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VisualStudio\8.0\TeamFoundation\Servers
I gave the tfsservice account read access to that key and I'm still getting the exception.
What am I doing wrong? Which user and what key and what kind of access?
- Yes, read access for the user whom you impersonate. Looks like it doesn't work for you. Can you run regmon (from sysinternals.com)? It should tell you easily what key access is failing. I'll check with our architect who was investigating this meanwhile.
113.17089844 w3wp.exe:2948 OpenKey HKCU\Software\Microsoft\VisualStudio\8.0\TeamFoundation\Servers ACCESS DENIED TASMANIA\IUSR_TASMANIA
If everything is working ok, I'm assuming that the "network credential id" is used to gain access to the registry key. In this case, it seems to be the "iusr..." as the user that's erroring out, but I expected it to be the tfsservice id, since that's what I passed in as the network credential.
- I've given full control to tasmania\iusr_tasmania and the service account and I'm still getting access denied.
Sorry that it didn't work. I just found that our internal user solved this by adding read permissions for all domain users to HKEY_USERS\.Default\Software\Microsoft\VisualStudio\8.0\TeamFoundation\Servers. So the impersonated accounts need read access to that key. Can you try this one? Only some people seem to get it and it is harder for us to get a repro in our environment consistently, which makes troubleshooting harder.
- I've given everyone Full Control and still getting an exception. Am I missing a step? Should I call support?
- Sorry, I do not have any other ideas. You can contact CSS to get further help on this issue.
Was there ever a fix on this issue? I am currently running into the same problem with the SDK. We are trying to use impersonation to create an application where users can submit their own bug tickets, but anytime someone hits our site they get the error "Requested Registry Access Is Not Allowed".
No, we attempted to repro this here but failed to repro. Can you work around this problem by giving access to that registry key? If that doesn't work, please contact CSS and they could do more troubleshooting.
I've got a pretty easy reproduction for you.
OS: Windows 2003 Server R2 (32bit) Quad Core, 4 GB memory.
Domain Member (setup in accordance with the TFS Install Guide)
Machine is trusted for delegation
TFS Web Service uses a Domain Account
Clean installation of Team Foundation Server 2008 (Service Pack 1) on a single tier. SQL Server 2005 (Service Pack 2) [Analysis/Reporting/Client Tools] and Windows SharePoint Services 3.0 (installed with Team Foundation). Team Foundation Web Access (Service Pack 1) and Team Build (Service Pack) and Team Explorer also installed.
Authentication: Kerberos & NTLM
When a domain user who has permissions attempts to log on via Web Access they receive "Requested registry access is not allowed".
Stack Trace (on page, in hidden comments):
<Snip>
Microsoft.TeamFoundation.TeamFoundationServerUnauthorizedException: Requested registry access is not allowed. ---> System.Security.SecurityException: Requested registry access is not allowed.
at System.ThrowHelper.ThrowSecurityException(ExceptionResource resource)
at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)</snip>
Fix:
Was the same symptom.
Although W3wp.exe was running as NETWORK SERVICE (app pool identity), the attempt to open the registry key
HKEY_USERS\S-1-5-20\Software\Microsoft\VisualStudio\9.0\TeamFoundation failed - access denied. Applying specific permissions (Domain Users, etc) fixed the problem.
- We are having the same exact issue as above, also using Kerberos and NTLM. I have tried changing the permissions on the specified registry key but still receive the same error.
What users need to be given permission: ASPNET, IUSER, NETWORK SERVICE, etc? Also, what are all the keys we need to add these permissions on? We really need to get this resolved ASAP.
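
Added example, not part of the original thread: a PowerShell sketch that lists who has access to the two registry keys named in the posts above, flags any Full Control grants to broad groups left behind by troubleshooting, and shows how to grant read-only access to a single account instead. The key paths are copied from the posts; the account name is a constructed placeholder for whichever identity regmon reports as denied.

```powershell
# Added example, not from the thread. Key paths are the ones quoted in the posts;
# $Account is a constructed placeholder for the identity regmon shows as denied.
$Account = 'EXAMPLE\app-identity'
$Keys = @(
    'Registry::HKEY_USERS\.Default\Software\Microsoft\VisualStudio\8.0\TeamFoundation\Servers',
    'Registry::HKEY_USERS\S-1-5-20\Software\Microsoft\VisualStudio\9.0\TeamFoundation'
)
$Full = [System.Security.AccessControl.RegistryRights]::FullControl

# List every ACE on each key so the effective grants are visible before changing anything.
function Get-KeyAccessReport {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -Path $p)) { Write-Warning "Key not present: $p"; continue }
        foreach ($ace in (Get-Acl -Path $p).Access) {
            [pscustomobject]@{
                Key = $p; Identity = $ace.IdentityReference.Value
                Rights = $ace.RegistryRights; Type = $ace.AccessControlType; Inherited = $ace.IsInherited
            }
        }
    }
}

# Add a read-only allow rule for one account, inherited by subkeys.
function Grant-KeyRead {
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -Path $Path
    $ruleArgs = $Identity, 'ReadKey', 'ContainerInherit', 'None', 'Allow'
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $ruleArgs
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

$report = Get-KeyAccessReport -Path $Keys
$report | Format-Table -AutoSize

# Flag Full Control allow rules held by broad groups, left over from troubleshooting.
$report | Where-Object {
    $_.Type -eq 'Allow' -and ($_.Rights -band $Full) -eq $Full -and
    $_.Identity -match '(^Everyone$|\\Users$|\\Domain Users$|\\Authenticated Users$)'
} | ForEach-Object { Write-Warning "Broad Full Control: $($_.Identity) on $($_.Key)" }

# Uncomment to grant read-only access to the single account that needs it:
# foreach ($k in $Keys) { if (Test-Path -Path $k) { Grant-KeyRead -Path $k -Identity $Account } }
```

Run it from an elevated prompt on the server, since reading and changing ACLs under HKEY_USERS requires administrative rights.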


