Unattended installation of TFS in an Azure VM using a CustomScriptExtension

  • Question

  • This one is a bit complex so bear with me:

    I'm trying to create a 'one click' TFS server to mimic my on-premise environment so that my users can have a sandbox environment to experiment with.

    To that end I've created an Azure Resource Manager template that will set up a simple VM with SQL Server which I then subsequently add a CustomScriptExtension to in order to install TFS itself.

    There are two scripts involved, the first 'start.ps1' is a bootstrap script that will download the TFS installer to the VM, do a '/quiet' install, and then invoke the configure step. Code looks like this:

    [CmdletBinding()]
    Param(
    	[Parameter(Mandatory=$True,
    		HelpMessage='Username')]
    	[string]$theUsername,
    
    	[Parameter(Mandatory=$True,
    		HelpMessage='Password')]
    	[string]$thePassword
    )
    
    # Installs TFS 2015 update 1 using a default "Standard" configuration.
    
    $tfs_url = "http://go.microsoft.com/fwlink/?LinkId=615439"
    $output = "c:\temp\tfs_server.exe"
    
    If (-Not(Test-Path "c:\temp"))
    {
        New-Item -ItemType Directory "c:\temp"
    }
    
    # Download the installer file
    Invoke-WebRequest -Uri $tfs_url -OutFile $output
    
    # Install Quietly
    Start-Process -Wait -FilePath "c:\temp\tfs_server.exe" -ArgumentList "/quiet" -NoNewWindow
    
    $password =  ConvertTo-SecureString $thePassword -AsPlainText -Force
    $credential = New-Object System.Management.Automation.PSCredential("$env:COMPUTERNAME\$theUsername", $password)
    $command = $file = $PSScriptRoot + "\InstallTFS.ps1"
    Invoke-Command -FilePath $command -ComputerName $env:COMPUTERNAME -Credential $credential

    The last line of that script invokes the script "InstallTFS.ps1" using the administrative user credential that is created along with the VM in Azure. Code for that script looks like this:

    # Configure TFS
    $tfsconfigexe = 'C:\Program Files\Microsoft Team Foundation Server 14.0\Tools\tfsconfig.exe'
    & $tfsconfigexe unattend /configure /type:standard
    if (-not $?) {
        Write-Error "Configure Problem: $LastExitCode" -ErrorAction Stop
    }
    
    # Allow public through firewall
    netsh advfirewall firewall set rule name='Team Foundation Server:8080' new profile='any'

    On to the problem:

    If I run these scripts when logged in as the aforementioned administrative user (i.e. open a powershell window and run start.ps1) then everything works fine, TFS is installed and configured.

    However, if I run these scripts using the CustomScriptExtension Azure extension (or if I run it in a powershell window when logged in as a non-administrator user) then I run into the following problem during TFS configuration:

    [Info   @15:14:24.387] +-+-+-+-+-| Configuring view state keys |+-+-+-+-+-
    [Info   @15:14:24.387] Starting Node: CVIEWSTATEKEY
    [Info   @15:14:24.387] NodePath : Container/Progress/CVIEWSTATEKEY
    [Info   @15:14:24.387] Executing ConfigureViewStateKeys.Run()
    [Error  @15:14:29.841] 
    Exception Message: Access is denied.
     (type CryptographicException)
    Exception Stack Trace:    at System.Security.Cryptography.ProtectedData.Protect(Byte[] userData, Byte[] optionalEntropy, DataProtectionScope scope)
       at Microsoft.TeamFoundation.Framework.Server.StrongBox.StrongBoxItemCacheService.<>c__DisplayClass4_0.<GetDecryptedBytes>b__2(IMemoryCacheList`2 cache, Byte[] delegateResult)
       at Microsoft.TeamFoundation.Framework.Server.VssVersionedCacheService`1.Synchronize[T](IVssRequestContext requestContext, Func`1 dataOperation, Action`2 writeCache)
       at Microsoft.TeamFoundation.Framework.Server.StrongBox.StrongBoxItemCacheService.GetDecryptedBytes(IVssRequestContext requestContext, StrongBoxItemInfo item, Func`1 missDelegate)
       at Microsoft.TeamFoundation.Framework.Server.TeamFoundationStrongBoxService.GetString(IVssRequestContext requestContext, StrongBoxItemInfo item)
       at Microsoft.TeamFoundation.Admin.ConfigureViewStateKeys.Run(ActivityContext context)

    So, apparently there are some security context differences whether I'm running these scripts as my administrative user, or whether I'm running as some other user, regardless of the fact that the 'Invoke-Command' uses a -Credential object.

    The question:

    Is there a way to ensure that the 'Invoke-Command' is running with the same security context as it would be if I'm running it when logged in as the administrative user, or is there a way to determine what exactly is giving me the "access denied" error so that I could potentially adjust its permissions before install and then set them back after?

    Thanks


    Friday, February 26, 2016 3:41 PM
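
The stack trace in the question fails inside `ProtectedData.Protect` (DPAPI), so the following added example, which is not part of the original post, calls that same API in both scopes and reports the token's logon type and whether the user's profile hive is loaded. The function names `Test-DpapiScope` and `Get-LogonContext` are hypothetical, and the script assumes Windows PowerShell on the VM.

```powershell
# Added diagnostic, not from the thread. Run it in the working context (interactive
# logon as the admin user) and in the failing one (Invoke-Command -Credential or
# CustomScriptExtension), then compare the two reports.
Add-Type -AssemblyName System.Security   # System.Security.Cryptography.ProtectedData

function Test-DpapiScope {               # hypothetical helper name
    param([System.Security.Cryptography.DataProtectionScope]$Scope)
    $plain = [System.Text.Encoding]::UTF8.GetBytes('dpapi-probe')   # constructed sample
    try {
        # Same API that throws in ConfigureViewStateKeys.Run() per the stack trace
        $blob = [System.Security.Cryptography.ProtectedData]::Protect($plain, $null, $Scope)
        $back = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $Scope)
        $same = [System.Text.Encoding]::UTF8.GetString($back) -eq 'dpapi-probe'
        [pscustomobject]@{ Scope = $Scope; Result = $(if ($same) { 'OK' } else { 'Mismatch' }); Error = '' }
    }
    catch {
        # .NET exceptions arrive wrapped; GetBaseException() yields the CryptographicException
        [pscustomobject]@{ Scope = $Scope; Result = 'Failed'; Error = $_.Exception.GetBaseException().Message }
    }
}

function Get-LogonContext {              # hypothetical helper name
    $id     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $groups = @($id.Groups | ForEach-Object { $_.Value })
    # Well-known SIDs that Windows adds to the token according to the logon type
    $logonSids = @{ 'S-1-5-2' = 'NETWORK'; 'S-1-5-3' = 'BATCH'; 'S-1-5-4' = 'INTERACTIVE'; 'S-1-5-6' = 'SERVICE' }
    $logonType = @($logonSids.Keys | Where-Object { $groups -contains $_ } | ForEach-Object { $logonSids[$_] })
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    [pscustomobject]@{
        User              = $id.Name
        IsAdminToken      = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        LogonType         = $logonType -join ','
        AuthType          = $id.AuthenticationType
        # CurrentUser-scope DPAPI master keys are stored in the user's profile
        ProfileHiveLoaded = Test-Path "Registry::HKEY_USERS\$($id.User.Value)"
    }
}

# Out-String keeps the report readable when it is returned through Invoke-Command
Get-LogonContext | Format-List | Out-String
[enum]::GetValues([System.Security.Cryptography.DataProtectionScope]) |
    ForEach-Object { Test-DpapiScope -Scope $_ } | Format-Table -AutoSize | Out-String
```

If the same account gets `OK` interactively and `Failed` through the remote path, the difference between the two reports shows which part of the logon context changed.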

All replies

  • Hi James,  

    Thanks for your post.

    To run the Tfsconfig unattend command to install TFS Server, the executing user needs to have the permissions below:

    • Must be a member of the Administrators group on the computer where you are installing the software.
    • Must be a member of the sysadmin group on the instance of SQL Server that will support TFS.

    Please refer to the Unattend command information in this document: https://msdn.microsoft.com/en-us/library/vs/alm/tfs/administer/command-line/tfsconfig-cmd?f=255&MSPPError=-2147217396#Unattend.


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.

    Monday, February 29, 2016 5:56 AM
    Moderator
  • Unfortunately in this case I am a member of the Administrators group and a sysadmin on the Database. The installation completes as far as the end of step 2 -- the TFS files are all installed (administrator on the system) and the TFS_Configuration database is created and all the schema is loaded (so that shows that my user is sysadmin on the db). It's just the specific part above related to the view state keys (which appears to be the last part of the database configuration step) that is failing. Unfortunately I don't know what that step is actually trying to accomplish so I can't check what sort of permissions the system thinks I require.
    Tuesday, March 1, 2016 1:40 PM
  • Hi James,  

    Thanks for your reply.

    That step tries to configure view state keys in the Tfs_Configuration database, but it returned the Access is denied error, so please compare your account's and that “aforementioned administrative” user’s permissions in your Tfs_Configuration database or SQL Server, and check what the difference between them is.

    And you can manually run TFS setup (tfs_server.exe) using your account on the Azure VM, then check if your account can manually install TFS Server successfully in the VM. If any error happens, please share the error log here.



    Wednesday, March 2, 2016 2:27 AM
    Moderator
  • As mentioned in the original problem description, the user running the tfs setup is the same in both cases. If I log into the server as myvm\james and run the tfs configuration then it is successful. However if I log into the server as myvm\anotheruser and then "run as" myvm\james then the tfs configuration gets the error related to the view state key.

    Assuming these view state keys are being set in the TFS_Configuration database, then this error would seem to make no sense as the user was able to create the database itself and all the schema prior to the error occurring.

    Thursday, March 3, 2016 4:07 PM
  • Hi James,  

    Thanks for your reply.

    You log into your Azure VM using the myvm\anotheruser account, and run TFS setup using the myvm\james account in the way below (screenshot), but the setup/configure still failed? If yes, please share the full log of the manual installation here. (Please ensure you delete all previous TFS databases from SQL Server on your VM before this manual install.)



    Friday, March 4, 2016 2:42 AM
    Moderator
  • I log into the VM as tfsvm\anotheruser and I run the following in a PowerShell window:

    $password =  ConvertTo-SecureString $thePassword -AsPlainText -Force
    $credential = New-Object System.Management.Automation.PSCredential("$env:COMPUTERNAME\$theUsername", $password)
    $command = $file = $PSScriptRoot + "\InstallTFS.ps1"
    Invoke-Command -FilePath $command -ComputerName $env:COMPUTERNAME -Credential $credential

    where Credential in the above script is tfsvm/james (which is the administrative user).

    InstallTFS.ps1 runs

    # Configure TFS
    $tfsconfigexe = 'C:\Program Files\Microsoft Team Foundation Server 14.0\Tools\tfsconfig.exe'
    & $tfsconfigexe unattend /configure /type:standard
    if (-not $?) {
        Write-Error "Configure Problem: $LastExitCode" -ErrorAction Stop
    }
    
    # Allow public through firewall
    netsh advfirewall firewall set rule name='Team Foundation Server:8080' new profile='any'

    So effectively I'm running "C:\Program Files\Microsoft Team Foundation Server 14.0\Tools\tfsconfig.exe unattend /configure /type:standard" as tfsvm/james.

    You can try this installation yourself using the scripts here: https://github.com/JamesCarscadden/team-foundation-server-test-vm 

    The full log is too long to include below, find it here: https://raw.githubusercontent.com/JamesCarscadden/team-foundation-server-test-vm/master/ErrorLog.txt

    Friday, March 4, 2016 2:47 PM
  • Hi James,    

    I tested this scenario and received the same result.

    For this scenario, please submit it to the Microsoft Connect Feedback portal at: https://connect.microsoft.com/VisualStudio. Microsoft engineers will evaluate it seriously.





    Monday, March 7, 2016 7:44 AM
    Moderator