Only TFSService can submit work item from SharePoint; all other IDs get Access Denied errors

  • Question

  • Thanks in advance, everyone. 

    TFS 2008 on WIN2K3 Server (App and Data Tier are on separate machines)
    IIS 6 (default web site is using Integrated Windows Authentication)
    SharePoint 3.0
    IE 6

    We created a custom C# application / web page for SharePoint and TFS.  The application / web page appears on a Team Project’s Portal, and accepts Team Project and build specific information (via edit boxes or drop down list boxes).  When a user presses the Submit button a “CM Build Request” Work Item is created, and an e-mail is sent to the CM Team with the build specific information so the build can be processed.

    On our TFS test server, this works without any problems for all users.  On our TFS Production server, what happens is that the custom web page loads fine.  But when any user (other than TFSService) presses the submit button (with valid information), we get the following error:

    Server Error in '/_layouts/BuildRequest' Application.
    Security Exception

    Description: The application attempted to perform an operation not allowed by the security policy.  To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

    Exception Details: System.Security.SecurityException: Requested registry access is not allowed.

    Source Error:
    [No relevant source lines]

    Source File: c:\WININST\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\_layouts_buildrequest\25cf3dee\555fedef\App_Web_submitbuildrequest.aspx.cdcab7d2.oauhbs8e.0.cs    Line: 0

    Stack Trace: 
    [SecurityException: Requested registry access is not allowed.]
       System.ThrowHelper.ThrowSecurityException(ExceptionResource resource) +48
       Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable) +2887817
       Microsoft.TeamFoundation.Client.RegisteredServers.OpenCurrentUser(Boolean writable, Boolean shouldCreate) +88
       Microsoft.TeamFoundation.Client.RegisteredServers.GetUriForServer(String serverName) +42
       Microsoft.TeamFoundation.Client.TeamFoundationServer.GetUriForName(String name) +121
       Microsoft.TeamFoundation.Client.TeamFoundationServer.get_Uri() +24
       Microsoft.TeamFoundation.Proxy.BisRegistrationService..ctor(TeamFoundationServer tfsObject) +83
       Microsoft.TeamFoundation.Client.TeamFoundationServer.CreateInternalProxy(Type serviceType) +51
       Microsoft.TeamFoundation.Client.TeamFoundationServer.GetService(Type serviceType) +243
       Microsoft.TeamFoundation.WorkItemTracking.Client.WorkItemStore.GetMiddleTierUrls(String& serverUrl, String& configurationSettingsUrl) +38
       Microsoft.TeamFoundation.WorkItemTracking.Client.WorkItemStore.InitializeInternal() +68
       Microsoft.TeamFoundation.WorkItemTracking.Client.WorkItemStore.Microsoft.TeamFoundation.Client.ITeamFoundationServerObject.Initialize(TeamFoundationServer teamFoundationServer) +90
       Microsoft.TeamFoundation.Client.TeamFoundationServer.CreateITFSObjectInstance(Assembly assembly, String fullName) +125
       Microsoft.TeamFoundation.Client.TeamFoundationServer.GetService(Type serviceType) +362
       TMHP.WINTEL.BuildRequest.SubmitBuildRequest.btnSubmit(Object sender, EventArgs e) +146
       System.Web.UI.WebControls.Button.OnClick(EventArgs e) +105
       System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +107
       System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +7
       System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +11
       System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +33
       System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +7350
       System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +213
       System.Web.UI.Page.ProcessRequest() +86
       System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +18
       System.Web.UI.Page.ProcessRequest(HttpContext context) +49
       ASP.submitbuildrequest_aspx.ProcessRequest(HttpContext context) in c:\WININST\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\_layouts_buildrequest\25cf3dee\555fedef\App_Web_submitbuildrequest.aspx.cdcab7d2.oauhbs8e.0.cs:0
       System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +358
       System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +64

    We’ve tried numerous things to try to resolve this error (for TFSService, everything works fine):

    We followed all the steps in Naren's Blog: to set up the work item.

    We followed the relevant steps in Tim Huffam’s Blog:

    We tried changing registry settings per

    We set the permission to WSS_MEDIUM in the SharePoint site

    We overrode the permission in the SharePoint web config for the site and gave the site full permissions

    We tried giving the ASPNET and NETWORK SERVICE accounts full control to c:\WININST\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET

    We verified permissions on D:\TFSCacheFolder


    - Our web site is using Integrated Windows Authentication
    - Our web site has its own app pool
    - Each time we made a change we ran “iisreset” and closed and re-opened the browser
    - The Event Viewer doesn’t show anything particularly useful; we do not see any references to failed authentication, TFS, .NET, etc.

    We believe it's permissions related, but we cannot seem to find the problem.  We’ve tried comparing the TFS Test and TFS production server (machine.config, web.config, IIS, etc.) but we’re not seeing anything that indicates the problem.

    • Edited by HATLANTA Tuesday, October 21, 2008 7:56 PM
    Tuesday, October 21, 2008 7:55 PM