Team 2010 Automated Build Untrusted Domain Security Error

  • Question

  • I'm setting up a new Team 2010 environment for my Devs, and I'm trying to use build services to build to our QA environment which is on a separate, untrusted domain. I read the article:

    http://blogs.msdn.com/adamroot/archive/2010/03/02/configuring-team-foundation-server-2010-build-services-outside-of-domains-and-domain-trust.aspx

    From this article, I'm using credential manager in 2008 R2 to connect to my QA web servers from my build server, but I am getting the error: 

    The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you. 


    When I reboot or restart the build service, it works again for a while, and then errors out again with the above error. I have tried uninstalling the build service and reinstalling using:

     

    Open a command prompt set the environment variable:
    
    set TFS_IGNORE_TBRUNNINACOUNT=1
    Now start the TFS Admin Console:
    
    %ProgramFiles%\Microsoft Team Foundation Server 2010\Tools\TfsMgmt.exe

    But my builds still fail. Short of redoing the entire server from scratch, is there anything else I can do to fix this error?  

     

    Thanks in advance. -Jim

    Monday, May 17, 2010 4:42 PM

Answers

  • Okay, I must have misunderstood you then. You have your build server working within your domain and only want to drop files to the QA?

    Why not simply use net use to map a disk to the server, like calling a .bat file,

     

    net use f: \\QAServer\ShareName Pwd /User:QAServer\LocalAccount 
    xCopy %1 f:
    net use f: /delete

     

    PSExec executes processes on remote servers, yes, but it also copies the exec to the remote server if instructed to.

     

    Wednesday, May 19, 2010 6:48 AM

All replies

  • Might I suggest a different solution? Have your build server within your dev domain, build and assemble your apps on the build server, and then deploy them to your QA with PSExec?

    See this thread for more info: http://social.msdn.microsoft.com/Forums/en-US/tfsbuild/thread/d761b8f5-2bb0-4aab-9863-253250cf55e0/#6d156e7c-a8e7-4f09-b0ba-a2ef3b2d224e

    Monday, May 17, 2010 7:33 PM
  • Sorry but using a third party tool at this point is not an option. My bosses all love how the build process can be tracked and reported on right inside of team. 

     

    I'm still having this issue. Is anyone else having trouble with this? I can't be the only person who has a QA untrusted domain and is trying to build to it. 

    Tuesday, May 18, 2010 4:58 PM
  • PSExec is a part of Microsoft Sysinternals and can be downloaded from microsoft.com/sysinternals. You would still have everything tracked & reportable. PSExec simply handles the network trust issues.

    In my experience most organizations prefer (one-way) trust between QA and prod over installing build servers in QA. The main problem is still the same however, you can't build on the QA server, only deploy to it.

     

     

    Tuesday, May 18, 2010 8:46 PM
  • PSExec is a part of Microsoft Sysinternals and can be downloaded from microsoft.com/sysinternals. You would still have everything tracked & reportable. PSExec simply handles the network trust issues.

    In my experience most organizations prefer (one-way) trust between QA and prod over installing build servers in QA. The main problem is still the same however, you can't build on the QA server, only deploy to it.

     

     

    Thanks for the reply. 

     

    The only difference is, my build machine and my team server are both in the same domain. They work together just fine. I don't need to run any commands on my QA webserver either. I only need my buildservice user from my domain where team and my build server are, to be able to access my QA webserver without having to ask for credentials. I read the article from my first post, and figured the Windows Vault would be perfect for this, but it only works for about 1 day, and then I get the error that I mentioned in my first post. From the link you provided, it seems like my situation is different. Am I missing something on how PSexec works? It seems like it only runs commands on remote machines. 

    Tuesday, May 18, 2010 11:02 PM
  • Gotcha. I could do that. The only reason I thought of using the Credential Manager was because it was supposed to be secure, and putting credentials in a batch file is in no way secure. I will try it this way and see if my builds still fail. 

     

    Thanks again for your help! -Jim

    Wednesday, May 19, 2010 2:37 PM
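
The concern raised in the last post, a cleartext password sitting in the deployment batch file, can be avoided while keeping the same map, copy, unmap flow from the accepted answer. The script below is an added example, not code from any poster in this thread; it assumes PowerShell 3.0 or later on the build server (needed for `New-PSDrive -Credential` on file shares), and the `C:\BuildSecrets\qa-drop.pwd` path and `QADrop` drive name are hypothetical.

```powershell
# Added example. Assumes PowerShell 3.0+ and a hypothetical secrets path.
# One-time setup, run interactively as the build service account on the build server:
#   Read-Host 'QA password' -AsSecureString | ConvertFrom-SecureString |
#       Set-Content 'C:\BuildSecrets\qa-drop.pwd'
# Without -Key, ConvertFrom-SecureString protects the value with DPAPI, so only
# that account on that machine can turn it back into a usable password.
param(
    [Parameter(Mandatory = $true)]
    [string]$SourceDir                       # build output folder (the %1 of the batch file)
)

$ErrorActionPreference = 'Stop'
$share   = '\\QAServer\ShareName'            # share and account names as used in the answer
$user    = 'QAServer\LocalAccount'
$pwdFile = 'C:\BuildSecrets\qa-drop.pwd'     # hypothetical path; limit its ACL to the build account

if (-not (Test-Path -LiteralPath $pwdFile)) {
    throw "Protected password file not found: $pwdFile (run the one-time setup first)"
}
if (-not (Test-Path -LiteralPath $SourceDir -PathType Container)) {
    throw "Source folder not found: $SourceDir"
}

# Rebuild the credential in memory; the cleartext password is never written to the script.
$secure = Get-Content -LiteralPath $pwdFile | ConvertTo-SecureString
$cred   = New-Object System.Management.Automation.PSCredential($user, $secure)

# Map the share for this session only, copy the drop, and always unmap afterwards.
New-PSDrive -Name QADrop -PSProvider FileSystem -Root $share -Credential $cred | Out-Null
try {
    Copy-Item -Path (Join-Path $SourceDir '*') -Destination 'QADrop:\' -Recurse -Force
}
finally {
    Remove-PSDrive -Name QADrop
}
```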