Error TF30063: You are not authorized to access <cut>DefaultCollection/Services/v3.0/LocationService.asmx RRS feed

  • Question

  • I am attempting to migrate a TFS 2010 (on SQL 2008 R2) installation to a new server and would like to upgrade to TFS 2012 and SQL 2012 for maximum longevity.  Following the instructions at http://elhajj.wordpress.com/, everything is working great except the project portals.  After completion, I received the same error for each portal I would access (attached below).  If I add the Sharepoint service account to the TFS Admin group, the error disappears.  However, all other accounts including other TFS Admins get the error.  I have scoured the permissions lists for any Deny with no luck.  I've checked the Reporting Services permissions on the report server homepage and the sharepoint portal permissions and the user I'm attempting to access with is in both.  I'm stumped on where to look next.

    Wednesday, October 31, 2012 10:07 PM


  • Could you please check whether the account has "make request on behalf of other" permission in TFS?



    • Marked as answer by NateF Thursday, November 15, 2012 5:32 PM
    Thursday, November 15, 2012 4:47 PM

All replies

  • Hi NateF,

    Thanks for your post!

    Can you browse http://localhost:8080/tfs/TeamFoundation/Administration/v3.0/WarehouseControlService.asmx in the IE?

    If yes, from the WarehouseControlWebService page, click GetProcessingStatus, and then click Invoke. For more information, please refer to http://msdn.microsoft.com/en-us/library/ff400237(v=VS.100).aspx

    From the screenshot which you post, I find that the data in the Dashboard cannot be displayed. To view the dashboard, you must be assigned or belong to a group that has been assigned the Read permissions in SharePoint Products for the team project.

    To add users or groups in SharePoint Foundation 2010

    1.In Team Explorer, on the Team menu, choose Show Project Portal.

    The portal for the team project opens in a separate window.

    2.Choose Site Actions, and then choose Site Permissions.

    The browser window changes to Permissions Tools.

    3.Choose Grant Permissions.

    The Grant Permissions window opens.

    4.In Users/Groups, specify the name of the group that you want to add. In Grant Permissions, choose Grant users permission directly, and then select one of the following check boxes:
    •To add users who will require minimal access to the project, select the Readers check box.

    •To add users who will contribute fully to this project, select the Contributors check box.

    •To add users who will act as project leads, select the Full Control check box.

    5.When you have finished adding the groups or users you want to add, choose OK.

    For more information, please refer to http://msdn.microsoft.com/en-us/library/ee828504.aspx

    Hope it helps!

    Best Regards,

    Cathy Kong [MSFT]
    MSDN Community Support | Feedback to us

    Thursday, November 1, 2012 6:49 AM
  • Thanks for your quick reply Cathy.

    I am able to browse to the web service, but when I attempt to Invoke the web service I am blocked due to enhanced security configuration (this is on a production server).  The strange thing is, the site it's listing here is "about:internet".  If I add the site, I get an error.

    I tried the steps for adding the user to the group, unfortunately as I said in my earlier post the user is already in the group.  The same user can browse the portal just fine on the old server, so it must be something in the migration process or on the local server that wouldn't be fixed by restoring the database on the new server.

    Any ideas?

    Thursday, November 1, 2012 4:23 PM
  • Hi NateF,

    Thanks for your feedback!

    Please try to clean the cache on your client machine C:\Users\[username]\AppData\Local\Microsoft\Team Foundation\4.0\Cache, restart VS 2012, and see if it helps.

    If it still doesn't help, can you install Fidder tool and save the network traffic while trying to open the team project portal?

    Best Regards,

    Cathy Kong [MSFT]
    MSDN Community Support | Feedback to us

    Friday, November 2, 2012 3:01 AM
  • Cleaning the cache didn't help :(

    I installed the Fiddler tool and it doesn't log anything when I access the team portal page from a remote PC.  It does log the calls if I browse from the server though.  By the way, I was prompted twice to entire my domain login information when accessing the site, which I did.  Thanks.

    • Edited by NateF Monday, November 5, 2012 9:23 PM
    Monday, November 5, 2012 9:22 PM
  • Hi NateF,

    Thanks for your feedback!

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.

    Best Regards,

    Cathy Kong [MSFT]
    MSDN Community Support | Feedback to us

    Tuesday, November 6, 2012 6:44 AM
  • Hi Nate,

    Seems to be the issue with webaccess cache. could you please try to clear the cache for webaccess ? below is the location

    C:\ProgramData\Microsoft\Team Foundation\Web Access\Cache_v11.0.50727

    Also, try to give full permissions to "everyone' for webaccess cache folder.

    Please let me know if you are still facing the issue after performing the above steps.



    Thursday, November 8, 2012 2:58 PM
  • Hi Chandra,

    There were two folder in this directory, I deleted both of them, gave Full Control on the folder to everyone and rebooted the server. 

    Unfortunately, the error is still there.

    I appreciate your help in getting this tracked down.



    Thursday, November 8, 2012 7:43 PM
  • All these errors are related to webaccess webparts. I would check IIS logs for any failures.

    Also, Could you please try to browse the TFS web access URL http://servername:8080/tfs.



    Monday, November 12, 2012 10:21 PM
  • I am able to browse to the web access URL just fine (using the same user account that fails).  I checked the Event Viewer and the IIS log folder and don't see any errors that look relevant, but I'm not sure what I'm looking for exactly.

    One thing I forgot to mention, the service account that was used on the old server is going away so I had to create a new one.  I gave it all the permissions per the setup instructions, but was wondering if this might be created a problem.



    Tuesday, November 13, 2012 12:30 AM
  • I may have found something...

    In the event log there is a Microsoft Team Foundation Server entry with a debug log.  Looking in here after attempting to access the page that gives the TF30063, I see a bunch of errors like this:

    [ TraceId] {00000001-0001-0001-0000-000000000000}
    Tracepoint 512005
    ServiceHost {00000000-0000-0000-0000-000000000000}
    ContextId 0
    ProcessName w3wp
    Area WebAccess
    Layer Controller
    Message Microsoft.TeamFoundation.Framework.Server.AccessCheckException: Access Denied: <sys account cut> needs the following permission(s) to perform this action: Make requests on behalf of others at Microsoft.TeamFoundation.Framework.Server.FrameworkSecurityNamespaceExtension.ThrowAccessDeniedException(TeamFoundationRequestContext requestContext, TeamFoundationIdentity identity, String token, Int32 requestedPermissions) at Microsoft.TeamFoundation.Framework.Server.TeamFoundationSecurityNamespace.ThrowAccessDeniedException(TeamFoundationRequestContext requestContext, String token, Int32 requestedPermissions) at Microsoft.TeamFoundation.Framework.Server.TeamFoundationApplication.Application_PostAuthenticateRequest(Object sender, EventArgs e)
    Tuesday, November 13, 2012 12:41 AM
  • Could you please check whether the account has "make request on behalf of other" permission in TFS?



    • Marked as answer by NateF Thursday, November 15, 2012 5:32 PM
    Thursday, November 15, 2012 4:47 PM
  • Success! 

    Thank you Chandra.  It hadn't even occurred to me to check the permissions on the service account since the system was working fine while I was using it.  I also didn't notice that permissions entry on the list until now.  It was "Not Set", I changed it explicity to "Allow" and everything runs fine.

    Thursday, November 15, 2012 5:33 PM
  • Good news. Thanks Nate for your update.


    Thursday, November 15, 2012 8:33 PM