TFSBuildServiceHost.exe 的 Windows 服务用户帐户问题
今天在我们的 TFS2010 构建服务器上遇到了一个非常奇怪的问题。突然,构建服务无缘无故地失败了。我们已经查了半天了,但还是没有找到原因。
问题之一是构建服务正在(或应该!)在名为 tfs2010build 的 AD 用户下运行。但是,当我尝试启动该服务时,出现以下错误
Service cannot be started. Microsoft.TeamFoundation.TeamFoundationServerUnauthorizedException: TF30063: You are not authorized to access http://tfs2010:8080/tfs/default. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
当我查看 TFS2010 服务器上的事件日志时,我发现为名为 TFS2010Install 的用户注册了失败的身份验证,该用户用于安装所有内容。我已经进行了三次检查,并且该服务被指定为在 TFS2010Build 下运行。
来自 TFS2010 服务器的日志:
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: TFS2010INSTALL
Account Domain: LC
所以我的问题是这怎么可能。用户 TFS2010Build 是否可以被 TFS2010Install 模拟?我 我尝试安装额外的构建服务器,在用户 TFS2010Build 下启动服务没有问题 - 因此这不是 AD 或 TFS 用户权限的问题。
希望大家能够帮忙!
/贾斯帕
!!更新了一些屏幕截图。构建服务器是TFS2010BIULD,TFS服务器是TFS2010 
非工作构建服务器 TFS2010Build 的屏幕截图 
工作构建服务器 TFS2010Build1 的屏幕截图 
!!新更新
我已设法让构建服务在 TFS2010Build 用户帐户下运行(其中实际上是问题开始时的初始状态)。当我将构建排队到该控制器和代理时,我在构建日志中收到以下内容:
TF215097:初始化构建定义 \PlanteIT_MarkOnline_Scrum\CI_Main_FieldOnlineClient 时发生错误:TF215106:访问被拒绝。 LC\TFS2010INSTALL 需要团队项目 PlanteIT_MarkOnline_Scrum 中的构建定义 CI_Main_FieldOnlineClient 的更新构建信息权限才能执行该操作。有关详细信息,请联系 Team Foundation Server 管理员。
尽管 TFS2010Build 用于构建服务,但它仍然坚持认为 TFS2010Install 用户帐户正在运行该服务。有什么想法吗?
Experienced a very strange problem today on our TFS2010 build server. Suddenly the build service failed for no apparent reason. We´re been trouble shooting it all day, but still haven´t found the reason yet.
One of the problems is that the build service is (or should!) running under an AD user called tfs2010build. However when I try to start the service, i get the following error
Service cannot be started. Microsoft.TeamFoundation.TeamFoundationServerUnauthorizedException: TF30063: You are not authorized to access http://tfs2010:8080/tfs/default. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
When I look in the event log on the TFS2010 server, I see that the failed authentication is registered for a user called TFS2010Install, which was used to install everything. I´ve tripple checked and the service is specified as to be running under TFS2010Build.
Log from TFS2010 server:
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: TFS2010INSTALL
Account Domain: LC
So my question is how is this possible. COuld the user TFS2010Build some how be impersonated by TFS2010Install? I
ve tried to install an additional build server and here there´s no problem starting the service under the user TFS2010Build - hence it is not a problem with AD or TFS user rights.
Hope you guys can help out!
/Jasper
!! Updated with some screen shots. Build server is TFS2010BIULD and the TFS server is TFS2010
Screen shot of non working build server TFS2010Build
Screen shot of working build server TFS2010Build1
!!New Update
I've managed to get the Build service to run under the TFS2010Build user account (which was actually the initial state, when the problem started). When I queue builds to this controller and agent, i get the follwing in the build log:
TF215097: An error occurred while initializing a build for build definition \PlanteIT_MarkOnline_Scrum\CI_Main_FieldOnlineClient: TF215106: Access denied. LC\TFS2010INSTALL needs Update build information permissions for build definition CI_Main_FieldOnlineClient in team project PlanteIT_MarkOnline_Scrum to perform the action. For more information, contact the Team Foundation Server administrator.
It still insist that TFS2010Install user account is running the service, despite that TFS2010Build is used for the build service. Any ideas?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
这是在黑暗中进行的尝试,您可以尝试在 Tfs2010Build 帐户下清除有问题的构建计算机上的 TFS 客户端缓存和互联网缓存吗?我以前从未见过这个问题,但也许一些带有 TFS2010Install 身份验证的陈旧缓存 TfsProjectCollection 对象仍然存在并导致问题。
您是否也尝试过重新配置您的构建机器?
取消配置:
tfsconfig.exe setup /uninstall:TeamBuild
并通过向导重新配置。
This is a stab in the dark, can you try clear the TFS client cache and your internet cache on your troubled build machine under the Tfs2010Build account? I've never seen this issue before but maybe some stale cached TfsProjectCollection object with TFS2010Install authentication stayed around and caused problems.
Have you also tried reconfigure your build machine?
To unconfigure:
tfsconfig.exe setup /uninstall:TeamBuild
and reconfigure through the wizard.
我会再尝试一次...,一步一步:-)
事实:当您将构建控制器注册到 TFS 项目集合并以 TFS2010Build 身份登录时,会弹出一个身份验证对话框-向上。这意味着 TFS 服务器不接受 TFS2010Build 作为可用于连接到 TFS 服务器上的默认集合的帐户。
事实:当您将构建控制器注册到 TFS 项目集合时,以 TFS2010Install 身份登录,不会弹出身份验证对话框。这意味着 TFS 服务器确实接受 TFS2010Install 作为可用于连接到 TFS 服务器上的默认集合的帐户。
显然,因为在 1 和 2 中,您的构建控制器都是使用 TFS2010Install 帐户注册到 TFS 服务器的,所以控制器或服务器会记住这些凭据,并在构建控制器启动时使用它们连接到 TFS 服务器集合,尽管服务本身在 TFS2010Build 帐户下运行。这是一种看似合理的情况,服务的模拟经常以这种方式发生。也许一些 TFS 技术人员可以确认或否认此行为。
我剩下的问题是:为什么 TFS 服务器上的默认集合不接受 TFS2010Build 帐户作为有效的管理员?
潜在原因:
阅读 Jim Lamb 的回答。
用于将控制器连接到 TFS 服务器上的集合的系统或用户的域注册有问题。
消除问题的最快方法:继续安装似乎没有问题的辅助服务器,可以尝试使用该辅助服务器上的 TFS2010Build,看看问题是否也出现在那里。
这是一个很长的问题,但希望它能给你带来巨大的推动力,让你朝着正确的方向前进。
I will try once more ..., step by step :-)
FACT: When you register your build controller to a TFS project collection, being logged-in as TFS2010Build, an authentication dialog pops-up. This means that the TFS server does not accept TFS2010Build as an account that can be used to connect to your default collection on the TFS server.
FACT: When you register your build controller to a TFS project collection, being logged-in as TFS2010Install, no authentication dialog pops-up. This means that the TFS server does accept TFS2010Install as an account that can be used to connect to your default collection on the TFS server.
Apparently, because in both 1 and 2 your build controller is registered using the TFS2010Install account to the TFS server, either the controller or the server remembers these credentials and uses them to connect to the TFS server collection when the build controller is started, despite the fact that the service itself is running under the TFS2010Build account. This is a plausible situation and impersonation happens often this way for services. Maybe some TFS techie can either confirm or deny this behavior.
The question that remains for me: Why does the the default collection on the TFS server not accept the TFS2010Build account as a valid administrator?
Potential causes:
Read Jim Lamb's answer.
Something is wrong with the domain registration of the system or user used to connect the controller to the collection on the TFS server.
Fastest way to rid of the problem: Continue to install the secondary server that does not seem to have the problem, potentially experiment with using the TFS2010Build from this secondary server to see if the problem also occurs there.
A long aswer, but hopefully it gives you a big push in the right direction.
得知您在使用此功能时遇到问题,我们深感抱歉。您可以检查/尝试以下几件事:
确保 TFS2010Build 用户帐户是与其关联的 TFS 项目集合中“构建服务”组的成员。
如果您以关联项目集合上 Project Collection Administrators 组成员以及构建计算机上本地 Administrators 组成员的用户身份登录时安装和配置构建服务,则所有通常会为您设置必要的权限和其他配置。
因此,总而言之,配置构建机器的用户应该是项目集合管理员组的成员和本地管理员组的成员。并且,构建机器正在运行的用户帐户应该是项目集合的“构建服务”组的成员。
Sorry to hear that you're having problems getting this to work. Here are a couple of things you can check/try:
Make sure that the TFS2010Build user account is a member of the "Build Services" group in the TFS project collection you've associated it with.
If you install and configure the build service while logged in as a user who is a member of the Project Collection Administrators group on the associated project collection and is also a member of the local Administrators group on the build machine, all of the requisite permissions and other configuration will generally be set for you.
So, to summarize, the user configuring the build machine should be a member of the project collection administrators group and a member of the local administrators group. And, the user account the build machine is running as should be a member of the project collection's "build services" group.