Security Problem with Accessing Work Items
I have a security problem with accessing work items.
I have created a team project based on a customized project template. Among other things, there is a "Defect" work item type and two team queries, "All Defects" and "Active Defects".
MyProject > "Team Project Settings" > "Group Membership..." context menu item shows the "Project Groups on MyProject" dialog with the list of the team project groups, including [MyProject]\All, which includes another team project group, [MyProject]\Developers, which includes a Windows user MyDomain\John.
MyProject > "Team Project Settings" > "Security..." context menu item shows the "Project Security" dialog with the list of the team project groups and their permissions; in particular, the above-mentioned [MyProject]\All and [MyProject]\Developers groups both have the "Edit project-level information" and "View project-level information" permissions allowed.
MyProject > "Team Project Settings" > "Areas and Iterations..." context menu item shows the "Areas and Iterations" dialog with only one (root) Area, and clicking the "Security..." button shows the list of the team project groups and their permissions for the root area; in particular, the above-mentioned [MyProject]\All group has all the permissions ("Create and order child nodes", "Delete this node", "Edit this node", "Edit work items in this node", "View this node" and "View work items in this node") allowed.
However, the above-mentioned user MyDomain\John can neither add new defects (work items of type "Defect") nor even view existing defects with the above-mentioned "All Defects" and "Active Defects" team queries. The first question is, why? What is wrong with the security settings here? By the way, adding MyDomain\John directly into the [MyProject]\"Project Administrators" group did (temporarily) solve the problem, but John should not be a project administrator...
Moreover, I have one more issue of the same sort... Being a real project administrator myself, I can view a particular defect listed in the "All Defects" query results, but the same defect did not appear in the results of the "Active Defects" query, though it had the "Assigned to Developer" state that is included in the "Active Defects" query definition... The defect did appear in the "Active Defects" query results on the next day, but I do not want to wait a whole day for the results to be current! So the second question is, what should I do so that my query results are always fresh (up-to-date)?
Thank you very much in advance.
You can check any ancestral groups of [MyProject]\Developers to see if any of them has the permissions denied. Given the fact that the project administrator doesn't have the same issue, you can ignore the common ancestral groups of the two.
For the second question, you can click the "Run Query" button, which looks like a form with a green triangle. The result will be refreshed.
JYL> You can check any ancestral groups of [MyProject]\Developers to see if any of them has the permissions denied.
As it was mentioned in my original message, the groups'n'users hierarchy for my case is: [MyProject]\All includes [MyProject]\Developers includes MyDomain\John. The two groups both have "Edit project-level information" and "View project-level information" permissions allowed, and nothing denied on the project level. Besides, [MyProject]\All group has all the permissions ("Create and order child nodes", "Delete this node", "Edit this node", "Edit work items in this node", "View this node" and "View workitems in this node") allowed, and nothing denied on the only area level. What else should I check?
JYL> ...You can ignore the common ancestral groups of the two.
Sorry? I didn't understand this recommendation, please, paraphrase it.
JYL> You can click the "Run Query" button, which looks like a form with a green triangle. The result will be refreshed.
Thanks, it worked!
What I mean here is that [MyProject]\Developers should be in some group which has the Edit permission denied. The group might be bigger than [MyProject]\All. For example, maybe some group for the whole server.
The Administrator group has the Edit permission, which means any groups it is in must have no deny. So you don't need to check them.
Hope I explained it clearly this time.
Thanks.
[MyProject]\Developers group is a member of only two groups
[MyProject]\All (nothing is denied for it) and
[Server]\Team Foundation Valid Users (again, nothing is denied for it, too, as a similar project on the server works fine). What should I check next? Any ideas about the reasons? Thanks.
You could also try running TFSSecurity (an admin command-line tool to see the group memberships and effective permissions for an identity).
TFSSecurity /i domain\user /server:<servername> will give you generic information about the domain\user identity, while
TFSSecurity /acl domain\user /server:<servername> will give you the effective access control list for the identity.
TFSSecurity can be found on the AT server. Please see http://msdn2.microsoft.com/en-us/library/ms252504(VS.80).aspx for more details. This may help you identify the issue.
Hope this helps,
Well, let's see what these commands return...
C:\...\Tools>TFSSecurity.exe /i MyDomain\John /server:MyTFServer
TFSSecurity - Team Foundation Server Security Tool
(C) Copyright 2006 Microsoft Corporation. All rights reserved.
The target Team Foundation Server is MyTFServer.
Resolving identity "MyDomain\John"...
SID: S-1-5-21-2836816441-104769503-548545894-1781
DN: CN=John,OU=Development,OU=MyCompany,DC=MyDomain,DC=MyCompany,DC=com
Identity type: Windows user
Logon name: MyDomain\John
Display name: John
Done.
So, as far as I see, everything is OK here... Let's see further...
C:\...\Tools>TFSSecurity.exe /acl MyDomain\John /server:MyTFServer
TFSSecurity - Team Foundation Server Security Tool
(C) Copyright 2006 Microsoft Corporation. All rights reserved.
The target Team Foundation Server is MyTFServer.
Retrieving the access control list for object "MyDomain\John"...
Error: TF50608: Unable to retrieve information for security object MyDomain\John, it does not exist.
Oops!.. Here it is! Something is wrong here, isn't it? Can you explain this? Why doesn't the security object MyDomain\John exist, if he is a member of [MyProject]\Developers, which is a member of [MyProject]\All, with all the required access rights, as was described earlier? What should I do next? Please help! Thank you in advance!
P.S. TFSSecurity.exe /acl for the mentioned project groups [MyProject]\Developers and [MyProject]\All also returns the same error... Why?..
Well, I've just checked permissions with the mentioned tool and... learned nothing new. My project groups, [MyProject]\All and [MyProject]\Developers, both have the "View project-level information" and "Edit project-level information" permissions allowed, and nothing denied. However, MyDomain\John cannot do anything in the project... Is there anybody who can help me? Who can tell me what I should check next to fix the problem? Making MyDomain\John a project administrator works fine, but it isn't a good decision, right?
Stanislav,
Sorry for your problems here. I'm going to get someone from the dev team to try and help you.
Thanks,
I can see two possible causes for this problem. The first is that work item tracking is not being correctly synced to the security system. The second is that the work item tracking system is not correctly evaluating permissions. It is most likely that the problem is the security system to work item tracking sync.
Please try running:
TFSSecurity.exe /imx MyDomain\John /server:MyTFServer
This version of the command will also display all of the groups that MyDomain\John is a member of. This will verify what groups MyDomain\John is a member of, so that we can verify that he should be getting the permissions assigned to groups.
The next thing to do is to check in the App Tier event log to see if there are any errors. This is to make sure that the Work Item Tracking system has synced the group information for the security system.
The final thing to check is the database itself. If you open a query window in SQL management console against your data tier, and run the following select statements:
select next_id - 1 as GSSMaxIdenditySeqId from TFSIntegration..tbl_sequence_ids where name = 'identity_cache'
select max(seqid) as WITMaxIdentitySeqId from TFSWorkItemTracking..ADObjects
select next_id - 1 as GSSMaxNodeSeqId from TFSIntegration..tbl_sequence_ids where name = 'css_node'
select max(seqid) as WITMaxNodeSeqId from TFSWorkItemTracking..TreeNodes
select next_id - 1 as GSSMaxAclSeqId from TFSIntegration..tbl_sequence_ids where name = 'acl'
select max(sequence_id) as GSSMaxAclSeqId from TfsIntegration..tbl_security_acls where action_id like '%WORK_ITEM%'
select max(seqid) as WITMaxAclSeqId from TfsWorkItemTracking..Rules
If sync is working correctly, the GSS and WIT sequence ids should match.
--Matt Hoover
Visual Studio Team Foundation
Software Design Engineer
Thanks, Matt, your answer was the most informative and, I hope, the first real step to the solution of my problem.
C:\...\Tools>TFSSecurity.exe /imx MyDomain\John /server:MyTFServer
shows the following:
TFSSecurity - Team Foundation Server Security Tool
(C) Copyright 2006 Microsoft Corporation. All rights reserved.
The target Team Foundation Server is MyTFServer.
Resolving identity "MyDomain\John"...
SID: S-1-5-21-2836816441-104769503-548545894-1781
DN: CN=John,OU=Development,OU=MyCompany,DC=MyDomain,DC=MyCompany,DC=com
Identity type: Windows user
Logon name: MyDomain\John
Display name: John
Member of 3 group(s):
[SERVER]\Team Foundation Valid Users
[MyProject]\All
[MyProject]\Testers
Done.
So, as far as I see, everything is OK here.
MH> The next thing to do is to check in the App Tier event log to see if there are any errors.
I'm not sure which exact log I should check, but there are some warnings and errors in MyTFServer > Administrative Tools > Event Viewer > Application, from the following sources: TFS, TFS Services, TFS Warehouse, and TFS WorkItem Tracking. Should I check something specifically?
MH> The final thing to check is the database itself.
Well, the queries you've specified return the following values:
GSSMaxIdenditySeqId = 1579
WITMaxIdentitySeqId = 1579
GSSMaxNodeSeqId = 374
WITMaxNodeSeqId = 361
GSSMaxAclSeqId = 3529
GSSMaxAclSeqId = 3519
WITMaxAclSeqId = 3271
If I understand right, I have some problems with the synchronization process... How can I fix this?
Moreover, I had one more thread, http://forums.microsoft.com/msdn/showpost.aspx?postid=943697, where my last question, "is there a way to refresh the security cache manually?" (or "is there a way to force the security synchronization process?"), still remains unanswered, and now it seems both problems have the same cause, and possibly the same solution?..
Thanks in advance for everything.
It does indeed look like this is a problem with the sync process between Work Item Tracking and GSS. You are looking at the correct part of the event log (Application). The most interesting errors and warnings will be from the TFS Work Item Tracking and TFS Services sources. If you double click on an entry, it will bring up a dialog with details about the entry. On the upper right side of the dialog, below the up and down arrows, is a button that will copy the entry to the clipboard. Could you please copy one instance of each error with a different event number and post it?
Hopefully this will help us track down where exactly the error is occurring.
Matt Hoover
Software Design Engineer
Visual Studio Team Foundation
I've found only two combinations of Event ID and TFS error code among the warnings and errors of "Work Item Tracking" source. The first one, with Event ID = 3000, and TFS error code TF53010, looks like this:
Event Viewer wrote:
Event Type: Error
Event Source: TFS WorkItem Tracking
Event Category: None
Event ID: 3000
Date: 11/28/2006
Time: 6:58:27 PM
User: N/A
Computer: MyTFServer
Description: TF53010: An unexpected condition has occurred in a Team Foundation component. The information contained here should be made available to your site administrative staff.
Technical Information (for the administrative staff):
Date (UTC): 11/28/2006 3:58:27 PM
Machine: MyTFServer
Application Domain: /LM/W3SVC/3/Root/WorkItemTracking-1-128091788309821250
Assembly: Microsoft.TeamFoundation.WorkItemTracking.Server.DataServices, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a; v2.0.50727
Process Details:
Process Name: w3wp
Process Id: 8780
Thread Id: 9500
Account name: MyDomain\User1
Detailed Message: TF51334: An unknown Web service error occurred: The remote host closed the connection. The error code is 0x80072746.. Check the Event Log for more information.
Web Request Details
Url: http://MyTFServer:8080/WorkItemTracking/v1.0/AttachFileHandler.ashx?FileID=3610&FileName=Universal Management Console.vsd [method: GET]
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.03; WinFX RunTime 3.0.50727)
Headers: Connection=Keep-Alive&Accept=*%2f*&Accept-Encoding=gzip%2c+deflate&Host=MyTFServer%3a8080&User-Agent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322%3b+.NET+CLR+2.0.50727%3b+.NET+CLR+3.0.04506.30%3b+.NET+CLR+3.0.04506.03%3b+WinFX+RunTime+3.0.50727)
Path: /WorkItemTracking/v1.0/AttachFileHandler.ashx
Local Request: False
Host Address: 192.168.128.44
User: MyDomain\User1 [authentication type: NTLM]
Exception Message: The remote host closed the connection. The error code is 0x80072746. (type HttpException)
Exception Stack Trace:
at System.Web.Hosting.ISAPIWorkerRequestInProcForIIS6.FlushCore(Byte[] status, Byte[] header, Int32 keepConnected, Int32 totalBodySize, Int32 numBodyFragments, IntPtr[] bodyFragments, Int32[] bodyFragmentLengths, Int32 doneWithSession, Int32 finalStatus, Boolean& async)
at System.Web.Hosting.ISAPIWorkerRequest.FlushCachedResponse(Boolean isFinal)
at System.Web.Hosting.ISAPIWorkerRequest.FlushResponse(Boolean finalFlush)
at System.Web.HttpResponse.Flush(Boolean finalFlush)
at System.Web.HttpWriter.WriteFromStream(Byte[] data, Int32 offset, Int32 size)
at System.Web.HttpResponseStream.Write(Byte[] buffer, Int32 offset, Int32 count)
at Microsoft.TeamFoundation.WorkItemTracking.Server.DalGetFileAttachment.JoinBatchGetFileAttachment(HttpResponse response, Byte[] pointer, Int32 fileLength)
at Microsoft.TeamFoundation.WorkItemTracking.Server.DataAccessLayerImpl.GetAndSendFileAttachment(String attachmentServerName, String attachmentDatabaseName, HttpResponse response, String fileGuid)
at Microsoft.TeamFoundation.WorkItemTracking.Server.AttachmentDownloadHandler.ProcessRequest(HttpContext context)
The second one, with Event ID = 3056, and TFS error code TF53010, looks like this:
Event Viewer wrote:
Event Type: Error
Event Source: TFS WorkItem Tracking
Event Category: None
Event ID: 3056
Date: 12/12/2006
Time: 12:25:44 PM
User: N/A
Computer: MyTFServer
Description: TF53010: An unexpected condition has occurred in a Team Foundation component. The information contained here should be made available to your site administrative staff.
Technical Information (for the administrative staff):
Date (UTC): 12/12/2006 9:25:44 AM
Machine: MyTFServer
Application Domain: /LM/W3SVC/3/Root/WorkItemTracking-1-128103891281718750
Assembly: Microsoft.TeamFoundation.WorkItemTracking.Server.DataServices, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a; v2.0.50727
Process Details:
Process Name: w3wp
Process Id: 6624
Thread Id: 6716
Account name: MyDomain\User2
Detailed Message: LookupRule: Could not find user for the SID.
Exception Message: LookupRule: Could not find user for the SID. (type ValidationException)
Exception Stack Trace:
at Microsoft.TeamFoundation.WorkItemTracking.Server.SqlAccess.HandleDalError(Exception e)
at Microsoft.TeamFoundation.WorkItemTracking.Server.SqlAccess.ExecuteBatchPayloadImpl(IRequestContext context, String sqlBatch, List`1 parameterList, Boolean& errorOnBulkUpdate, String connectionString)
at Microsoft.TeamFoundation.WorkItemTracking.Server.SqlBatchBuilder.ExecuteBatchInternal(IRequestContext context, Boolean passInConnectionInfo, String server, String database)
at Microsoft.TeamFoundation.WorkItemTracking.Server.DataAccessLayerImpl.UpdateImpl(String serverName, String databaseName, String attachmentServer, String attachmentDatabase, XmlElement updateElement, MetadataTable[] tablesRequested, Int64[] rowVersions, Payload metadataPayload, Boolean bisNotification, String& dbStamp, Boolean bulkUpdate, Boolean& bulkUpdateSuccess, String userSid)
at Microsoft.TeamFoundation.WorkItemTracking.Server.DataAccessLayerImpl.Update(String serverName, String databaseName, String attachmentServer, String attachmentDatabase, XmlElement updateElement, MetadataTable[] tablesRequested, Int64[] rowVersions, Payload metadataPayload, Boolean bisNotification, String& dbStamp, String userSid)
at Microsoft.TeamFoundation.WorkItemTracking.Server.ProcessSecurityEventMessage.ExecuteBatch(String updateXml)
at Microsoft.TeamFoundation.WorkItemTracking.Server.ProcessSecurityEventMessage.Process()
at Microsoft.TeamFoundation.WorkItemTracking.Server.SecurityEventMessage.Process()
at Microsoft.TeamFoundation.WorkItemTracking.Server.EventMessageHandler.ProcessSecurity(Int32 seqId)
at Microsoft.TeamFoundation.WorkItemTracking.Server.EventMessageHandler.ProcessSecurityEvent()
Inner Exception Details:
Exception Message: LookupRule: Could not find user for the SID. (type SqlException)
SQL Exception Class: 11
SQL Exception Number: 600152
SQL Exception Procedure: LookupRule
SQL Exception Line Number: 168
SQL Exception Server: MyTFServer
SQL Exception State: 1
SQL Error(s):
Exception Data Dictionary:
HelpLink.ProdName = Microsoft SQL Server
HelpLink.ProdVer = 09.00.2047
HelpLink.EvtSrc = MSSQLServer
HelpLink.EvtID = 600152
HelpLink.BaseHelpUrl = http://go.microsoft.com/fwlink
HelpLink.LinkId = 20476
Exception Stack Trace:
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection)
at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
at System.Data.SqlClient.SqlDataReader.HasMoreResults()
at System.Data.SqlClient.SqlDataReader.NextResult()
at Microsoft.TeamFoundation.WorkItemTracking.Server.PayloadTableCollection.Populate(SqlDataReader reader)
at Microsoft.TeamFoundation.WorkItemTracking.Server.SqlAccess.ExecuteBatchPayloadImpl(IRequestContext context, String sqlBatch, List`1 parameterList, Boolean& errorOnBulkUpdate, String connectionString)
What else should I do? Thank you.
That second error message has significantly narrowed down the possibilities. Do any of these queries return non-zero results?
select count(*) as MissingIdentitiesFromADObjects
from TfsIntegration..tbl_security_identity_cache
where sid not in (select ObjectSID from TfsWorkitemTracking..ADObjects)
select count(*) as MissingIdentitiesFromConstants
from TfsIntegration..tbl_security_identity_cache
where sid not in (select SID from TfsWorkitemTracking..Constants)
select count(*) as MissingADObjectsFromConstants
from TfsWorkItemTracking..ADObjects
where ObjectSID not in (select SID from TfsWorkitemTracking..Constants)
select count(*) as MissingIdentitiesFromConstantsWithACLs
from TfsIntegration..tbl_security_identity_cache id
join TfsIntegration..tbl_security_acls acls
on id.sid = acls.sid
and acls.sequence_id > 3271
and acls.action_id like '%WORK_ITEM%'
and acls.deleted = 0
where id.sid not in (select SID from TfsWorkitemTracking..Constants)
select count(*) as DeletedIdentitiesWithACLs
from TfsIntegration..tbl_security_identity_cache id
join TfsIntegration..tbl_security_acls acls
on id.sid = acls.sid
and acls.sequence_id > 3271
and acls.action_id like '%WORK_ITEM%'
and acls.deleted = 0
where id.sid not in (select SID from TfsWorkitemTracking..Constants)
and id.deleted = 1
If so, change the "select count(*) as ..." lines to "select *", and please send me the results via email. Once I know the properties of the accounts causing problems, I can give you the next step.
thanks,
Sam Heald - MSFT
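As an added example (not code from this thread, from Microsoft, or from TFS itself), the T-SQL batch below folds the two diagnostic steps the replies ask for into one read-only run against the data tier: Matt Hoover's comparison of the last sequence id GSS issued against the last one Work Item Tracking processed, and Sam Heald's counts of SIDs that exist in the GSS identity cache but not in WIT's ADObjects or Constants tables. It assumes only the TFS 2005 table and column names used in those posts (TfsIntegration..tbl_sequence_ids, tbl_security_identity_cache, tbl_security_acls; TfsWorkItemTracking..ADObjects, TreeNodes, Rules, Constants); the result-set labels, the lag column, and reading the ACL watermark from Rules instead of hard-coding 3271 are mine.

```sql
-- Added example, not from the thread: GSS-vs-WIT security sync check for TFS 2005.
-- Assumes the table/column names used in Matt Hoover's and Sam Heald's posts.
-- Read-only; run in SQL Server Management Studio against the data tier.
SET NOCOUNT ON;

-- Watermark: the newest ACL sequence id Work Item Tracking has processed
-- (the value the thread hard-codes as 3271 for this particular server).
DECLARE @wit_acl_max int;
SELECT @wit_acl_max = MAX(seqid) FROM TfsWorkItemTracking..Rules;

-- Result set 1: last sequence id GSS issued vs. last one WIT processed.
-- lag > 0 means WIT has not caught up with GSS for that object kind.
WITH gss AS (
    SELECT name, next_id - 1 AS gss_max
    FROM TfsIntegration..tbl_sequence_ids
    WHERE name IN ('identity_cache', 'css_node', 'acl')
    UNION ALL
    -- WIT only consumes WORK_ITEM ACLs, so compare that subset as well
    SELECT 'acl_work_item', MAX(sequence_id)
    FROM TfsIntegration..tbl_security_acls
    WHERE action_id LIKE '%WORK_ITEM%'
),
wit AS (
    SELECT 'identity_cache' AS name, MAX(seqid) AS wit_max
    FROM TfsWorkItemTracking..ADObjects
    UNION ALL
    SELECT 'css_node', MAX(seqid) FROM TfsWorkItemTracking..TreeNodes
    UNION ALL
    SELECT 'acl', @wit_acl_max
    UNION ALL
    SELECT 'acl_work_item', @wit_acl_max
)
SELECT gss.name, gss.gss_max, wit.wit_max, gss.gss_max - wit.wit_max AS lag
FROM gss
JOIN wit ON wit.name = gss.name
ORDER BY gss.name;

-- Result set 2: identities GSS knows about that WIT's copies do not.
-- NOT EXISTS rather than NOT IN, so a NULL SID in the inner table cannot
-- silently turn a real gap into a count of zero.
SELECT 'GSS identities missing from ADObjects' AS check_name, COUNT(*) AS cnt
FROM TfsIntegration..tbl_security_identity_cache id
WHERE NOT EXISTS (SELECT 1 FROM TfsWorkItemTracking..ADObjects a
                  WHERE a.ObjectSID = id.sid)
UNION ALL
SELECT 'GSS identities missing from Constants', COUNT(*)
FROM TfsIntegration..tbl_security_identity_cache id
WHERE NOT EXISTS (SELECT 1 FROM TfsWorkItemTracking..Constants c
                  WHERE c.SID = id.sid)
UNION ALL
SELECT 'ADObjects missing from Constants', COUNT(*)
FROM TfsWorkItemTracking..ADObjects a
WHERE NOT EXISTS (SELECT 1 FROM TfsWorkItemTracking..Constants c
                  WHERE c.SID = a.ObjectSID)
UNION ALL
SELECT 'identities with unprocessed WORK_ITEM ACLs missing from Constants', COUNT(*)
FROM TfsIntegration..tbl_security_identity_cache id
JOIN TfsIntegration..tbl_security_acls acls
  ON acls.sid = id.sid
 AND acls.sequence_id > @wit_acl_max
 AND acls.action_id LIKE '%WORK_ITEM%'
 AND acls.deleted = 0
WHERE NOT EXISTS (SELECT 1 FROM TfsWorkItemTracking..Constants c
                  WHERE c.SID = id.sid)
UNION ALL
SELECT '... of those, identities already marked deleted in GSS', COUNT(*)
FROM TfsIntegration..tbl_security_identity_cache id
JOIN TfsIntegration..tbl_security_acls acls
  ON acls.sid = id.sid
 AND acls.sequence_id > @wit_acl_max
 AND acls.action_id LIKE '%WORK_ITEM%'
 AND acls.deleted = 0
WHERE id.deleted = 1
  AND NOT EXISTS (SELECT 1 FROM TfsWorkItemTracking..Constants c
                  WHERE c.SID = id.sid);
```

On the numbers posted earlier in the thread the first result set would show lag 0 for identity_cache, 13 for css_node, 258 for acl and 248 for acl_work_item, which is exactly the "WIT is behind GSS" pattern Matt describes; a non-zero row in the second result set is the condition that produces the "LookupRule: Could not find user for the SID" event. The check is worth running before falling back to the workaround the original poster tried, since membership in Project Administrators grants far more than view and edit on work items and masks the sync problem rather than fixing it.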