Exception using TFS client in Web App
Hi All
We have a web application which communicates with TFS. This application creates new work items on the server. We want to create the work item using the credentials of the user logged on to the web application. Therefore we use impersonation in the web app.
The solution works fine as long as the Windows profile of the current user exists on the server, but it crashes immediately if there isn't one (the HKCU file is absent). I got the following exception:
Access to the registry key 'HKEY_CURRENT_USER\Software\Microsoft\VisualStudio\8.0\TeamFoundation\Servers' is denied.
System.UnauthorizedAccessException: Access to the registry key 'HKEY_CURRENT_USER\Software\Microsoft\VisualStudio\8.0\TeamFoundation\Servers' is denied. at Microsoft.Win32.RegistryKey.Win32Error(Int32 errorCode, String str) at Microsoft.Win32.RegistryKey.CreateSubKey(String subkey, RegistryKeyPermissionCheck permissionCheck, RegistrySecurity registrySecurity) at Microsoft.Win32.RegistryKey.CreateSubKey(String subkey, RegistryKeyPermissionCheck permissionCheck) at Microsoft.TeamFoundation.Client.RegisteredServers.OpenCurrentUser(Boolean writable, Boolean shouldCreate) at Microsoft.TeamFoundation.Client.RegisteredServers.GetServerForUri(Uri uri) at Microsoft.TeamFoundation.Client.TeamFoundationServer.get_DisplayName() at Microsoft.TeamFoundation.Client.TeamFoundationSoapProxy.ThrowIfUnauthorized(HttpWebResponse response) at Microsoft.TeamFoundation.Client.TeamFoundationSoapProxy.GetWebResponse(WebRequest request) at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters) at Microsoft.TeamFoundation.Proxy.BisRegistrationServiceProxyWsdl.GetRegistrationEntries(String toolId) at Microsoft.TeamFoundation.Proxy.BisRegistrationProxy.GetRegistrationEntries(String toolId) at Microsoft.TeamFoundation.Proxy.BisRegistrationService.RefreshMemoryCache() at Microsoft.TeamFoundation.Proxy.BisRegistrationService.RefreshCachesIfNeeded(Boolean direct) at Microsoft.TeamFoundation.Proxy.BisRegistrationService.GetRegistrationEntries(String toolId) at Microsoft.TeamFoundation.WorkItemTracking.Client.WorkItemStore.GetMiddleTierUrls(String& serverUrl, String& configurationSettingsUrl) at Microsoft.TeamFoundation.WorkItemTracking.Client.WorkItemStore.InitializeInternal() at Microsoft.TeamFoundation.WorkItemTracking.Client.WorkItemStore.Microsoft.TeamFoundation.Client.ITeamFoundationServerObject.Initialize(TeamFoundationServer teamFoundationServer) at Microsoft.TeamFoundation.WorkItemTracking.Client.WorkItemStore..ctor
We tried changing the process identity of the web app to a user with full admin rights. This does not change the behavior.
All your suggestions are highly appreciated.
Regards,
Alex
There are a few configuration restrictions on using the OM in web applications, such as always passing the full URL of the server instead of the friendly name to WorkItemStore, etc. Check the document at http://blogs.msdn.com/psheill/archive/2006/03/03/543120.aspx for the complete list and recommendations on how to configure it. Please let us know if you still have trouble after following those suggestions.
Thanks
Naren, thanks for the link.
However, to be honest I feel kind of lost with the Kerberos topic in the document. Can you give me some short outline about the required steps to set it up correctly?
Thanks a lot!
Alex
Alex, I wrote the doc as simple steps, but I am surely not a good document guy :) I would actually implement the configuration changes for impersonation step by step as in the document and see if I have any problems. If you have specific questions or problems, please let us know.
After I changed the identity of the web app to a domain account, the error changed to:
Team Foundation Server exception. Cannot setup a connection with "http://tfsserver.company.de:8080/"
update4u.SPS.TFS.TeamException: Team Foundation Server exception. Cannot setup a connection with "http://tfsserver.company.de:8080/" > Microsoft.TeamFoundation.TeamFoundationServerUnauthorizedException: TF30063: You are not authorized to access http://tfsserver.company.de:8080/. at Microsoft.TeamFoundation.Client.TeamFoundationSoapProxy.ThrowIfUnauthorized(HttpWebResponse response) at Microsoft.TeamFoundation.Client.TeamFoundationSoapProxy.GetWebResponse(WebRequest request) at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters) at Microsoft.TeamFoundation.Client.CheckAuthenticationProxy.CheckAuthentication() at Microsoft.TeamFoundation.Client.TeamFoundationServer.Authenticate(Boolean useProvider, ICredentialsProvider provider) at Microsoft.TeamFoundation.Client.TeamFoundationServer.Authenticate() at update4u.SPS.TFS.TeamServer.get_Server() End of inner exception stack trace at update4u.SPS.TFS.TeamServer.get_Server() at update4u.SPS.TFS.TeamServer.get_Store() at update4u.SPS.TFS.TeamServer.FindRelatedWorkItems(String ticketID) at update4u.SPS.TFS.TeamServer.GetBugs(String ticketID) at update4u.SPS.TFS.WebUI.ReviewBugs.ReloadBugs(Boolean isRefresh)
The W3SVC log files on the TFS AT also show that the web app tries to authenticate at the AT's IIS anonymously. IE, however, authenticates using Kerberos at the web app. All participating computers and accounts are trusted for delegation. Furthermore, if I switch authentication to Basic in the web app, everything works fine. So everything points to the classical double-hop issue.
Any ideas what's wrong?
Thanks a lot in advance!
Regards, Alex
Hi
Where is your web application launched? Is it on the AT or on a different machine where client is installed?
I have launched it on the AT machine and assigned the same application pool in which TFS runs.
As this application pool runs as service account, there will not be any accessibility issues.
Did you try this?
Thanks
Sagar
Hi Sagar,
My web app is running on a separate server with a separate domain account.
Unfortunately I cannot move the web app onto the same server as the AT.
However, I am meanwhile quite sure that the problem is related to the IIS configuration of the AT server. No web requests are authenticated using Kerberos at all. The NTAuthenticationProviders property of the IIS metabase is set to "NTLM" for whatever reason. Switching to Negotiate,NTLM makes IIS stop authenticating at all.
So quite for sure this is not a TFS or TFS client problem.
For the fellows trying this as well, be prepared for these pitfalls, as SharePoint Services disables Kerberos authentication by default (at least before SP2):
How to configure a Windows SharePoint Services virtual server to use Kerberos authentication and how to switch from Kerberos authentication back to NTLM authentication
http://support.microsoft.com/kb/832769
However, the steps described in this KB did not fix Kerberos in my case.
Regards, Alex
Hi,
Finally we found a solution for the double-hop issue and got Kerberos working.
You should take care of these steps in a distributed environment:
* Allow delegation for the AT and web app server, as well as the TFS service account and the accounts trying to log on (maybe this is too much, have fun trying to lock it down yourself ;) ).
* Set SPN for AT:
setspn -A http/mytfsserver domain\tfsservice
setspn -A http/mytfsserver.domain.com domain\tfsservice
* Check if the AT server itself has the SPN http/mytfsserver registered:
setspn -L domain\tfsservice
If yes, remove it, as an SPN can be registered for one account/computer only.
* Check the IIS property NTAuthenticationProviders for your Web Sites
adsutil ENUM W3SVC/1 (including child nodes)
It must be set to "Negotiate,NTLM", which it quite often is not because of the SharePoint configuration.
For analysis:
* Enable Kerberos logging on the AT server in the registry (check the MS KB)
* Enable logon/logoff audit and check AT's security event log
* Don't forget to check your DC's security and application event logs as the KDC only logs error messages there.
After all this stuff we are now able to access the TFS web services from a remote Web App using impersonation.
HTH, Alex
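The two checks from the steps above (an SPN registered on more than one principal, and an IIS NTAuthenticationProviders value without Negotiate) can be scripted against the tool output. This is an added example, not code from the thread; the `setspn -L` and `adsutil ENUM` texts are constructed samples, and the account and host names are the placeholders used in the post.

```python
import re
from collections import defaultdict

# Constructed sample of `setspn -L <principal>` output for the TFS service
# account and for the AT computer account (names taken from the post).
SETSPN_OUTPUT = {
    r"domain\tfsservice": """Registered ServicePrincipalNames for CN=tfsservice,OU=Service,DC=domain,DC=com:
        http/mytfsserver
        http/mytfsserver.domain.com
""",
    r"domain\MYTFSSERVER$": """Registered ServicePrincipalNames for CN=MYTFSSERVER,CN=Computers,DC=domain,DC=com:
        HOST/MYTFSSERVER
        HOST/mytfsserver.domain.com
        http/mytfsserver
""",
}

# Constructed sample of one property line from `adsutil ENUM W3SVC/1`.
ADSUTIL_OUTPUT = 'NTAuthenticationProviders       : (STRING) "NTLM"\n'

def parse_spns(setspn_text):
    # SPN lines are the indented ones; the header line is flush left.
    # SPNs are compared case-insensitively, so normalise to lower case.
    return [ln.strip().lower() for ln in setspn_text.splitlines()
            if ln.startswith((" ", "\t")) and ln.strip()]

def duplicate_spns(outputs):
    # Map every SPN held by more than one principal to its holders. A
    # duplicated SPN leaves the KDC unable to pick a key, so Kerberos fails
    # and clients fall back to NTLM or anonymous, as seen in the thread.
    owners = defaultdict(list)
    for principal, text in outputs.items():
        for spn in parse_spns(text):
            owners[spn].append(principal)
    return {spn: p for spn, p in owners.items() if len(p) > 1}

def nt_auth_providers(adsutil_text):
    # Pull the quoted value out of the adsutil property line, None if absent.
    m = re.search(r'NTAuthenticationProviders\s*:\s*\(STRING\)\s*"([^"]*)"',
                  adsutil_text)
    return m.group(1) if m else None

def providers_allow_kerberos(adsutil_text):
    # Kerberos is only possible if the Negotiate package is listed.
    value = nt_auth_providers(adsutil_text)
    return value is not None and "negotiate" in value.lower()

if __name__ == "__main__":
    for spn, holders in duplicate_spns(SETSPN_OUTPUT).items():
        print(f"duplicate SPN {spn} registered on: {', '.join(holders)}")
    print("NTAuthenticationProviders =", nt_auth_providers(ADSUTIL_OUTPUT),
          "(Kerberos possible)" if providers_allow_kerberos(ADSUTIL_OUTPUT)
          else '(expected "Negotiate,NTLM")')
```

On a real server, feed it the actual `setspn -L` output for every candidate principal and the `adsutil ENUM` output of each web site node, since the SharePoint-altered value may sit on a child node.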