4

We have two Windows domains that do not have trust in between. On the main domain, we have a simple TFS server 2013 setup and in the development domain, we'd like to set up an additional build agent. This build agent will be added to the existing build controller on the TFS machine (the TFS machine already contains a single build controller and agent).

So far I've added the same local user account to both the TFS and development machine. In other words, there is a shadow account with the same name and password on both VM's. I'm running the TFS build service installer under that user and all goes well until it gets to the Configuration step.

This step fails with a "TF400106: Failed to register the build service" and the following stacktrace in the log:

Exception Message: User account DEV\machinename$ not found (type Exception)
Exception Stack Trace:    at Microsoft.TeamFoundation.Build.Config.BuildServiceHostUtilities.CheckServiceAccountMembership(TfsTeamProjectCollection tfsCollection, String serviceAccount)
   at Microsoft.TeamFoundation.Build.Config.BuildServiceHostUtilities.UpdateCollectionPermissions(TfsTeamProjectCollection tfs, String userName)
   at Microsoft.TeamFoundation.Build.Config.BuildServiceHostUtilities.UpdateAuthenticatingAccount(TfsTeamProjectCollection tfsCollection, String fromUser, Boolean canTranslateFromUser, String toUser, Boolean canTranslateToUser)
   at Microsoft.TeamFoundation.Build.Config.BuildServiceHostUtilities.Register(IBuildServiceHost serviceHost, String serviceAccount, String serviceAccountPassword, X509Certificate2 serverCertificate, String authenticatingUserName, Boolean canTranslateAuthenticatingUserName)
   at Microsoft.TeamFoundation.Admin.TeamBuildInstaller.RegisterWithApplicationServer(IAuthenticatedCollectionProvider authenticatedConnectionProvider, IBuildServiceHost host, String collectionUri, Int32 port, AccountInfo serviceAccount, AccountInfo authenticatingAccount, Boolean useHttps, BuildControllerOptions controllerOptions, List`1 agentListOptions, Boolean cleanOldResources, String certificateThumbprint, Boolean requireClientCertificates, ITFLogger logger)
   at Microsoft.TeamFoundation.Admin.ConfigureRegisterBuild.Run(ActivityContext context)

What does that stack trace mean? And is there any chance of this setup working? I did read around the web that it's not well supported but there are also a couple of success stories.

weegee
  • 3,256
  • 2
  • 18
  • 32
Vincent
  • 1,459
  • 15
  • 37
  • is the machine in the "Dev"-Domain? – Oswald Jan 14 '14 at 10:17
  • Yes, the "Dev" domain is our development domain. The stacktrace comes from a machine within the "Dev" domain. – Vincent Jan 14 '14 at 10:32
  • and exists this useraccount? You can specify the useraccount in the configuration wizard or later in the BuildConfiguration in the Team Foundation Server Administration Console – Oswald Jan 14 '14 at 16:39
  • Specifying the shadow user account in the configuration wizard does not change the outcome. And I'm running the TFS Administration Console as the shadow user. – Vincent Jan 15 '14 at 10:09
  • Does ist works with a non-shadow user? – Oswald Jan 15 '14 at 10:19
  • No. I initially authenticated with credentials from the "main" domain during the "Select a Collection from the TFS server" step. This allowed me to select a Collection but resulted in the same error as mentioned above. – Vincent Jan 15 '14 at 10:24
  • Can you try to start the setup as a user with access to the tfs (and is no shadow)? – Oswald Jan 15 '14 at 10:26
  • No, I can not run the setup as a non-shadow user with access to TFS. There is no trust in between the domains thus I can not add a user from the Development domain to the TFS server. – Vincent Jan 15 '14 at 10:38
  • http://msdn.microsoft.com/en-us/library/ms400682(v=vs.110).aspx <-- There is written: "Two-way trust". So I think the two domains must trust eachother – Oswald Jan 15 '14 at 14:10

1 Answers1

3

It turns out the above is indeed possible but only with a few hacks. First you need to run through the install by entering a domain account at the point where it asks for "an account to run the service under". The wizard will be happy with a domain account from the DEV domain and complete. The domain account is one from the Dev domain and there is no equivalent in the main domain.

At this point you are left with an error in the eventlog stating "You are not authorized to access ...". Now the hacking begins. You have to go to the services console (start->run->services.msc) and manually change the "Log On As" account for the "Visual Studio TFS Build Service Host 2013" service to your shadow account (i.e. the local account that exists on both the build server and the TFS server with the same name and password). You will need to restart the service for it to take effect. This should stop the error from showing up in the eventlog.

Lastly, you can go to the TFS Administration Console and add an agent. And now you should be able to send builds it's way.

The reason you can not configure the account through TFS Administation Console is because it does not allow a local account to be specified at "Connect to TFS as". This of course makes sense since normally a local account is not recognized outside of the box. The checkbox of "Use the same identity as Windows Service" is checked by default so it will use whatever account was specified as the "log on as service" account.

I hope this saves someone out there some serious head scratching.

Vincent
  • 1,459
  • 15
  • 37
  • Nice solution! The only thing here is that it cannot register the service with the Network service account. The error then is : User not found domain\machine$ – Kenny Saelen Jan 24 '14 at 19:23
  • Thank you. I made a mistake in my answer above. I ended up using a DEV domain account at the wizard (where it asks for "an account to run the service under"). Network service did not work indeed. – Vincent Jan 27 '14 at 07:38
  • I'm curious if this solution changed with Update 2? When I enter the DEV domain account I receive the error "User account DEV\devuser not found" and can't get past that error. I assume the error is coming from the TFS server in the main domain... – Jason Capriotti Jul 03 '14 at 15:29
  • You do know that you need to use your own domain name, right? So you should replace DEV with your own domain name. I somehow doubt this hack will stop working with update 2, but we will be installing it soon so I'll post back the results. – Vincent Jul 04 '14 at 06:19