0
  • Using an on-premises build server with Azure DevOps Services
  • Build agent configured to use an AD account with administrative privileges on the build server
  • Pipeline executes a Powershell script which, in turn, executes the tf.exe utility
  • Specific command is tf.exe vc workspaces /collection:[Azure collection address]
  • Command fails with F30063: You are not authorized to access [Azure collection address]
  • Thought the problem could be resolved by providing the build agent's user/pass with the /login switch. But this seems to make no difference to the workspaces command

This problem can be temporarily resolved by:

  • Log onto build server using the same account that is used by the build agent
  • Open a Visual studio command prompt
  • Run the command: tf.exe vc workspaces /collection:[Azure collection address]
  • At this point, the Microsoft login screen is displayed e.g.
  • Provide the login with the build agent's credentials
  • Command runs successfully
  • If the pipeline is run again after this, it will run successfully as well
  • But after an seemingly variable period of time (sometimes days), this authentication appears to expire and the pipeline begins throwing the "unauthorized access" error again
  • Then the "fix" with the command line needs to be repeated

What needs to be done to persist the authentication within the pipeline (or Powershell script) so the account information does not need to be manually reentered?

user1617242
  • 53
  • 1
  • 5

2 Answers2

0

By default the Visual Studio will cache the credentials automatically. And if we want to change the login credentials information, we need to clear the caches and re-enter the new credentials.

  1. Open Command Prompt window and navigate to Visual Studio installation path: cd Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\Common7\IDE​
  2. Start your Visual Studio use runas command: runas /netonly /user:TFSCredentialUser devenv.exe
  3. Now it will prompt you type the password of the user. Please type your new password to open your Visual Studio. If you type the wrong password, it will prompt you type the password again after Visual Studio starting.

You could also refer to this ticket to clean the credentials

Vito Liu
  • 7,525
  • 1
  • 8
  • 17
  • Followed the instructions in the referenced ticket and deleted the folders VS uses for caching. The credential manager did not have an entry for the account were using to run the pipeline/script, so no changes there. Started VS using the "runas" command using the appropriate account credentials. On start, Team View shows the message "You do not have access to [Azure collection address]". Visual Studio never prompts for any logon information. I'd expect TeamViewer would be able to access Azure after this procedure. – user1617242 Jan 03 '21 at 15:23
  • Hi @user1617242, please check Levi answer and then kindly share the result here. – Vito Liu Jan 05 '21 at 09:49
  • I'm not sure how I would register this pipeline with OAuth service as there is no URL to register (provided I'm correctly understanding how OAuth works; in addition, the docs state OAuth is not recommended for on-prem servers like this one). Tried generating a PAT with the build server agent's account and included that as the password in the script. That did not work either. The link Levi provides in his post is pretty much the exact scenario that I am facing. It does not appear as though they were able to come up with a satisfactory solution to the issue. Still open to suggestions, however. – user1617242 Jan 05 '21 at 18:22
  • Hi, If Levi answer could help you, would you please [accept it](https://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work/5235#5235) as the answer? So it could help other community members who get the same issues and we could archive this thread. Thanks. Have a nice day. :) – Vito Liu Jan 06 '21 at 10:09
  • Levi's answer did not resolve my problem. But the [link](https://stackoverflow.com/questions/49868046/how-to-connect-tfs-online-using-pat-or-oaut) he included in the response describes the exact same issue that I'm having. There was not a resolution in that question either, unfortunately. – user1617242 Jan 06 '21 at 20:32
0

You can have a try using the System.accesstoken to login in the build pipeline by specifying the /loginType:OAuth. See below example:

tf.exe workspaces /collection:https://collection.visualstudio.com/ /loginType:OAuth /login:.,$(System.AccessToken) /noprompt

In order to access the System.accesstoken in your pipeline. You need to edit your pipeline and click on the agent job node where the command line task will be running under then select ”Allow scripts to access the OAuth token”. See here for more information.

Please also check out this similar thread.

Levi Lu-MSFT
  • 27,483
  • 2
  • 31
  • 43