Azure-pipelines-agent: Authentication issue from agent on Ubuntu to the TFS 2015 OnPrem

Created on 4 May 2016  ·  4 Comments  ·  Source: microsoft/azure-pipelines-agent

Hi, It looks very promising!

I installed .NET Core and the agent on Ubuntu 14.04.4 LTS.
Added all chains of certificates from tfs.company.com to /etc/ssl/certs/ca-certificates.crt
However, I got an authentication issue.

buildaccount@linuxvm:~/agent$ ./run.sh configure --url https://tfs.company.com/tfs --agent linuxvm --pool PoolName --auth Negotiate --username DOMAIN\\buildaccount

>> End User License Agreements:

Building sources from a TFVC repository requires accepting the Team Explorer Everywhere End User License Agreement. This step is not required for building sources from Git repositories.

A copy of the Team Explorer Everywhere license agreement can be found at:
  /home/buildaccount/agent/externals/tee/license.html

Enter accept the Team Explorer Everywhere license agreement now? (Y/N) (press enter for N) > Y

>> Connect:

Enter password > **************
Connecting to server ...
An error occurred while sending the request.
Failed to connect.  Try again or ctrl-c to quit
Enter password > Exiting...

Here is the part of the log:

[2016-05-04 20:42:44Z ERR  Terminal] System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.Http.CurlException: SSL peer certificate or SSH remote key was not OK
   at System.Net.Http.CurlHandler.ThrowIfCURLEError(CURLcode error)
   at System.Net.Http.CurlHandler.MultiAgent.FinishRequest(EasyRequest completedOperation, CURLcode messageResult)
   --- End of inner exception stack trace ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at Microsoft.VisualStudio.Services.Common.VssHttpMessageHandler.<SendAsync>d__17.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Net.Http.HttpClient.<FinishSendAsync>d__58.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.<SendAsync>d__45.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.<SendAsync>d__42`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at Microsoft.VisualStudio.Services.Location.Client.LocationHttpClient.<GetConnectionDataAsync>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at Microsoft.VisualStudio.Services.Client.VssServerDataProvider.<ConnectAsync>d__39.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.VisualStudio.Services.Agent.AgentServer.<ConnectAsync>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.VisualStudio.Services.Agent.Listener.Configuration.ConfigurationManager.<TestConnectAsync>d__9.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.VisualStudio.Services.Agent.Listener.Configuration.ConfigurationManager.<ConfigureAsync>d__7.MoveNext()

Two questions:

  1. Does the agent use the certificates installed in Linux?
  2. Does NTLM authentication work on v2.99.0?

All 4 comments

This preview is only targeting VSTS.

But, you cut out a key piece of info. Which auth type did you select when configuring? What did it default to?

Most pieces should be in place for it to at least get this far and config via ntlm so adding Stan on cert question.

If you get past config next piece that won't work is git. We're doing work in git core to ensure the bearer token we get can get through the front door. We're also doing work in the TFS on-prem server to allow bearer tokens through. We might be able to provide instructions for current TFS, we'll see. So a bunch of stuff has to come to get for the next version of TFS for this to all hang together.

Closing since nothing to fix (preview not supported on prem yet and when it does will be next TFS on prem). When we release, we will support this agent against TFS 2015 but you have to use PAT as authentication type and enable basic auth since as I outlined above, takes server work to get it to all hang together.

@rusergeev - watch for future (soon) preview that will support PAT to TFS2015. We're waiting on a git core release slated for June to support this.

Q. Does NTLM authentication work on v2.99.0?
A. If you select "Negotiate" auth type on Ubuntu 14.04, you should be able to connect to on premise TFS.

The exception says "SSL peer certificate or SSH remote key was not OK". I suggest trying to open the TFS in a browser to verify that all certs were installed correctly.

OK, it works. The problem was in certificates, I suppose.
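
The trust check behind the `CurlException` in the log can be reproduced from the shell without a browser. The following is an added example, not part of the original thread: it builds throwaway, constructed CAs and a server certificate with the `openssl` CLI and shows the verification result before and after the issuing root is appended to a bundle. The function names and the `public-root` / `corp-root` CA names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the issue thread). All keys and certificates are
# constructed, throwaway test material created in a temp directory.

# new_ca DIR NAME: self-signed CA; relies on the stock openssl.cnf, whose
# v3_ca section marks certificates from "req -x509" as CA:TRUE.
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# new_leaf DIR CA HOST: server certificate for HOST signed by CA.
new_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 2 -out "$1/$3.crt" 2>/dev/null
}

# chain_trusted BUNDLE CERT: succeeds only if CERT chains to a CA in BUNDLE
# (the constructed CAs are not in any system store).
chain_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: a bundle holding only an unrelated root rejects the server cert;
# appending the issuing root (what the reporter did by hand) makes it verify.
demo() {
    local d before after
    d=$(mktemp -d) || return 1
    new_ca "$d" public-root && new_ca "$d" corp-root &&
        new_leaf "$d" corp-root tfs.company.com || { rm -rf "$d"; return 1; }
    cp "$d/public-root.crt" "$d/bundle.pem"
    chain_trusted "$d/bundle.pem" "$d/tfs.company.com.crt" \
        && before=trusted || before=untrusted
    cat "$d/corp-root.crt" >> "$d/bundle.pem"
    chain_trusted "$d/bundle.pem" "$d/tfs.company.com.crt" \
        && after=trusted || after=untrusted
    rm -rf "$d"
    echo "before=$before after=$after"
}

demo
```

Against a real server, `openssl s_client -connect tfs.company.com:443 -CAfile /etc/ssl/certs/ca-certificates.crt` reports the same decision in its `Verify return code` line. On Ubuntu, `/etc/ssl/certs/ca-certificates.crt` is regenerated by `update-ca-certificates`, so a root placed as a `.crt` file under `/usr/local/share/ca-certificates/` survives where a hand-appended one may not.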
