Azure-pipelines-agent: TFS Build Agent failing against TFS 2017 on premise TF400813: Resource not available for anonymous access. Client authentication required.

What do your IIS auth settings look like? Mine are like this:

Anonymous enabled on the website

Anonymous and Windows auth on the webapp

Negotiate and then NTLM providers
And Enable Kernel-mode authentication checked on advanced settings

iisreset may be required after changes.

oops i got the pictures backwards

can you send ersciple the worker diag log (at microsoft com). it is under the _diag folder under the agent directory.

do you have a proxy server?

if you're not using a proxy, then can you send a fiddler trace too. instructions for redirecting the agent traffic to fidder is here

@slautebach
If you have access to your TFS AT, can you check the event log? there should be an error correspond to the client side error.

We ended up opening a Microsoft Support incident ticket, and they have been looking at the issue. They haven't been able to come up with a solution yet (we sent them the logs, event logs, fiddler traces, etc). I checked the settings as @ericsciple mentioned and they are already already configured as suggested. @TingluoHuang I checked the event log viewer, and found the following error message below.

Log Name:      Microsoft-Team Foundation Server/Debug
Source:        Microsoft-Team Foundation Server
Date:          2017-01-31 9:16:49 AM
Event ID:      0
Task Category: This task has debugging events
Level:         Error
Keywords:      Info Messages
User:          NETWORK SERVICE
Computer:      win2016-tfs.****.com
Description:
TFS ProductTrace Entry
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Team Foundation Server" Guid="{80761876-6844-47D5-8106-F8ED2AA8687B}" />
    <EventID>0</EventID>
    <Version>3</Version>
    <Level>2</Level>
    <Task>1</Task>
    <Opcode>10</Opcode>
    <Keywords>0x8000000000000001</Keywords>
    <TimeCreated SystemTime="2017-01-31T14:16:49.288277300Z" />
    <EventRecordID>196212</EventRecordID>
    <Correlation ActivityID="{4D46F8E4-C464-4FF9-AB3B-3FCBD3D5596C}" />
    <Execution ProcessID="17132" ThreadID="12948" />
    <Channel>Microsoft-Team Foundation Server/Debug</Channel>
    <Computer>win2016-tfs.****.com</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <UserData>
    <Info TraceId="{00000001-0001-0001-0000-000000000000}  " xmlns="http://schemas.microsoft.com/TeamFoundation/2010/Framework">
      <Tracepoint>5510500</Tracepoint>
      <ServiceHost>{5AEBEE0F-ADC8-4475-AB68-1E6909B5FB45}</ServiceHost>
      <ContextId>3768253</ContextId>
      <ProcessName>w3wp</ProcessName>
      <Username>
      </Username>
      <VSID>{00000000-0000-0000-0000-000000000000}</VSID>
      <Service>
      </Service>
      <Method>
      </Method>
      <Area>Authentication</Area>
      <Layer>Service</Layer>
      <UserAgent>VSServices/15.255.65000.0 (NetStandard) VstsAgentCore-win7-x64/2.105.7 (Microsoft Windows 10.0.14393)</UserAgent>
      <Uri>/tfs/Sandbox/_apis/connectionData?connectOptions=1&amp;lastChangeId=-1&amp;lastChangeId64=-1</Uri>
      <Path>
      </Path>
      <UniqueIdentifier>{C3E50C9D-22B4-4E60-BE0E-CC5675623F41}</UniqueIdentifier>
      <UserDefined>
      </UserDefined>
      <ExceptionType>
      </ExceptionType>
      <Message>Could not find validator for token: {"typ":"JWT","alg":"RS256","x5t":"qRATbduhB09zX3CyRha4WCWNGkQ"}.{"nameid":"c92dd17d-a981-4959-98b6-8d21f06df5a2","scp":"app_token","aui":"7b710508-7fe3-42d9-8b29-c28cd48b292e","sid":"94a5fd78-7406-44c0-8dfb-90831b2dc395","iss":"win2016-tfs.****.com","aud":"win2016-tfs.****.com","nbf":1485872206,"exp":1485876106}</Message>
    </Info>
  </UserData>
</Event>

Microsoft got back to us and gave a recommendation to try with no guarantee. It successfuly worked.

It appears that during our upgrade TFS did not register a OAuth token for the server.

The SQL recommend to execute was:
using the FQDN (ie tfs-server.doman.com)

EXEC prc_SetRegistryValue 1,'#\Configuration\OAuth\TrustedIssuers\tfs-sever.domain.com\','Microsoft.TeamFoundation.Framework.Server.OAuth.ClientAuthTokenValidator'

This prevented all users from logging in after a TFS server reboot.
We then tried with just the server name (ie tfs-server)

EXEC prc_SetRegistryValue 1,'#\Configuration\OAuth\TrustedIssuers\tfs-server\','Microsoft.TeamFoundation.Framework.Server.OAuth.ClientAuthTokenValidator'

This than allowed normal user login and the builds to finally work after a server reboot and re-registering all the build agent.

@slautebach cool, customer support reach us, and we provide the sql script, glad you unblock and thanks for reporting this issue. :)

Hi

I had the same issue and I took a leap of faith and ran the stored procedure described above with the name of my load balanced end point. It worked.

I had to reboot the TFS application servers, but there was no need to re-register the build agents in my case.

Thanks

Jared

Does the just released update1 solve this issue?

@alaiaedu i don't think Tfs2017 update1 has any fix for this particularly issue. since the root cause is a configuration issue.

Thank you slautebach and jaredfholgate! I had just updated from TFS2010 to TFS2017, and was experiencing this problem. I ran the stored proc, then tfsservicecontrol quiesce/unquiesce to restart the application tier. Now my agents are talking to the system. I did not need to reinstall the agents.

@slautebach was there a check to confirm TFS did not register an OAuth token?

TFS 2018 contains a fix to address this problem.

I am seeing this issue on my TFS 2017 server. I have tried running agent on a Windows 10 workstation and from a Windows Server 2012 R2 box both with a designated service account and with the TFS admin account. My XAML builds are working fine and I can't risk moving to 2018 and having no builds. I tried the stored procedure, but it didn't help. If I run the stored procedure with the server's FQDN, I get “Warning! The maximum key length for a clustered index is 900 bytes. The index 'PK_blah_blah' has maximum length of 1044 bytes. For some combination of large values, the insert/update operation will fail.”.
We had everything working fine until I had to rebuild the server on new hardware. Same computer name, but slightly different hardware. I'm using the same certificate.

The warning from "EXEC prc_SetRegistryValue" is expected. That's just SQL being SQL.

Setting it to the FQDN and rebooting didn't seem to help either. Everything works fine in a browser for the account, but I can't get this Agent to work since I rebuilt the server.

@ttolley can you verify it matches the values in the server url configured in the admin console?

Yes, the URL that I use in the stored procedure matches the admin console public URL. It's also the same URL I use when trying to run config.cmd. If I try a different account that shouldn't have permissions, it connects enough to know that that account does not have permissions to configure the agent. The users can connect via visual studio and in the browser. The user that I'm trying to configure the build server with can connect via browser and visual studio. XAML builds still work. The only thing that appears to be broken is the build agent.

@ttolley can you confirm you ran the SQL command against the config db and not the collection db?

I'm was using TFVS 2018 with the same problem.
this script solved my problem.

EXEC prc_SetRegistryValue 1,'#\Configuration\OAuth\TrustedIssuers\tfs-server\','Microsoft.TeamFoundation.Framework.Server.OAuth.ClientAuthTokenValidator'

@janmohammadi - it would be interesting to know the sequence of events for a repro. We know the fix, thought we understood the repo (scenarios where external url changes) but then couldn't repro. Was this an AT move, collection upgrade via attach, server name change, AT(s) behind a new VIP/NLB, etc....?? We had a fix ready to automated running that sql command but then couldn't repro ...

Hi @bryanmacfarlane ,
we are experiencing the same issue.
What we've done:

• Installation of TFS 2018
• Use of TFS with internal IP (fqdn of vm hosting tfs)
• Changing external url to a public url
• using tfs with public url only (Firewall/NAT)
• installation/configuring tfs build agent using internal name and ip without NAT (inside our closed environment)
• configuring test build using public url
• run test build on worker -> crashes with error description above

any recommondations?

in our dev -environment (without confuriguring and using public url), builds work fine

Yes, the URL that I use in the stored procedure matches the admin console public URL. It's also the same URL I use when trying to run config.cmd. If I try a different account that shouldn't have permissions, it connects enough to know that that account does not have permissions to configure the agent. The users can connect via visual studio and in the browser. The user that I'm trying to configure the build server with can connect via browser and visual studio. XAML builds still work. The only thing that appears to be broken is the build agent.

Hi @ttolley

Did you mange to resolve this issue. We are experieneing the exact same problem and the suggested fix does not help. Our agents cannot connect to our TFS instance. Users can connect without issues.

Yes, I did. It was very weird and what I found probably will not help you. We had enabled "Client Certificate Mapping With Active Directory" in IIS. Uninstalling that role from the server fixed my issue. But, this was the second time I ran into this. The first time, I migrated to a new domain and TFS healed itself. It's all very strange and frustrating.

The build agent is extremely finicky and it's making me (as the administrator) strongly recommend that we consider using an alternate source control project. I'm tired of troubleshooting this every time a security change is made on my network. I never had this kind of trouble with the build server pre the agents.