I have been attempting to run a Team Foundation build server on a separate machine outside our domain. Install and connectivity between the servers was no problem but once we got the build configuration up and tried to perform a build from Team Explorer we got an error:
TF42056: The build service could not connect to the Team Foundation Server: TF30063: You are not authorized to access https://myserver.
I tried all our standard solutions:
- Set https://myserver as local intranet in Internet Explorer security settings.
- Stored username and password in the control panel applet.
- Cached username and password in Team Explorer
The IDE works perfectly but nothing works when we run Team Build, it turns out that this is an unsupported configuration due to the Team Build service not picking up locally configured alternate credentials. It’s a known issue in v1 for some of the command line tools. So far there doesn’t seem to be a workaround that could fix this, perhaps SP1 will add alternate credential support for all the command line tools.
These MSDN forum threads didn’t really help us but might help others with non-domain related issues:
I continued searching for info on this and found http://msdn2.microsoft.com/en-US/library/ms400712(VS.80).aspx#:
The Team Foundation client is in a workgroup instead of a domain, but Team Foundation Server is deployed in a domain. Local user accounts must be created on the Team Foundation client computers. If you do not want to require users to type a user name and password every time that a Team Foundation client must connect to Team Foundation Server, make sure that the local user accounts use the same user name and password as the domain user names. For more information, see.
I couldn’t get a local workgroup account set up so that it mapped to a domain account but I attempted a completely local configuration which did work even though my Team Foundation Server is set up in a domain:
- Create a local build user account (tfsbuilder) on the Team Foundation server.
- Add the tfsbuilder account to the Build Service TFS group for your project, this has to be done through Team Explorer on the TFS server since clients can’t add local accounts to the TFS server.
- Create a local build user account (tfsbuilder) on the build server.
- Give the tfsbuilder account all required permissions. I’m not sure which they are but I added the user to the Power User group and this works.
- Change the logon account for the Team Build Service to you local tfsbuilder account also giving the user log on as service permission.
- Restart the team Build Service.
- Kick off a build from your client and things should work smoothly!
The same solution should work for all command line tools using the “run as” start method.