1

Unable to connect to TFS2015

Getting the "Something Broke Down"error when trying to add a TFS connection.

Log file shows the following:

[2017-02-01 15:51:10.817] [DEBUG] main - LocalWebService started
[2017-02-01 15:51:10.819] [DEBUG] main - ApplicationManager start complete
[2017-02-01 15:51:10.819] [DEBUG] main - Opening dashboard
[2017-02-01 15:51:12.831] [DEBUG] main - App state changed. User signed in:  false
[2017-02-01 15:51:13.828] [DEBUG] main - Opened dashboard on start: http://127.0.0.1:60295/?onStart=true
[2017-02-01 15:51:13.829] [DEBUG] main - Tray app initialization complete
[2017-02-01 15:51:15.950] [INFO] console - Tray icon status: [object Object].
[2017-02-01 15:51:38.799] [INFO] console - web stdout: fail
[2017-02-01 15:51:38.799] [INFO] console - web stdout: : Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware[0]
      An unhandled exception has occurred while executing the request
System.Net.Http.HttpRequestException: Response status code does not indicate success: 500 (Internal Server Error).
   at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
   at Web.Services.Tfs.TfsAdapterBase.EnsureSuccessfulResponse(HttpResponseMessage response) in C:\Build\2\_work\2\s\Desktop\LocalWeb\Services\Tfs\TfsAdapterBase.cs:line 411
   at Web.Services.Tfs.TfsAdapterBase.<>c__DisplayClass27_0`1.<<TfsGet>b__0>d.MoveNext() in C:\Build\2\_work\2\s\Desktop\LocalWeb\Services\Tfs\TfsAdapterBase.cs:line 314
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at Web.Services.Tfs.TfsAdapterBase.<>c__DisplayClass29_0`1.<<InvokeWithAuthRetryAndLimiting>b__0>d.MoveNext() in C:\Build\2\_work\2\s\Desktop\LocalWeb\Services\Tfs\TfsAdapterBase.cs:line 344
<SNIP>

Using fiddler I see the response for /tfs/<collection>/Hub/_apis/build/definitions?api-version=2.0 is a 500 with the following content. I have no problems connecting to this team collection via VS or Web.

{"$id":"1","innerException":null,"message":"TF401027: Your account (<domain\user.account>) lacks the permission(s) required for the operation you are attempting. You need to have 'GenericRead'. Please contact your administrator.","typeName":"Microsoft.TeamFoundation.Git.Server.GitNeedsPermissionException, Microsoft.TeamFoundation.Git.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","typeKey":"GitNeedsPermissionException","errorCode":0,"eventId":3000}

2 replies

Thanks for detailed description! 

We use TFS API request to get the list of build definitions for the project - https://www.visualstudio.com/en-us/docs/integrate/api/build/definitions . It should not require any special permissions in the default TFS configuration, and any user that has access to the project should be able to execute it. 

Build definition listing may include the names of the branches that were built. This could explain git exception about missing read permissions. However, TFS API does not have an option to get less information from this request, and skip those branch names.

Does your TFS server has some additional security restrictions on the project "Hub", like explicit permissions denies? Can you see the list of build definitions for this specific project in TFS web UI?

Thanks, that's pointed me in the right direction - I have temporarily added back permissions to that project - it had explicit deny on the contributors group, as it's a project we want to keep in source control for audit purposes but don't want anyone checking out or building - and now I can connect.

Would it be possible in a future to skip projects when TFS returns a Microsoft.TeamFoundation.Git.Server.GitNeedsPermissionException for that project? Ideally we are looking to add explicit deny for some user groups to some of our other projects, and this would stop those users from using catlight.

Thanks for the help, and the awesome software :)

Have you considered removing access for certain users on a project level? If the user does not have any access to the project, then TFS would not return it in API response, and CatLight will not try to access it. I think this can be achieved if users are not participating in "contributors" or any other project groups. After this change, this project should also be inivisble for them in TFS Web UI.