Which account should a TFS Build Agent service run under?

2
votes

Background information I need our TFS build agents to run under a specific account so that our ClickOnce certificates are authorised.

However if I run under the account X, which also is the user account of the build controller that has the correct certificates. I get the error: "Source is already in use". Even if I restart the service and/or the virtual machine.

Originally rightly/wrongly our build agents were running under the Network Service account, however this account cannot verify the certificates.

Using the Local System account does not give access to the build controller from a developer box.

So I guess my question is: What account should the service 'Visual Studio Team Foundation Build Service Host' run under?

2
tfstfsbuild

2 Answers

2
votes

It turned out that the account X was the correct choice (our build controller user account, that has few privileges).

It was that the account needed adding to the builders group TFS Admin.

1
votes

My personal suggestion would be: a specifically-created, minimum-privelige account that is only authorised as far as is necessary to build the code on your build machines, and no more.

I'm not aware of any restriction around the user for the build agent vs the build controller, though - in fact I'm sure I've used a similar setup before. Is it possible that your error is misleading? Changing users might be a workaround, but perhaps there's something else fixable going on.