0
votes

I am having an issue getting my OnPrem Azure DevOps 2019 Server to allow things to authenticate to it with Personal Access Tokens (PAT). No matter what I do, I get "Failed to authenticate using the supplied token."

How I am creating my token:

  1. Log into my OnPrem devops site
  2. Go to my user profile icon in the top right, click security, click personal access tokens, click new token
  3. In Create new personal access token, for some reason the organization (collection) I want to use is not listed. I am seeing an old XML based collection but not my new Inheritance based collection. Why doesn't the newer format collection show up? My user account is an admin account, you'd think it would be here?
  4. If I create a PAT token for the old XML based collection and give it full access plus a 90 day expiration, it creates it fine

Now I have a PAT token based off the old XML based collection, but that still doesn't work. If I run the AZ CLI I get this:

    AZ DEVOPS LOGIN --organization https://tfs.mydomain.com/OldXmlCollection --verbose
    Token: {paste in token}
    Creating connection with personal access token.
    Failed to authenticate using the supplied token.
    Command ran in 6.385 seconds (init: 0.167, invoke 6.12)

I also have the same problem if I try to set up a build agent using a PAT token. Fails every time, but if I change to negotiate auth it works immediately.

On the IIS end, the site the service is running on has authentication set up as follows: Anonymous Authentication: Enabled, ASP.NET Impersonation: Disabled, Basic Authentication: Enabled, Digest and Forms: Disabled, and Windows Authentication: Enabled.

Any ideas what I am doing wrong, or what to look at?

2
Just to add to this, when doing a curl to Azure DevOps I can get back a valid response when I use an actual user and password with basic authentication. If I do: curl -u {actual_user}:{actual_password} "tfs.mydomain.com/OldXmlCollection/_apis/projects" I get a valid JSON response with a list of projects in that collection/organization. If I do it with my PAT token: curl -u :{PAT} "tfs.mydomain.com/OldXmlCollection/_apis/projects" I get back HTML with "401 - Unauthorized: Access is denied due to invalid credentials" as the HTML response's title. - BlueBSH

Have you tried it with a PAT for all organizations? And does this issue also occur for other organizations? - Leo Liu-MSFT

Yeah, I've tried all and singular... always unauthorized, even with full access. Even made a new collection on the server and same result. - BlueBSH

I can get PAT tokens to work with DevOps on Azure, just tried that and it worked as expected... I spun up a Windows Server 2019 VM with an Azure DevOps 2020 Update 1 install to test against, and get the same exact error, HTTP 401 Unauthorized. Watching with Fiddler, it seems to be talking to dc.services.visualstudio.com, which is odd because this is an OnPrem server and the URL I am talking to is the OnPrem server URL. - BlueBSH

It's actually not because of basic authentication, it's because of a missing ACL in the file system. - BlueBSH

2 Answers

0
votes

PAT Token isn't working on 2019 OnPrem Azure DevOps

You could try to disable IIS Basic Authentication.

That's because when IIS Basic Authentication is enabled on your Windows machine, it prevents you from using personal access tokens (PATs) as an authentication mechanism.

Please check the document "Enabling IIS Basic Authentication invalidates using Personal Access Tokens" for some more details.

0
votes

What it turned out to be is a missing ACL in the file system. The service account that is running TFS needs to have write permission to the machine keys folder at %ProgramData%\Microsoft\Crypto\RSA\MachineKeys.

Why in the world is the installer not setting this permission? PAT will not work until this is set.
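
One way to check for the ACL described in this answer, and optionally add it, as an added example that is not part of the original answer. The account name `MYDOMAIN\svc-tfs` and the `-Grant` switch are assumptions made for the example; substitute the account your Azure DevOps Server service actually runs as.

```powershell
# Added example. $ServiceAccount is a placeholder, not a value from this page.
param(
    [string]$ServiceAccount = 'MYDOMAIN\svc-tfs',  # hypothetical service account
    [switch]$Grant                                 # add the ACE if it is missing
)

$path  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$write = [System.Security.AccessControl.FileSystemRights]::Write

function Test-WriteAce {
    param($Acl, [string]$Account)
    # Compare by SID so DOMAIN\name and name@domain spellings both match.
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $rules = $Acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    # Only ACEs naming the account itself are checked here; access that
    # arrives through group membership, and Deny ACEs, need a manual look.
    $allow = $rules | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $write) -eq $write
    }
    [bool]$allow
}

$acl = Get-Acl -LiteralPath $path
if (Test-WriteAce $acl $ServiceAccount) {
    "OK: $ServiceAccount has an Allow ACE with Write on $path"
}
elseif ($Grant) {
    # (W) = write access. No (OI)/(CI) flags, so the ACE applies to the
    # folder only and is not inherited by the key files inside it.
    icacls $path /grant "${ServiceAccount}:(W)"
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
    "Granted Write on $path to $ServiceAccount"
}
else {
    "MISSING: no direct Write ACE for $ServiceAccount on $path"
    "Current ACEs:"
    $acl.Access | Format-Table IdentityReference, AccessControlType, FileSystemRights
}
```

Run it from an elevated PowerShell session on the application tier; without `-Grant` it only reports and changes nothing.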