5 votes

I am attempting to create a bug in TFS2010 by impersonating a user but always get

"TF30063 You are not authorized to access.."

I first authenticate using a service account and then attempt to impersonate a separate user account. I can successfully create Work Items using either account, both programmatically and in the web UI. However, when I try to create the Work Item using an impersonated account (either way around) I always get this error. My code is:

    // Requires: using System.Collections; using System.Collections.Generic;
    //           using Microsoft.TeamFoundation.Client;
    //           using Microsoft.TeamFoundation.Framework.Client;
    //           using Microsoft.TeamFoundation.WorkItemTracking.Client;
    public int Save(List<KeyValuePair<string, string>> values, ticketType type, string user)
    {
        // get the Uri to the project collection to use
        Uri tfsuri = new Uri("http://94.23.12.119:8085/tfs");

        // get a reference to the team project collection (authenticate as generic service account)
        using (var tfs = new TfsTeamProjectCollection(tfsuri, new System.Net.NetworkCredential("username", "password", "servername")))
        {
            tfs.EnsureAuthenticated();

            // Now get the details of the user we want to impersonate
            TeamFoundationIdentity identity = GetImpersonatedIdentity(tfsuri, tfs, user);

            // Now connect as the impersonated user
            // (this overload authenticates with the process's default Windows credentials,
            // not with the service account's NetworkCredential used above)
            using (TfsTeamProjectCollection ImpersonatedTFS = new TfsTeamProjectCollection(tfsuri, identity.Descriptor))
            {
                ImpersonatedTFS.EnsureAuthenticated();
                var workItemStore = GetWorkItemStore(ImpersonatedTFS);

                // create a new work item
                WorkItem wi = new WorkItem(GetWorkItemType(type, workItemStore));

                // Values are supplied as a KVP - Field Name/Value
                foreach (KeyValuePair<string, string> kvp in values)
                {
                    if (wi.Fields.Contains(kvp.Key))
                    {
                        wi.Fields[kvp.Key].Value = kvp.Value;
                    }
                }

                // Validate() returns the fields that are invalid; an empty list means the item can be saved
                ArrayList ValidationResult = wi.Validate();

                if (ValidationResult.Count == 0)
                {
                    wi.Save();
                    return wi.Id;
                }
                else
                {
                    return 0;
                }
            }
        }
    }

It successfully gets the impersonated identity but falls over on

ImpersonatedTFS.EnsureAuthenticated();

Both accounts have the 'Make requests on behalf of others' permission set.

2  user957902: How many hops are you making to get to tfs? In the case of multiple nodes X->Y->Z, service on box Y may be able to impersonate the id of the caller on box X. However, it may not have the right to pass that impersonation onto a service on yet another box Z.

Simon: Just one hop as far as I am aware.

2 Answers

1 vote

First let me clarify one thing first. It seems your application is a server application, in which case there is no value in using EnsureAuthenticated(). It is just a performance tuning trick to help UI/desktop clients.

Now back to your main issue: if your application works as expected when you access locally but fails when you access remotely, then please read on; otherwise this is not the solution for you.

The reason it is failing is because the SPN needs to be added to the service account on the active directory. It is necessary for Kerberos authentication to take place.

This is something that the TFS team needs to explain, because many developers will forget about it while focusing on the job at hand. Hope this helps.

To learn more about SPNs and Kerberos fundamentals, check out these resources:

I hope this helps.

Thanks!

0 votes

Where do your users have the Make requests on behalf of others permission set? Is it at the Project Collection level (accessed via Team > Team Project Collection Settings > Security...) or at the TFS server level (accessed via Team Foundation Administration Console > Application Tier > Security...)?

I think your problem is that you only have permission to impersonate at the 'Server' level, but you're trying to impersonate in a collection.

This is what Taylor has to say in his Introducing TFS Impersonation blog post:

This permission is encapsulated within each Team Project Collection and within the Configuration Server. This means that if User A has this permission on TPC1 he will not be allowed to impersonate users when talking to TPC2 or the Configuration Server. Similarly, if User B has this permission on the Configuration Server she will not be able to impersonate users when talking to any of the Team Project Collections.
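As an added example (not code from the question or from either answer), here is the same connect-then-impersonate pattern written so that the impersonating connection carries the service account's credentials explicitly, checks which identity the server actually authorized before anything is written, and maps the TF30063 case back to the per-collection scope of the "Make requests on behalf of others" permission described in this answer. The collection URL, account names and project name are placeholders supplied by the caller. The `TfsTeamProjectCollection(Uri, ICredentials, IdentityDescriptor)` overload, `IIdentityManagementService.ReadIdentity`, and the `AuthenticatedIdentity`/`AuthorizedIdentity` properties are used as I understand them from the TFS 2010 client API; verify them against the SDK for your version.

```csharp
using System;
using System.Net;
using Microsoft.TeamFoundation;
using Microsoft.TeamFoundation.Client;
using Microsoft.TeamFoundation.Framework.Client;
using Microsoft.TeamFoundation.Framework.Common;
using Microsoft.TeamFoundation.WorkItemTracking.Client;

// Added example: open a collection connection that impersonates a user while
// authenticating as a service account, then verify who the server thinks we
// are before saving anything. All argument values are caller-supplied placeholders.
public static class ImpersonationExample
{
    public static int CreateBugAs(Uri collectionUri, NetworkCredential serviceAccount,
                                  string impersonatedAccountName, string project, string title)
    {
        // 1. Connect as the service account to look up the identity we want to act for.
        using (var serviceConnection = new TfsTeamProjectCollection(collectionUri, serviceAccount))
        {
            var ims = serviceConnection.GetService<IIdentityManagementService>();
            TeamFoundationIdentity target = ims.ReadIdentity(
                IdentitySearchFactor.AccountName, impersonatedAccountName,
                MembershipQuery.None, ReadIdentityOptions.None);
            if (target == null)
                throw new InvalidOperationException("No TFS identity found for " + impersonatedAccountName);

            // 2. Open the impersonating connection with the SAME service credentials.
            //    The (Uri, IdentityDescriptor) overload would instead authenticate with the
            //    process's default Windows credentials, which may not hold the impersonation right.
            try
            {
                using (var asUser = new TfsTeamProjectCollection(collectionUri, serviceAccount, target.Descriptor))
                {
                    // 3. Sanity-check both identities: the server authenticated the service
                    //    account, but authorizes (and records) the request as the target user.
                    if (asUser.AuthorizedIdentity.Descriptor.Identifier != target.Descriptor.Identifier)
                        throw new InvalidOperationException(
                            "Impersonation not applied; acting as " + asUser.AuthorizedIdentity.DisplayName);
                    Console.WriteLine("Authenticated as {0}, authorized as {1}",
                        asUser.AuthenticatedIdentity.DisplayName, asUser.AuthorizedIdentity.DisplayName);

                    // 4. Create the work item; its history will attribute the change to the impersonated user.
                    var store = asUser.GetService<WorkItemStore>();
                    WorkItemType bugType = store.Projects[project].WorkItemTypes["Bug"];
                    var bug = new WorkItem(bugType) { Title = title };
                    var invalidFields = bug.Validate();
                    if (invalidFields.Count != 0)
                        throw new InvalidOperationException(invalidFields.Count + " field(s) failed validation");
                    bug.Save();
                    return bug.Id;
                }
            }
            catch (TeamFoundationServerUnauthorizedException ex)
            {
                // TF30063 here means the service account lacks "Make requests on behalf of
                // others" on THIS collection: the permission is granted per collection and
                // per configuration server, so a server-level grant alone does not cover it.
                throw new InvalidOperationException(
                    "Service account is not permitted to impersonate on " + collectionUri, ex);
            }
        }
    }
}
```

The identity check in step 3 is the part worth keeping in production code: if the descriptor on `AuthorizedIdentity` does not match the user you asked for, the work item would be created under the service account instead, and the audit trail would be wrong without any exception being raised.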