Author: Arun Ramalingam Reviewed by: Lakhminder Singh

Environment: TFS 2010 wired with MOSS 2007 and Installed on different machines. The MOSS server is set to work with “Kerberos” authentication.

The TFS2010 with MOSS wiring steps is available the MSDN link: http://msdn.microsoft.com/en-us/library/ee462861.aspx , if we notice these steps are for an environment that is set to use NTLM authentication. We can use the same steps for wiring a MOSS 2007 instance configured with Kerberos authentication but you may face some issues, read on how to mitigate it.

Issue:

With this environment, while creating a new Project collection you may encounter an issue with SharePoint site collection creation. This would throw a warning and skip the Site collection creation, but the rest of the Project collection components will be created.

You may also see the warning message as outlined below:

TF252005: Configuration of SharePoint Products failed with the following error: TF250046: A SharePoint site cannot be created at the following location: http://tfs/Sites/ProjCollection. The following user account does not have the required permissions in SharePoint Products to create a site at that location: <Domain>\TFSService. The server returned the following error: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)). You must grant the user account the permissions required to create site collections. For more information, see the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=161206).

SharePoint ULS log:

Unknown SPRequest error occurred. More information: 0x80070005

The site /Sites/ProjCollection could not be created. The following exception occurred: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

Exception Message: TF250046: A SharePoint site cannot be created at the following location: http://tfs/Sites/ProjCollection. The following user account does not have the required permissions in SharePoint Products to create a site at that location: <Domain>\TFSService. The server returned the following error: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)). You must grant the user account the permissions required to create site collections. For more information, see the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=161206). (type TeamFoundationServerException) Exception Stack Trace: at Microsoft.TeamFoundation.SharePoint.TeamFoundationIntegrationService.CreateSiteCollection(Uri siteUrl, String title, String description, UInt32 localeId, String templateName, fa25e2e1-3227-4c41-acf0-592637f36315

Cause:

The service account TFSservice, even though had the “Farm administrator” permissions, it was not able to create a site collection. This is because of the fact that the MOSS farm is set to use Kerberos authentication, but TFS is set to run with NTFS (Windows integrated) authentication and a service principal name is not set for the TFSservice account.

Workaround/Fix:

While integrating a MOSS instance/ farm that is set to use Kerberos authentication, a Service Principal Name is to be set for the TfsService account on the “SharePoint web application” that will host the project portal sites in the “Central administration” site of the MOSS instance /farm.

To set the Service Principal Name (usually done by the Domain administrator), we can use the SetSPN.exe tool. The syntax is given below:

Setspn.exe –S <web application url> <domain/TfsService>

Setspn.exe –S <Central admin url> <domain/TfsService>

To validate the SPN that is set for the TfsService account on these two url’s, run the following command

Setspn.exe –L<domain/TfsService>

This command will list the SPN assigned urls and services for the TfsService account.