TFS 2012 Update 1: Permissions lost on attaching a collection–fix available

TFS 2012 Update 1: Permissions lost on attaching a collection–fix available

Rate This
  • Comments 30

[Update 2/1/13]  Finally! We now have the updated fix available. We went through quite a bit of testing. It is important to follow the instructions. Please take a moment to read these. I have copied them here from the KB article. If you tweet, blog or share the link for the patch, please use the KB article link. We still need to get the download page updated with the latest info from the KB article.

If you installed the original patch, you can and should install this patch. This one fixes a few additional issues, as detailed in the KB. You do not need to uninstall the original patch – just install this one to update your server.

This patch only contains fixes for the server, so you do not need to install it on your build, version control proxy, or SharePoint computers.

We apologize again for the disruption and appreciate your patience!

Installation information

Before you install the update:
  • Close any instances of Event Viewer that are running (EventVwr.exe).
  • Close any instances of Server Manager that are running (ServerManager.exe).
  • Close the Team Foundation Administration Console (tfsmgmt.exe).
If you have multiple load-balanced application tiers (ATs):
  1. Shut down all the ATs except for the one on which you will install the update. Make sure that you close the Admin Console on all these ATs.
  2. Remove the AT from the load balancer.
  3. Install the update (as discussed earlier).
  4. After you install the update to the first AT, install the update on the other ATs one at a time.
  5. Add the ATs back to the load balancer.
If you are using SQL Mirroring or SQL AlwaysOn features for your databases:
This update requires your SQL Databases to be set to simple recovery mode.  To make sure that the update can set simple recovery mode for your databases, do the following before you apply the update:
  • If your databases are in a SQL AlwaysOn Availability group, you must remove them from the availability group before you apply the update.
  • If the databases are part of a SQL Server database mirroring, you must remove (break) the mirror before you apply the update. 
As soon as the update process is complete, you may return the databases to the AlwaysOn group or re-enable database mirroring.

The patch is available here.

[Update 1/14/13] We have found that the patch fails to install correctly for installations where TFS is not installed on the primary drive. I apologize that we didn’t find this, and we all feel really bad about it . As a result, we are pulling the update down while we get this fixed. We will get it updated as soon as we can. If you are blocked by the permissions issue, contact CSS to get the fix until we re-release it. If you already have installed it successfully, you can continue to use it.

[Update 1/11/13] Download the fix. We have now release the patch to fix the problem, including restoring the permissions if you’ve already run into this. Within the hour, the KB article for it will be live.

[Update 1/4/13] We have published the list of bugs that will be fixed in the patch. We plan to have the patch available next week. Also, installing the patch will fix the permissions – it turns out they are not permanently lost. I’ve updated the text below to reflect that.

--

We want to let you know that we’ve discovered an issue where permissions are lost on attaching a collection to a server that is running TFS 2012 Update 1 or executing tfsconfig changeServerId (that command is used after cloning an existing server or cloning a collection). If you are not using the feature of detaching and attaching collections to move or clone them, you can ignore the rest of this post.

We are in the process of creating a patch to fix this issue, and it will be available in early January (we’ll post an update when it is available). The issue stems from an infrastructural change that we made for the Team Foundation Service but only affects on-premises installations.

Until the patch is available, we recommend that you do not attach a collection to a server running TFS 2012 Update 1 or that you contact customer support before attaching a collection in order for them to help you install a temporary fix.

There are two issues around the handling of permissions in the collection attachment process. The first issue results in a set of permissions being lost. These are the permissions that indicate which groups and users have access to a collection. Installing the patch will restore the permissions.

The second issue results in a set of permissions not getting imported into the configuration database from the collection database – they are just left in the collection database. Since they are still there, a SQL script can be used to import them.

As a result of the issue, you may see one or more of the following.

  • Contributors are unable to see team projects in the collection from any client (Visual Studio, web access, Team Explorer Everywhere, etc.).
    image
  • Permissions no longer work on collection level groups when the server ID was changed, a collection was migrated from another server, or the same collection was attached multiple times (such as when cloning).
  • Navigating to the team project directly and then going to the admin page results in a “TF400898: An Internal Error Occurred” being displayed for a user who is a member of the Team Project Administrators group.
  • TF50632: An error occurred removing the group member. There is no group member with the security identifier (SID)
    image
  • There are no build process templates in the build definition editor drop down.
    image
  • TF214008: No build definition was found with the URI vstfs:///Build/Definition/4. Either the URI does not exist or <group name> does not have permission to access it.
  • In the Team Explorer Builds page, “No builds exist for this definition” for a definition where there are builds.
    image

If you have been affected by this issue, please contact customer support. They will be able to help you determine the quickest way to recover from the situation.

I apologize for the inconvenience.

Leave a Comment
  • Please add 7 and 1 and type the answer here:
  • Post
  • Thomas, if you are blocked right now and have TFS installed in the default location on the system drive (normally C drive), email me, and I can provide it to you. My expectation at this point is that Monday is when we'll have an updated patch available (note that this could very well change, but it's my estimate based on what I know now).

  • Hello.

    As with most people my team is also in a difficult position of having to wait for this patch for our Test and Prod servers before we can complete the migration and we are running out of time.  We have TFS 2012 installed on the C drive with the OS.  Would I be able to get the patch that would work under these specifications?  Thanks.

  • @Buck: I sent you an email via your blog. I hope you received it. Thanks!

  • Thomas, just sent it to you - sorry for the delay.

  • Jonathan, email me, and I'll get it to you.

  • Hello Buck,

    Would this HF be available this week? Would be handy as we have a planned update 1 rolling out this weekend.

    Thanks

  • Hello Buck,

    Would this HF be available this week? Would be handy as we have a planned update 1 rolling out this weekend.

    Thanks

  • Gary, that is the plan, barring something popping up very late. Sorry for the delay and thanks for your patience.

  • Will we see the patch today?

  • Unfortunately, no. We did hit an issue that will delay it until next week. If you need it, you can email me (buckh-microsoft-com), and I can help you.

  • We've installed the update today but the combo box for build process template is still empty.  Is there any way to fix this manually?

  • Hi Daff. Can you please contact my email directly shsamy@microsoft.com so I can work with you investigating this issue?

  • Okay, email sent :) Thanks!

  • We just migrated to TFS 2012 from 2008 and now everyone has to be a Project Collection Administrator in order to view all the projects in the collection.  I tried applying the patch, but it didn't seem to fix the issue.  Do I need to detach and reattach the collection for the change to take affect?

  • Ryan, no. Please shoot me an email, and I can get you a script to address it. buckh-microsoft-com

Page 2 of 2 (30 items) 12