Team Foundation Server Proxy 2008 Self-Help Troubleshooting Guide

In addition to How TFS Proxy 2008 works and TFS Proxy 2008 FAQ, this post focuses on self-help troubleshooting TFS Proxy 2008 issues.  The goal of this post is to guide the reader to troubleshoot simple but very common Proxy issues, or at least to give the reader a general idea what could be wrong.  You may still need to seek for professional help if the issues with your TFS Proxy setup is beyond the scope of this self-help guide.

  1. Make sure Proxy service account and its password are valid.
    1. Make sure Proxy service account is not disabled.
    2. Make sure Proxy service account's password is not expired.
    3. Update Proxy service account password in Proxy AppPool with TfsAdminUtil.exe.  You can find this in the Tools folder under TFS or TFS Proxy installation folder.
    4. If your TFS setup is in a domain environment, you might want to consider running TFS Proxy 2008 with a network service account (It is a convenient trick but it is not officially supported by Microsoft.)
  2. Make sure Proxy service account is allowed and not denied GENERIC_READ permission on TFServer.  This is a bit complicated and will be explained in a paragraph below.
  3. Make sure proxy.config contains the right TFServer address.
    1. Make sure the Server entries in proxy.config use this format http://serverAddress:port/ instead of the old format used by TFS Proxy 2005.
  4. Make sure TFServer and Proxy addesses can be correctly resolved and AppPool is running.
    1. One easy way to test this is to try the following steps:
      1. From a client machine, open http://proxyAddress:port/VersionControlProxy/v1.0/ProxyStatistics.asmx
      2. From a client machine, open http://serverAddress:port/VersionControl/v1.0/ProxyStatistics.asmx
      3. From Proxy server, open http://serverAddress:port/VersionControl/v1.0/ProxyStatistics.asmx
    2. If everything is setting up correctly, for each trial you should see a web page with links such as "Service Description" and "QueryProxyStatistics".
  5. The System Event Log (eventvwr) on the proxy and server machine is another place you can look for issues that block your TFS from working properly.

There is also a troubleshooting guide for TFS Proxy on MSDN: Troubleshooting Team Foundation Server Proxy http://msdn.microsoft.com/en-us/library/ms400681.aspx

The story behind "Make sure Proxy service account is allowed and not denied GENERIC_READ permission on TFServer."

First, three things to know:

  1. TFS permissions can only be assigned to identities recognized by TFS.
  2. A user/group inherits permission settings from its parent group.
  3. Deny overrules Allow.

In order to make Proxy work, we need to make sure Proxy service account is recognized by TFServer and is allowed but not denied GENERIC_READ permission.

Preparation:

  • In a workgroup setup, you must have a local machine account on TFServer machine, which must have the same username and password as Proxy service account's.
  • Locate Tools\TfsSecurity.exe under your TFS installation folder.

The easy way:

Because GENERIC_READ is allowed on the "TF Valid Users" group, therefore we can create a server-level group and add Proxy service account as a member so that the server-level group inherits GENERIC_READ from "TF Valid Users" and Proxy service account inherits GENERIC_READ from the server-level group.

  1. Create a server-level group.  Let's call it "Proxy Service Accounts"
    1. TfsSecurity /server:http://serverAddress:port/ /gcg "Proxy Service Accounts"
  2. Add Proxy service account as a member
    1. TfsSecurity /server:http://serverAddress:port/ /g+ "Proxy Service Accounts" domain\proxyServiceAccount
  3. Done!

The hard way:

If the easy way did not work, then most likely GENERIC_READ is either explicitly and effectively denied for Proxy service account.  To find out where GENERIC_READ is explicitly denied, do

TfsSecurity /server:http://serverAddress:port/ /acl $NAMESPACE

Keep in mind that a user/group inherits permission settings from its parent group.  Check whether Proxy service account inherits "Deny GENERIC_READ" from its parent or grand-parent groups.

Update:

May 20, 2009: Corrected test links to server's proxy statistic page.  Thanks to Len Ocin for pointing it out!

Published 05 February 09 05:16 by tsyang
Filed under: ,

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

# granth's blog said on February 9, 2009 2:03 AM:

Also see the Team Foundation Server Proxy 2008 FAQ and Team Foundation Server Proxy 2008 Self-Help Troubleshooting

# granth's blog said on February 9, 2009 2:05 AM:

Before I joined Microsoft I hadn’t had any exposure to Team Foundation Server Proxy. As you know from

# Len Ocin said on May 19, 2009 11:52 PM:

As for your steps to test things out.

Step 3 (From Proxy server, open http://serverAddress:port/VersionControlProxy/v1.0/ProxyStatistics.asmx) did not work for me, until the PL in Europe pointed out that the VersionControlProxy vdir will only be available on the proxy server.

So I tried http://serverAddress:port/VersionControl/v1.0/ProxyStatistics.asmx instead and that works.

But my Proxy still are not working!  I'm in a blind here (not that experienced with server stuff).

What also is strange, that when I try to go to https://servername:8081 in my browser (on the proxy server), I get an error:

The website declined to show this webpage

Most likely cause:

 - The website requires you to log in.

Of course the site require me to log in, and if I do that last step on my development machine (vista), a login dialog pops up.  Not the case on the proxy server (win 2k8).

Any ideas?

# Len Ocin said on May 19, 2009 11:55 PM:

I lied..if I try that last step on my development machine, I get a login prompt.  After loggin in (yes, right username/password) I get the same error as the server give me.

# tsyang said on May 20, 2009 11:12 AM:

Hi Len Ocin, could you be a bit more specific how your TFS Proxy is not working?  Another place that I missed in the self-help guide is that the event log (eventvwr) on the proxy is usually a good place to see why the proxy is not working.

Leave a Comment

(required) 
(optional)
(required) 

  
Enter Code Here: Required

Search

This Blog

Tags

Syndication

Page view tracker