TFS构建代理引发“未授权”异常

Question

我们已将TFS 2013服务器升级到TFS 2015，并且正在设置新的构建代理。

在此之前，我们进行了一次试运行，并在我们对现有TFS数据库进行了最终转换之前，让所有的工作合理地完成。构建代理工作得很好。

令我们惊讶的是，我们的构建代理不再合作升级后。创建一个简单的构建定义并将其分配给默认队列会导致在10-15秒后引发错误。

我们尝试重新部署构建代理，玩弄权限和用户，但无济于事。

我们所得到的是这样的_diag \日志：

11:18:09.699993 JobManager.StartJob(job.JobId = a9702f31-2dff-4057-8253-a32ebc106f32) 
11:18:09.699993 JobInfo.ctor 
11:18:09.699993 JobInfo.ctor - leave 
11:18:09.699993 JobManager.StartJob - calling JobWriter.StartJob 
11:18:09.699993 JobWriter.StartJob - enter 
11:18:09.699993 JobWriter.StartJob - (SKIPPING)first renew 
11:18:09.715619 JobWriter.StartJob - start continual renewing 
11:18:09.715619 AuthorizationType : OAuth 
11:18:09.731245 --------------------------------------------------------------------------- 
11:18:09.731245 Microsoft.VisualStudio.Services.WebApi.VssServiceResponseException: Unauthorized 
11:18:09.731245 at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.HandleResponse(HttpResponseMessage response) 
11:18:09.731245 at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.<SendAsync>d__79.MoveNext() 
11:18:09.731245 --- End of stack trace from previous location where exception was thrown --- 
11:18:09.731245 at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) 
11:18:09.731245 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) 
11:18:09.731245 at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.<SendAsync>d__76`1.MoveNext() 
11:18:09.731245 --- End of stack trace from previous location where exception was thrown --- 
11:18:09.731245 at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) 
11:18:09.731245 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) 
11:18:09.731245 at Microsoft.VisualStudio.Services.Location.Client.LocationHttpClient.<GetConnectionDataAsync>d__6.MoveNext() 
11:18:09.731245 --- End of stack trace from previous location where exception was thrown --- 
11:18:09.731245 at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) 
11:18:09.731245 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) 
11:18:09.731245 at Microsoft.VisualStudio.Services.Client.VssServerDataProvider.<ConnectAsync>d__39.MoveNext() 
11:18:09.731245 --- End of stack trace from previous location where exception was thrown --- 
11:18:09.731245 at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) 
11:18:09.731245 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) 
11:18:09.731245 at Microsoft.TeamFoundation.DistributedTask.Agent.Common.ConnectionHelper.GetConnection(Uri serverUri, VssCredentials credentials) 
11:18:09.731245 at Microsoft.TeamFoundation.DistributedTask.Agent.JobWriter.StartJob() 
11:18:09.731245 at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.HandleResponse(HttpResponseMessage response) 
11:18:09.731245 at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.<SendAsync>d__79.MoveNext() 
11:18:09.731245 --- End of stack trace from previous location where exception was thrown --- 
11:18:09.731245 at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) 
11:18:09.731245 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) 
11:18:09.731245 at Microsoft.VisualStudio.Services.WebApi.VssHttpClientBase.<SendAsync>d__76`1.MoveNext() 
11:18:09.731245 --- End of stack trace from previous location where exception was thrown --- 
11:18:09.731245 at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) 
11:18:09.731245 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) 
11:18:09.731245 at Microsoft.VisualStudio.Services.Location.Client.LocationHttpClient.<GetConnectionDataAsync>d__6.MoveNext() 
11:18:09.731245 --- End of stack trace from previous location where exception was thrown --- 
11:18:09.731245 at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) 
11:18:09.731245 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) 
11:18:09.731245 at Microsoft.VisualStudio.Services.Client.VssServerDataProvider.<ConnectAsync>d__39.MoveNext() 
11:18:09.731245 --- End of stack trace from previous location where exception was thrown --- 
11:18:09.731245 at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) 
11:18:09.731245 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) 
11:18:09.731245 at Microsoft.TeamFoundation.DistributedTask.Agent.Common.ConnectionHelper.GetConnection(Uri serverUri, VssCredentials credentials) 
11:18:09.731245 at Microsoft.TeamFoundation.DistributedTask.Agent.JobWriter.StartJob() 
11:18:09.731245 --------------------------------------------------------------------------- 

运行交互或作为服务没什么区别。我已经将构建代理的服务用户列为“代理池服务帐户”角色的成员。

我相信这是有问题的请求：

GET https://tfs:8443/tfs/DefaultCollection/_apis/connectionData?connectOptions=IncludeServices&lastChangeId=-1&lastChangeId64=-1 HTTP/1.1 
User-Agent: VSServices/14.102.25423.0 (VsoAgent.exe) VsoAgent.exe/1.95.3 
Accept-Language: en-US, nb-NO 
X-TFS-FedAuthRedirect: Suppress 
X-TFS-Session: 7a2e6368-a564-4231-bbd6-xxxxxxxxxx 
X-VSS-Agent: VSS: b5d9c453-017f-407c-ac00-b479d0d0e8ed 
Authorization: [huge bytesequence] 
Host: tfs:8443 
Accept-Encoding: gzip 

这是用401我自己的管理用户的回报却是能够加载此URI就好了。

我自己的管理员用户是我设置代理时使用的用户。我也尝试从这个用户交互式启动vsoagent.exe ...但没有去。在行之间进行阅读（并查看一些角色），有一位用户将运行代理的计算机的名称删除。我想这个用户是最初创建的，并且是实际使用的用户。我如何才能控制这种情况？

编辑：如果我从没有包括在“代理池服务帐户”的池的列表中的用户身份运行vsoagent.exe交互，那么代理商立即犯错了与Access denied. admrunem needs Listen permissions for pool Regular to perform the action. For more information, contact the Team Foundation Server administrator.。在列表中添加admrunem让我进一步了解了一点，即我试图诊断的错误消息（“未授权”异常）。注意：此时它使用NTLM授权，然后致命的呼叫似乎切换到OAUTH。

Answer 1

1. 确保运行代理的帐户位于“代理池服务帐户”角色中。

2. 确保在集合中设置了队列（https://your-tfs-server:8080/tfs/your-collection/_admin/_AgentQueue）。如果不是 - 选择“新队列..”并选择现有队列。

3. 请确保您完全按照this article部署Windows构建代理。
4. 尝试更改作为构建代理服务帐户组成员的域帐户并且属于“代理池服务帐户”角色，以查看代理是否可以工作。

Answer 2

检查是否在Team Foundation Server IIS网站上启用了“Windows身份验证”。这解决了我们的问题。