Wednesday, 8 June 2016

Deploying to an Untrusted Domain–TFS 2015 Release Management Service

To set up an agent (build/release agent) in an untrusted domain, follow the steps below.

1. Create a local user on the TFS App Tier machine, say rmshadowagent.


2. Navigate to the TFS control panel at http://yourtfs:8080/tfs/_admin/_AgentPool and create a new agent pool. Then download the agent.zip file and keep it, so that it can be copied over to the target agent machine.

3. Select the agent pool and click on Roles. Add the local user (rmshadowagent) created on the TFS App Tier to the “Agent Pool Administrators” role by clicking Add and then “Add Windows user or group”.


4. Add the same user to the “Agent Pool Service Accounts” role for the selected pool.

5. Copy the downloaded agent.zip over to the untrusted domain machine (the agent machine). This machine must have access to your TFS URL. This can be achieved by exposing your TFS over the internet; a machine with an internet connection that can reach the TFS URL can then be an agent. Create a folder for your agent, for example C:\DeployAgent\Web, and extract agent.zip to it.


6. Create a working folder on the agent machine for the agent.

7. On the agent machine, if any credentials are remembered in the control panel for the TFS URL, remove them. This makes sure that you can provide credentials when configuring the agent.


8. On the agent machine, create a user with the same user name, say “rmshadowagent”, and the same password that you created on the TFS App Tier. (Add this user to the Administrators group on the agent machine to allow it to perform any activity on the machine as a deployment agent.)

9. Run a command prompt as administrator on the agent machine and change the directory to the extracted agent folder. Then execute ConfigureAgent.cmd and provide the parameters to configure:

  • Name for the agent
  • TFS url – https://yourtfs/tfs
  • Agent pool name
  • Agent working directory path
  • Install agent as service – y
  • Instead of Network Service for the service user – provide .\rmshadowagent
  • Provide the password for the rmshadowagent

10. Once you click OK, the error below is shown. However, the agent is configured and available to use in the pool.

TF14045: The identity with type 'System.Security.Principal.WindowsIdentity' and
identifier 'S-1-5-21-1292816864-2021176197-253083057-1013' could not be found.

With this agent in the untrusted domain, the build output gets downloaded successfully, confirming that the agent is running fine.
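Steps 5 to 8 on the agent machine can be scripted. The PowerShell below is an added example, not part of the original post; it assumes Windows PowerShell 5.1, English-language cmdkey output, and the hypothetical paths C:\Temp\agent.zip and C:\DeployAgent\Work. It stops before step 9, because ConfigureAgent.cmd prompts for its values interactively.

```powershell
#Requires -RunAsAdministrator
# Added example: prepares the agent machine (steps 5-8 of the post).
param(
    [string]$AgentZip   = 'C:\Temp\agent.zip',    # assumption: where agent.zip was copied
    [string]$AgentDir   = 'C:\DeployAgent\Web',   # agent folder from step 5
    [string]$WorkDir    = 'C:\DeployAgent\Work',  # assumption: working folder for step 6
    [string]$TfsHost    = 'yourtfs',              # placeholder host name used in the post
    [int]   $TfsPort    = 443,                    # step 9 uses https://yourtfs/tfs
    [string]$ShadowUser = 'rmshadowagent'
)
$ErrorActionPreference = 'Stop'

# Step 5 precondition: the agent machine must be able to reach the TFS URL.
if (-not (Test-NetConnection -ComputerName $TfsHost -Port $TfsPort).TcpTestSucceeded) {
    throw "Cannot reach ${TfsHost}:${TfsPort}; fix connectivity before configuring the agent."
}

# Steps 5 and 6: extract the agent and create its working folder.
New-Item -ItemType Directory -Path $AgentDir, $WorkDir -Force | Out-Null
Expand-Archive -Path $AgentZip -DestinationPath $AgentDir -Force

# Step 7: remove credentials remembered for the TFS host (current user's store),
# so that ConfigureAgent.cmd prompts for them instead of reusing old ones.
$stored = cmdkey /list |
    Select-String -Pattern '^\s*Target:\s*(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() } |
    Where-Object { $_ -like "*$TfsHost*" }
foreach ($target in $stored) {
    Write-Host "Removing stored credential: $target"
    cmdkey "/delete:$target" | Out-Null
}

# Step 8: create the shadow account. Name AND password must match the local
# account created on the TFS App Tier, so the password is prompted, not stored.
if (-not (Get-LocalUser -Name $ShadowUser -ErrorAction SilentlyContinue)) {
    $password = Read-Host -AsSecureString "Password for $ShadowUser (same as on the App Tier)"
    New-LocalUser -Name $ShadowUser -Password $password `
        -Description 'TFS agent shadow account' | Out-Null
}
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.Name -eq "$env:COMPUTERNAME\$ShadowUser" }
if (-not $admins) {
    Add-LocalGroupMember -Group 'Administrators' -Member $ShadowUser
}

Write-Host "Ready. Run ConfigureAgent.cmd from $AgentDir (step 9); work folder: $WorkDir"
```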


2 comments:

Cronje van Heerden said...

Thanks for posting this. I was perplexed at how the web-based Release Management was going to work until it clicked that the Build and Deployment agent functionality has been unified.

The agent I tried to install on my workstation connected as expected after following the posted steps, but the agent marked "red" instead of "green" in the TFS Agent pool.

The local agent logs show the following message " System.Net.Sockets.SocketException: A connection attempt failed ... " which I suspect may be related to accessing the TFS instance over a DirectAccess VPN.

Chaminda Chandrasekara said...

Hi, sorry for the delayed reply... Make sure to add the shadowuser to the administrators group and then reconfigure the agent. This should take the agent to green.