How to resolve Tee clc authorization error

Question

I am trying to run tf wrokspaces command for my existing workspace, so I can use it in jetbrains rider as suggested below Jetbrains Rider Article

When I run the command I always get below error,

"TF31003: Either you have not entered the necessary credentials or your user account does not have permission to connect to the Team Foundation Server at https://tfs.app.visualstudio.com/. Ask your server administrator to add the appropriate permissions to your account.

TF400813: The user 'Windows Live ID\xxxxxxxxxx' is not authorized to access this resource.
com.microsoft.tfs.core.exceptions.TFSAccessException: You do not have permission to access the server."

I have all the necessary permission(i.e. Administrator) on tfs server to run tf workspaces command. 

In the log file of tee clc,

"2020-09-10 16:14:13,252 INFO  [main] (com.microsoft.tfs.core.telemetry.TfsTelemetryHelper) Command Line Client v.14.134.0.201804261732
2020-09-10 16:14:13,252 INFO  [main] (com.microsoft.tfs.core.telemetry.TfsTelemetryHelper) AppInsights telemetry initialized
2020-09-10 16:14:13,252 INFO  [main] (com.microsoft.tfs.core.telemetry.TfsTelemetryHelper)     Developer Mode: false
2020-09-10 16:14:13,252 INFO  [main] (com.microsoft.tfs.core.telemetry.TfsTelemetryHelper)     Production Environment: true
2020-09-10 16:14:13,425 INFO  [main] (com.microsoft.alm.provider.UserPasswordCredentialProvider) Getting credential that works for uri: https://xxxxx.visualstudio.com/
2020-09-10 16:14:13,425 INFO  [main] (com.microsoft.alm.provider.UserPasswordCredentialProvider) Getting credential based on OAuth2 token
2020-09-10 16:14:13,426 INFO  [main] (com.microsoft.alm.auth.oauth.OAuth2Authenticator) Ready to launch browser flow to retrieve oauth2 token.
2020-09-10 16:14:13,426 INFO  [main] (com.microsoft.alm.auth.oauth.OAuth2Authenticator) Attempt to use oauth2-useragent provider: JavaFx
2020-09-10 16:14:13,427 INFO  [main] (com.microsoft.alm.auth.oauth.OAuth2Authenticator) Using oauth2-useragent providers to retrieve AAD token.
2020-09-10 16:14:52,003 INFO  [main] (com.microsoft.alm.provider.UserPasswordCredentialProvider) Username exist? true, password exists? true
2020-09-10 16:14:52,089 INFO  [main] (com.microsoft.tfs.core.config.httpclient.DefaultHTTPClientFactory) HttpClient configured for https://xxxxxx.visualstudio.com/, authenticating as OAuth2
2020-09-10 16:14:53,186 WARN  [main] (com.microsoft.tfs.core.httpclient.HttpMethodDirector) Unable to respond to any of these challenges: {bearer=Bearer authorization_uri=https://login.microsoftonline.com/12fb99fd-4c12-44fb-b3ce-a12ca5aadf63, tfs-federated=TFS-Federated}
2020-09-10 16:14:53,929 WARN  [main] (com.microsoft.tfs.core.TFSTeamProjectCollection) Error getting data provider
com.microsoft.tfs.core.exceptions.TFSAccessException: You do not have permission to access the server.

TF31003: Either you have not entered the necessary credentials or your user account does not have permission to connect to the Team Foundation Server at https://tfs.app.visualstudio.com/. Ask your server administrator to add the appropriate permissions to your account.

TF400813: The user 'Windows Live ID\xxxxx' is not authorized to access this resource.
    at com.microsoft.tfs.core.exceptions.mappers.TECoreExceptionMapper.map(TECoreExceptionMapper.java:84)
    at com.microsoft.tfs.core.exceptions.mappers.RegistrationExceptionMapper.map(RegistrationExceptionMapper.java:18)
    at com.microsoft.tfs.core.clients.registration.RegistrationData.newFromServer(RegistrationData.java:61)
    at com.microsoft.tfs.core.clients.registration.RegistrationClient.getRegistrationData(RegistrationClient.java:617)
    at com.microsoft.tfs.core.clients.registration.RegistrationClient.getRegistrationEntries(RegistrationClient.java:144)
    at com.microsoft.tfs.core.clients.registration.RegistrationClient.getRegistrationEntries(RegistrationClient.java:129)
    at com.microsoft.tfs.core.PreFrameworkServerDataProvider.findServiceLocation(PreFrameworkServerDataProvider.java:275)
    at com.microsoft.tfs.core.PreFrameworkServerDataProvider.locationForCurrentConnection(PreFrameworkServerDataProvider.java:251)
    at com.microsoft.tfs.core.TFSTeamProjectCollection.getServerDataProvider(TFSTeamProjectCollection.java:172)
    at com.microsoft.tfs.core.TFSConnection.getWebService(TFSConnection.java:903)
    at com.microsoft.tfs.core.config.client.DefaultClientFactory$7.newClient(DefaultClientFactory.java:208)
    at com.microsoft.tfs.core.config.client.DefaultClientFactory.newClient(DefaultClientFactory.java:86)
    at com.microsoft.tfs.core.TFSConnection.getClient(TFSConnection.java:1490)
    at com.microsoft.tfs.core.TFSTeamProjectCollection.getVersionControlClient(TFSTeamProjectCollection.java:376)
    at com.microsoft.tfs.client.clc.vc.commands.CommandWorkspaces.displayAndUpdate(CommandWorkspaces.java:295)
    at com.microsoft.tfs.client.clc.vc.commands.CommandWorkspaces.run(CommandWorkspaces.java:93)
    at com.microsoft.tfs.client.clc.Application.run(Application.java:306)
    at com.microsoft.tfs.client.clc.Application.run(Application.java:154)
    at com.microsoft.tfs.client.clc.vc.Main.main(Main.java:55)
2020-09-10 16:14:53,932 ERROR [main] (com.microsoft.tfs.client.clc.Application) An error occurred: You do not have permission to access the server.

TF31003: Either you have not entered the necessary credentials or your user account does not have permission to connect to the Team Foundation Server at https://tfs.app.visualstudio.com/. Ask your server administrator to add the appropriate permissions to your account.

TF400813: The user 'Windows Live ID\xxxxxxxx' is not authorized to access this resource.
com.microsoft.tfs.core.exceptions.TFSAccessException: You do not have permission to access the server.

TF31003: Either you have not entered the necessary credentials or your user account does not have permission to connect to the Team Foundation Server at https://tfs.app.visualstudio.com/. Ask your server administrator to add the appropriate permissions to your account.

TF400813: The user 'Windows Live ID\xxxxxxxx' is not authorized to access this resource.
    at com.microsoft.tfs.core.exceptions.mappers.TECoreExceptionMapper.map(TECoreExceptionMapper.java:84)
    at com.microsoft.tfs.core.exceptions.mappers.RegistrationExceptionMapper.map(RegistrationExceptionMapper.java:18)
    at com.microsoft.tfs.core.clients.registration.RegistrationData.newFromServer(RegistrationData.java:61)
    at com.microsoft.tfs.core.clients.registration.RegistrationClient.getRegistrationData(RegistrationClient.java:617)
    at com.microsoft.tfs.core.clients.registration.RegistrationClient.getRegistrationEntries(RegistrationClient.java:144)
    at com.microsoft.tfs.core.clients.registration.RegistrationClient.getRegistrationEntries(RegistrationClient.java:129)
    at com.microsoft.tfs.core.PreFrameworkServerDataProvider.findServiceLocation(PreFrameworkServerDataProvider.java:275)
    at com.microsoft.tfs.core.PreFrameworkServerDataProvider.locationForCurrentConnection(PreFrameworkServerDataProvider.java:251)
    at com.microsoft.tfs.core.TFSTeamProjectCollection.getServerDataProvider(TFSTeamProjectCollection.java:172)
    at com.microsoft.tfs.core.TFSConnection.getWebService(TFSConnection.java:903)
    at com.microsoft.tfs.core.config.client.DefaultClientFactory$7.newClient(DefaultClientFactory.java:208)
    at com.microsoft.tfs.core.config.client.DefaultClientFactory.newClient(DefaultClientFactory.java:86)
    at com.microsoft.tfs.core.TFSConnection.getClient(TFSConnection.java:1490)
    at com.microsoft.tfs.core.TFSTeamProjectCollection.getVersionControlClient(TFSTeamProjectCollection.java:376)
    at com.microsoft.tfs.client.clc.vc.commands.CommandWorkspaces.displayAndUpdate(CommandWorkspaces.java:295)
    at com.microsoft.tfs.client.clc.vc.commands.CommandWorkspaces.run(CommandWorkspaces.java:93)
    at com.microsoft.tfs.client.clc.Application.run(Application.java:306)
    at com.microsoft.tfs.client.clc.Application.run(Application.java:154)
    at com.microsoft.tfs.client.clc.vc.Main.main(Main.java:55)
2020-09-10 16:14:53,933 INFO  [main] (com.microsoft.tfs.client.clc.vc.Main) Shutting down
2020-09-10 16:14:53,934 INFO  [main] (com.microsoft.tfs.client.clc.vc.Main) Has shut down"

To verify the tee clc is installed and working properly, I created the new organization and run the same workspaces command. It works well with new organization. Also from visual studio I am able to use my existing workspace without any problem.

Can you please help how to resolve the authorization problem?

Thanks!

score 0 · Accepted Answer · answered Sep 11 '20 at 06:34

0

To narrow down the issue, please check the following items:

Check the whether your organization backed in AAD, the login account is Windows Live ID\xxxxx or AAD\xxxxx.
Close all Visual Studio instances, delete %LOCALAPPDATA%\.IdentityService, and clear DevOps caches %LOCALAPPDATA%\Microsoft\Team Foundation\x.0\Cache.
Create a new workspace for this organization/Project to see how's the result.

answered Sep 11 '20 at 06:34

Cece Dong - MSFT

29,631
1
24
39

I tried option number 2 and 3, and result are same. I checked login account is AAD\xxxxx as it shows on AAD/Member. The thing is my windows live id is registered in organization AAD member. How can I force tee clc to take my windows live id as AAD/member and does not take as windows Live ID \xxxxx ? – Namit Shah Sep 13 '20 at 17:17
Try the following items: 1. Close all browsers, including browsers that aren't running Azure DevOps. 2. Open a private or incognito browsing session. 3. Go to this URL: https://aka.ms/vssignout. You see a message that says, "Sign out in progress." After you sign out, you're redirected to the Azure DevOps @dev.azure.microsoft.com webpage. 4. Sign in to Azure DevOps again. Select your other identity. – Cece Dong - MSFT Sep 14 '20 at 02:05
I followed your steps, still results are same. I am still not able to execute workspaces command. Any other suggestion ? How can I found the actual problem? Is there anyway I can help you to diagnostic this problem ? – Namit Shah Sep 14 '20 at 05:34
Can you share your command? Do you use OAuth token to access the DevOps? Please use OAuth token to run the command below: `tf workspaces /collection:https://dev.azure.com/xxx /loginType:OAuth /login:.,***`. – Cece Dong - MSFT Sep 14 '20 at 05:51
Yes Sure. I am executing command : "tf.cmd workspaces -collection:https://xxxx.visualstudio.com" after that browser window will open to ask username and then password. On the browser window I can see it using OAuth2 as authentication type. After that browser window closed automatically and I get error. Also you can see in the tee clc log I posted in question it clearly says Oauth2 authentication is used and successful. Also in workspaces command there is no /LoginType switch available. – Namit Shah Sep 14 '20 at 06:14
I'm not able to reproduce your issue on my side, do you use the latest TEE 14.134.0 (github.com/Microsoft/team-explorer-everywhere/releases)? In addition, you mentioned it worked in the new organization you created, do you use Windows Live ID or AAD account? Could you try with other account in the old organization to see whether it can connect to DevOps? And try running the command from other client machine to see whether you can reproduce this issue. – Cece Dong - MSFT Sep 14 '20 at 08:00
At last I am able to produce the same problem in my new organization. Looks like problem is started when windows live id connected to organization active directory. At that time tee clc does not able to differentiate that its windows live Id or AAD login. Tee clc go for windows live id and finds out user is not authorized and displayed above error. let me know are you able to reproduce the error ? and any work around for this problem ? – Namit Shah Sep 17 '20 at 05:01
What's the meaning of "windows live id connected to organization active directory"? You may create an AAD account, and use this account to connect DevOps when run TEE command line. – Cece Dong - MSFT Sep 17 '20 at 06:39
"windows live id connected to organization active directory"? Meaning is Existing windows live id added in organizations active directory. As I understand from this link https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/faq-azure-access?view=azure-devops#q-why-do-i-have-to-choose-between-a-work-or-school-account-and-my-personal-account my personal account and organization account both have same name but different set of permissions and identities. so tee clc not able to differentiate and go for personal account and don't find access. Please correct it if I am wrong. – Namit Shah Sep 18 '20 at 05:19
Yes, I agree with you. So I suggest you create an AAD account, and use this account to connect DevOps when run TEE command line. – Cece Dong - MSFT Sep 18 '20 at 05:50
sorry for late reply, Yes It did resolved the problem. Thanks for all your help. Appreciated. – Namit Shah Sep 28 '20 at 17:09

How to resolve Tee clc authorization error

1 Answers1