I’m trying to setup TFS Lab Management on a new server and I ran into a really weird issue trying to configure it that I figured I’d share the solution to in case anybody else encountered it.
This was a brand new machine, I installed Windows Server 2008 R2, all the Windows Updates, joined the machine to the domain, then started running through the Lab Management Install Guide: Configuring Lab Management for the First Time
I had a previously created Domain Account called TFSLAB created specifically to be used by Lab Management. I logged into the server as this account and installed Hyper-V, SCVMM Server, and SCVMM Admin Console. I setup SCVMM to use TFSLAB as it’s service account. At this point everything looked OK.
I remoted into my TFS Server, installed SCVMM Admin Console and fired up TFS Admin Console to try and configure Lab Management (logged in as my own personal domain account which is a TFS Admin, local admin on both the TFS box and the SCVMM box, and I had made a SCVMM admin). This is where problems started to occur.
In the Lab Management Config Wizard (launched from TFS Admin) I enter the machine name of our SCVMM machine and click the handy Test button. What I expect to happen here is it will connect to SCVMM and add the TFS Service Account (in this case a domain account called TFSSERVICE) as a SCVMM Admin. I get prompted for credentials which have SCVMM Admin rights, which is a little strange as I’m logged in as my domain account which is already a SCVMM admin. I try entering the TFSLAB credentials and it just keeps prompting me over and over for credentials. When I eventually hit Cancel to put a stop to that madness it shows an error and won’t let me continue with the Configuration Wizard:
“TF260078: Team Foundation Server could not connect to the System Center Virtual Machine Manager Server: lab.mydomain.local. More information for administrator: You cannot contact the Virtual Machine Manager server. The credentials provided have insufficient privileges on lab.mydomain.local. (Error ID: 1605)”
After some investigation I discovered that I can’t launch the SCVMM Admin Console under any user account other than TFSLAB (regardless of whether I’m trying to do it directly on the SCVMM server or elsewhere). It gives me an error about insufficient privileges:
“You cannot contact the Virtual Machine Manager server. The credentials provided have insufficient privileges on localhost. Ensure that your account has access to the Virtual Machine Manager server localhost, and then try the operation again. ID: 1605”
At this point I was confused as heck, as my user account was clearly a SCVMM admin and I couldn’t figure out what was going on. I figured I’d probably screwed something up during the install so wiped the SCVMM server, and started from scratch. A day later and I ended up in the exact same spot, so it ruled out any obvious stupidity on my part.
After working with Microsoft support, and manually examining network trace logs, we discovered that the SCVMM server (running under its Service Account: TFSLAB) is requesting a specific permission from Active Directory and getting denied. We found a relevant KB article: KDC_ERR_C_PRINCIPAL_UNKNOWN Returned in S4U2Self Request
Don’t ask me what exactly is going on here, because we’re getting into low-level stuff that is over my head. But my understanding is that the SCVMM Service Account (TFSLAB) is trying to do something as a different account (DSMITH, the account I’m trying to login to SCVMM Admin Console as) and AD isn’t allowing it do something on behalf of the other user account.
The resolution suggested in that KB article ended up resolving my issues, we had to get a Domain Admin to add the TFSLAB account to the Windows Authorization Access Group. Restarted the service, and now I can login to the SCVMM Admin Console as any user that has been setup as a SCVMM Admin, and the TFS Lab Management Configuration Wizard works properly.
Summary: Your SCVMM Service Account needs to be added to the Windows Authorization Access Group in Active Directory by a Domain Admin.