Security Problem with Accessing Work Items

I have a security problem with accessing work items.

I have created a team project based on a customized project template. Among other things, there are a "Defect" work item and two team queries, "All Defects" and "Active Defects".

MyProject > "Team Project Settings" > "Group Membership..." context menu item shows the "Project Groups on MyProject" dialog with the list of the team project groups, including [MyProject]\All, which includes another team project group, [MyProject]\Developers, which includes a Windows user, MyDomain\John.

MyProject > "Team Project Settings" > "Security..." context menu item shows the "Project Security" dialog with the list of the team project groups and their permissions; in particular, the above-mentioned [MyProject]\All and [MyProject]\Developers groups both have the "Edit project-level information" and "View project-level information" permissions allowed.

MyProject > "Team Project Settings" > "Areas and Iterations..." context menu item shows the "Areas and Iterations" dialog with only one (root) Area, and clicking the "Security..." button shows the list of the team project groups and their permissions for the root area; in particular, the above-mentioned [MyProject]\All group has all the permissions ("Create and order child nodes", "Delete this node", "Edit this node", "Edit work items in this node", "View this node" and "View work items in this node") allowed.

However, the above-mentioned user MyDomain\John can neither add new defects (work items of type "Defect") nor even view existing defects with the above-mentioned "All Defects" and "Active Defects" team queries. The first question is: why? What is wrong with the security settings here? By the way, adding MyDomain\John directly into the [MyProject]\"Project Administrators" group did (temporarily) solve the problem, but John should not be a project administrator...

Moreover, I have one more issue of the same kind... Being a real project administrator myself, I can view a particular defect listed in the "All Defects" query results, but the same defect did not appear in the results of the "Active Defects" query, though it had the "Assigned to Developer" state that is included in the "Active Defects" query definition... The defect did appear in the "Active Defects" query result on the next day, but I do not want to wait a whole day for the results to be current! So the second question is: what should I do so that my query results are always fresh (up-to-date)?

Thank you very much in advance.




  • kalprin

    What I mean here is that [MyProject]\Developers should be in some group which has the Edit permission denied. The group might be bigger than [MyProject]\All. For example, maybe some group for the whole server.

    The Administrator group has the Edit permission, which means any groups it is in must have no deny. So you don't need to check them.

    Hope I explained it clearly this time.

    Thanks.



  • MehrdadDotNetOK

    I think I would check permissions with a free tool called TFS Permissions Manager, which is pretty straightforward to use. Here you have more info about that: http://blogs.microsoft.co.il/files/folders/leon/entry5018.aspx. It will be easier than command line tools.

  • Shilei

    I've found only two combinations of Event ID and TFS error code among the warnings and errors of "Work Item Tracking" source. The first one, with Event ID = 3000, and TFS error code TF53010, looks like this:

    Event Viewer wrote:
    Event Type: Error
    Event Source: TFS WorkItem Tracking
    Event Category: None
    Event ID: 3000
    Date: 11/28/2006
    Time: 6:58:27 PM
    User: N/A
    Computer: MyTFServer
    Description:
    TF53010: An unexpected condition has occurred in a Team Foundation component. The information contained here should be made available to your site administrative staff.
    Technical Information (for the administrative staff):
    Date (UTC): 11/28/2006 3:58:27 PM
    Machine: MyTFServer
    Application Domain: /LM/W3SVC/3/Root/WorkItemTracking-1-128091788309821250
    Assembly: Microsoft.TeamFoundation.WorkItemTracking.Server.DataServices, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a; v2.0.50727
    Process Details:
    Process Name: w3wp
    Process Id: 8780
    Thread Id: 9500
    Account name: MyDomain\User1

    Detailed Message: TF51334: An unknown Web service error occurred: The remote host closed the connection. The error code is 0x80072746.. Check the Event Log for more information.
    Web Request Details
    Url: http://MyTFServer:8080/WorkItemTracking/v1.0/AttachFileHandler.ashx?FileID=3610&FileName=Universal Management Console.vsd [method: GET]
    User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.03; WinFX RunTime 3.0.50727)
    Headers: Connection=Keep-Alive&Accept=*%2f*&Accept-Encoding=gzip%2c+deflate&Host=MyTFServer%3a8080&User-Agent=Mozilla%2f4.0+(compatible%3b+MSIE+6.0%3b+Windows+NT+5.1%3b+SV1%3b+.NET+CLR+1.1.4322%3b+.NET+CLR+2.0.50727%3b+.NET+CLR+3.0.04506.30%3b+.NET+CLR+3.0.04506.03%3b+WinFX+RunTime+3.0.50727)
    Path: /WorkItemTracking/v1.0/AttachFileHandler.ashx
    Local Request: False
    Host Address: 192.168.128.44
    User: MyDomain\User1 [authentication type: NTLM]

    Exception Message: The remote host closed the connection. The error code is 0x80072746. (type HttpException)

    Exception Stack Trace: at System.Web.Hosting.ISAPIWorkerRequestInProcForIIS6.FlushCore(Byte[] status, Byte[] header, Int32 keepConnected, Int32 totalBodySize, Int32 numBodyFragments, IntPtr[] bodyFragments, Int32[] bodyFragmentLengths, Int32 doneWithSession, Int32 finalStatus, Boolean& async)
    at System.Web.Hosting.ISAPIWorkerRequest.FlushCachedResponse(Boolean isFinal)
    at System.Web.Hosting.ISAPIWorkerRequest.FlushResponse(Boolean finalFlush)
    at System.Web.HttpResponse.Flush(Boolean finalFlush)
    at System.Web.HttpWriter.WriteFromStream(Byte[] data, Int32 offset, Int32 size)
    at System.Web.HttpResponseStream.Write(Byte[] buffer, Int32 offset, Int32 count)
    at Microsoft.TeamFoundation.WorkItemTracking.Server.DalGetFileAttachment.JoinBatchGetFileAttachment(HttpResponse response, Byte[] pointer, Int32 fileLength)
    at Microsoft.TeamFoundation.WorkItemTracking.Server.DataAccessLayerImpl.GetAndSendFileAttachment(String attachmentServerName, String attachmentDatabaseName, HttpResponse response, String fileGuid)
    at Microsoft.TeamFoundation.WorkItemTracking.Server.AttachmentDownloadHandler.ProcessRequest(HttpContext context)

    The second one, with Event ID = 3056, and TFS error code TF53010, looks like this:

    Event Viewer wrote:
    Event Type: Error
    Event Source: TFS WorkItem Tracking
    Event Category: None
    Event ID: 3056
    Date: 12/12/2006
    Time: 12:25:44 PM
    User: N/A
    Computer: MyTFServer
    Description:
    TF53010: An unexpected condition has occurred in a Team Foundation component. The information contained here should be made available to your site administrative staff.
    Technical Information (for the administrative staff):
    Date (UTC): 12/12/2006 9:25:44 AM
    Machine: MyTFServer
    Application Domain: /LM/W3SVC/3/Root/WorkItemTracking-1-128103891281718750
    Assembly: Microsoft.TeamFoundation.WorkItemTracking.Server.DataServices, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a; v2.0.50727
    Process Details:
    Process Name: w3wp
    Process Id: 6624
    Thread Id: 6716
    Account name: MyDomain\User2

    Detailed Message: LookupRule: Could not find user for the SID.
    Exception Message: LookupRule: Could not find user for the SID. (type ValidationException)

    Exception Stack Trace: at Microsoft.TeamFoundation.WorkItemTracking.Server.SqlAccess.HandleDalError(Exception e)
    at Microsoft.TeamFoundation.WorkItemTracking.Server.SqlAccess.ExecuteBatchPayloadImpl(IRequestContext context, String sqlBatch, List`1 parameterList, Boolean& errorOnBulkUpdate, String connectionString)
    at Microsoft.TeamFoundation.WorkItemTracking.Server.SqlBatchBuilder.ExecuteBatchInternal(IRequestContext context, Boolean passInConnectionInfo, String server, String database)
    at Microsoft.TeamFoundation.WorkItemTracking.Server.DataAccessLayerImpl.UpdateImpl(String serverName, String databaseName, String attachmentServer, String attachmentDatabase, XmlElement updateElement, MetadataTable[] tablesRequested, Int64[] rowVersions, Payload metadataPayload, Boolean bisNotification, String& dbStamp, Boolean bulkUpdate, Boolean& bulkUpdateSuccess, String userSid)
    at Microsoft.TeamFoundation.WorkItemTracking.Server.DataAccessLayerImpl.Update(String serverName, String databaseName, String attachmentServer, String attachmentDatabase, XmlElement updateElement, MetadataTable[] tablesRequested, Int64[] rowVersions, Payload metadataPayload, Boolean bisNotification, String& dbStamp, String userSid)
    at Microsoft.TeamFoundation.WorkItemTracking.Server.ProcessSecurityEventMessage.ExecuteBatch(String updateXml)
    at Microsoft.TeamFoundation.WorkItemTracking.Server.ProcessSecurityEventMessage.Process()
    at Microsoft.TeamFoundation.WorkItemTracking.Server.SecurityEventMessage.Process()
    at Microsoft.TeamFoundation.WorkItemTracking.Server.EventMessageHandler.ProcessSecurity(Int32 seqId)
    at Microsoft.TeamFoundation.WorkItemTracking.Server.EventMessageHandler.ProcessSecurityEvent()

    Inner Exception Details:

    Exception Message: LookupRule: Could not find user for the SID. (type SqlException)
    SQL Exception Class: 11
    SQL Exception Number: 600152
    SQL Exception Procedure: LookupRule
    SQL Exception Line Number: 168
    SQL Exception Server: MyTFServer
    SQL Exception State: 1
    SQL Error(s):

    Exception Data Dictionary:
    HelpLink.ProdName = Microsoft SQL Server
    HelpLink.ProdVer = 09.00.2047
    HelpLink.EvtSrc = MSSQLServer
    HelpLink.EvtID = 600152
    HelpLink.BaseHelpUrl = http://go.microsoft.com/fwlink
    HelpLink.LinkId = 20476

    Exception Stack Trace: at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
    at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection)
    at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
    at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
    at System.Data.SqlClient.SqlDataReader.HasMoreResults()
    at System.Data.SqlClient.SqlDataReader.NextResult()
    at Microsoft.TeamFoundation.WorkItemTracking.Server.PayloadTableCollection.Populate(SqlDataReader reader)
    at Microsoft.TeamFoundation.WorkItemTracking.Server.SqlAccess.ExecuteBatchPayloadImpl(IRequestContext context, String sqlBatch, List`1 parameterList, Boolean& errorOnBulkUpdate, String connectionString)

    What else should I do? Thank you.


  • captainsina

    JYL> You can check any ancestral groups of [MyProject]\Developers to see if any of them has the permissions denied.

    As was mentioned in my original message, the group-and-user hierarchy for my case is: [MyProject]\All includes [MyProject]\Developers, which includes MyDomain\John. The two groups both have the "Edit project-level information" and "View project-level information" permissions allowed, and nothing denied on the project level. Besides, the [MyProject]\All group has all the permissions ("Create and order child nodes", "Delete this node", "Edit this node", "Edit work items in this node", "View this node" and "View work items in this node") allowed, and nothing denied on the only area level. What else should I check?

    JYL> ...You can ignore the common ancestral groups of the two.

    Sorry I didn't understand this recommendation, please, paraphrase it.

    JYL> You can click the "Run Query" button, which looks like a form with a green triangle. The result will be refreshed.

    Thanks, it worked!


  • Billr17

    Thanks, Matt, your answer was the most informative and, I hope, the first real step to the solution of my problem.

    C:\...\Tools>TFSSecurity.exe /imx MyDomain\John /server:MyTFServer

    shows the following:

    TFSSecurity - Team Foundation Server Security Tool
    (C) Copyright 2006 Microsoft Corporation. All rights reserved.

    The target Team Foundation Server is MyTFServer.
    Resolving identity "MyDomain\John"...

    SID: S-1-5-21-2836816441-104769503-548545894-1781

    DN: CN=John,OU=Development,OU=MyCompany,DC=MyDomain,DC=MyCompany,DC=com

    Identity type: Windows user
    Logon name: MyDomain\John
    Display name: John

    Member of 3 group(s):
    e [SERVER]\Team Foundation Valid Users
      [MyProject]\All
      [MyProject]\Testers

    Done.

    So, as far as I see, everything is OK here.

    MH> The next thing to do is to check in the App Tier event log to see if there are any errors.

    I'm not sure which exact log I should check, but there are some warnings and errors in MyTFServer > Administrative Tools > Event Viewer > Application, from the following sources: TFS, TFS Services, TFS Warehouse, and TFS WorkItem Tracking. Should I check something specifically?

    MH> The final thing to check is the database itself.

    Well, the queries you've specified return the following values:

    GSSMaxIdentitySeqId = 1579
    WITMaxIdentitySeqId = 1579

    ---------------------------------------
    GSSMaxNodeSeqId = 374
    WITMaxNodeSeqId = 361

    ------------------------------------
    GSSMaxAclSeqId = 3529
    GSSMaxAclSeqId = 3519
    WITMaxAclSeqId = 3271

    If I understand right, I have some problems with the synchronization process... How can I fix this?

    Moreover, I had one more thread, http://forums.microsoft.com/msdn/showpost.aspx?postid=943697, where my last question, "is there a way to refresh the security cache manually?" (or "is there a way to force the security synchronization process?"), still remains unanswered, and now it seems both problems have the same cause, and possibly the same solution...

    Thanks in advance for everything.


  • CarlaC

    Well, let's see what these commands return...

    C:\...\Tools>TFSSecurity.exe /i MyDomain\John /server:MyTFServer
    TFSSecurity - Team Foundation Server Security Tool
    (C) Copyright 2006 Microsoft Corporation. All rights reserved.
    The target Team Foundation Server is MyTFServer.
    Resolving identity "MyDomain\John"...
    SID: S-1-5-21-2836816441-104769503-548545894-1781
    DN: CN=John,OU=Development,OU=MyCompany,DC=MyDomain,DC=MyCompany,DC=com
    Identity type: Windows user
    Logon name: MyDomain\John
    Display name: John
    Done.

    So, as far as I see, everything is OK here... Let's see further...

    C:\...\Tools>TFSSecurity.exe /acl MyDomain\John /server:MyTFServer
    TFSSecurity - Team Foundation Server Security Tool
    (C) Copyright 2006 Microsoft Corporation. All rights reserved.
    The target Team Foundation Server is MyTFServer.

    Retrieving the access control list for object "MyDomain\John"...
    Error: TF50608: Unable to retrieve information for security object MyDomain\John, it does not exist.

    Oops!.. Here it is! Something is wrong here, isn't it? Can you explain this? Why doesn't the security object MyDomain\John exist, if it is a member of [MyProject]\Developers, which is a member of [MyProject]\All, with all the required access rights, as was described earlier? What should I do next? Please help! Thank you in advance!

    P.S. TFSSecurity.exe /acl for the mentioned project groups [MyProject]\Developers and [MyProject]\All also returns the same error... Why?..


  • Matt354245

    Well, I've just checked permissions with the mentioned tool and... learned nothing new. My project groups, [MyProject]\All and [MyProject]\Developers, both have the "View project-level information" and "Edit project-level information" permissions allowed, and nothing denied. However, MyDomain\John cannot do anything in the project... Is there anybody who can help me? Who can tell me what I should check next to fix the problem? Making MyDomain\John a project administrator works fine, but it isn't a good decision, right?
  • Henny

    The [MyProject]\Developers group is a member of only two groups, [MyProject]\All (nothing is denied for it) and [Server]\Team Foundation Valid Users (again, nothing is denied for it either, as a similar project on the server works fine). What should I check next? Any ideas about the reasons? Thanks.
  • tt2lhp

    It does indeed look like this is a problem with the sync process between Work Item Tracking and GSS. You are looking at the correct part of the event log (Application). The most interesting errors and warnings will be from the TFS Work Item Tracking and TFS Services sources. If you double-click on an entry, it will bring up a dialog with details about the entry. On the upper right side of the dialog, below the up and down arrows, is a button that will copy the entry to the clipboard. Could you please copy one instance of each error with a different event number and post it?

    Hopefully this will help us track down where exactly the error is occurring.

    Matt Hoover

    Software Design Engineer

    Visual Studio Team Foundation


  • Raju Sreenivasan

    Stanislav,

    Sorry for your problems here. I'm going to get someone from the dev team to try and help you.

    Thanks,



  • rwilson06

    That second error message has significantly narrowed down the possibilities. Do any of these queries return non-zero results?

    If so, change the "select count(*) as ..." lines to "select *", and please send me the results via email. Once I know the properties of the accounts causing problems, I can give you the next step.

    thanks,

    Sam Heald - MSFT

    -- Identities the security service (GSS) knows about that work item tracking (WIT) never imported
    select count(*) as MissingIdentitiesFromADObjects
    from TfsIntegration..tbl_security_identity_cache
    where sid not in (select ObjectSID from TfsWorkitemTracking..ADObjects)

    -- Identities the security service knows about that WIT has no Constant for
    select count(*) as MissingIdentitiesFromConstants
    from TfsIntegration..tbl_security_identity_cache
    where sid not in (select SID from TfsWorkitemTracking..Constants)

    -- Identities WIT imported into ADObjects but never turned into Constants
    select count(*) as MissingADObjectsFromConstants
    from TfsWorkItemTracking..ADObjects
    where ObjectSID not in (select SID from TfsWorkitemTracking..Constants)

    -- Identities with live work-item ACLs newer than the last ACL WIT imported
    -- (3271 is the WITMaxAclSeqId reported above) that WIT has no Constant for
    select count(*) as MissingIdentitiesFromConstantsWithACLs
    from TfsIntegration..tbl_security_identity_cache id
    join TfsIntegration..tbl_security_acls acls
      on id.sid = acls.sid
     and acls.sequence_id > 3271
     and acls.action_id like '%WORK_ITEM%'
     and acls.deleted = 0
    where id.sid not in (select SID from TfsWorkitemTracking..Constants)

    -- The same, restricted to identities already marked deleted in the security service
    select count(*) as DeletedIdentitiesWithACLs
    from TfsIntegration..tbl_security_identity_cache id
    join TfsIntegration..tbl_security_acls acls
      on id.sid = acls.sid
     and acls.sequence_id > 3271
     and acls.action_id like '%WORK_ITEM%'
     and acls.deleted = 0
    where id.sid not in (select SID from TfsWorkitemTracking..Constants)
      and id.deleted = 1



  • Postman001

    You could also try running TFSSecurity (an admin command line tool to see the group memberships and effective permissions for an identity).

    TFSSecurity /i domain\user /server:<servername> will give you generic information about the domain\user identity, while

    TFSSecurity /acl domain\user /server:<servername> will give you the effective access control list for the identity.

    TFSSecurity can be found on the AT server. Please see http://msdn2.microsoft.com/en-us/library/ms252504(VS.80).aspx for more details. This may help you identify the issue.

    Hope this helps,



  • Lee John

    You can check any ancestral groups of [MyProject]\Developers to see if any of them has the permissions denied. Given the fact that the project administrator doesn't have the same issue, you can ignore the common ancestral groups of the two.

    For the second question, you can click the "Run Query" button, which looks like a form with a green triangle. The result will be refreshed.
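
    The ancestral-group check that Lee John describes here, and that kalprin restates above (a Deny on any group in the chain wins, and the groups shared with a user for whom things work can be skipped), as an added example; this is not code from the thread or from TFS. It models a small membership graph using the group names from the thread plus one hypothetical server-level group, [SERVER]\Contractors, carrying a Deny, to show how a deny above the project level stays invisible in the project's own Security dialogs. The ACEs and the extra group are constructed for the example.

```python
# Added example (not from the thread or from TFS): effective permission for a user
# in nested groups, with Deny overriding Allow anywhere in the chain, plus Lee John's
# shortcut of comparing the blocked user's ancestral groups against a working user's.
from collections import deque

# Constructed membership graph: identity -> groups it is a direct member of.
# [SERVER]\Contractors and its Deny are hypothetical; the rest follows the thread.
MEMBERSHIP = {
    r"MyDomain\John": {r"[MyProject]\Developers"},
    r"MyDomain\Admin": {r"[MyProject]\Project Administrators"},
    r"[MyProject]\Developers": {r"[MyProject]\All", r"[SERVER]\Contractors"},
    r"[MyProject]\Project Administrators": {r"[MyProject]\All"},
    r"[MyProject]\All": {r"[SERVER]\Team Foundation Valid Users"},
    r"[SERVER]\Contractors": {r"[SERVER]\Team Foundation Valid Users"},
}

# Constructed ACEs: (identity, permission) -> "Allow" or "Deny".
ACES = {
    (r"[MyProject]\All", "View work items in this node"): "Allow",
    (r"[MyProject]\All", "Edit work items in this node"): "Allow",
    (r"[MyProject]\Developers", "Edit project-level information"): "Allow",
    (r"[SERVER]\Contractors", "View work items in this node"): "Deny",  # hypothetical
}


def ancestors(identity):
    """Every group reachable from identity through nested membership."""
    seen, queue = set(), deque([identity])
    while queue:
        for group in MEMBERSHIP.get(queue.popleft(), ()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen


def effective(identity, permission):
    """Deny-overrides-allow across the identity and all of its ancestral groups.

    No administrator override is modelled: kalprin's argument assumes the groups
    an administrator sits in carry no Deny, which is what makes the differential
    check in groups_to_inspect() valid.
    """
    verdicts = {ACES.get((who, permission)) for who in {identity} | ancestors(identity)}
    if "Deny" in verdicts:
        return "Deny"
    if "Allow" in verdicts:
        return "Allow"
    return "NotSet"


def groups_to_inspect(broken_user, working_user):
    """Lee John's shortcut: ancestors of the blocked user, minus the ancestors
    shared with a user for whom the same permission works."""
    return ancestors(broken_user) - ancestors(working_user)


def find_denies(identity, permission):
    """Groups in the identity's chain that carry an explicit Deny on permission."""
    return sorted(g for g in ancestors(identity) if ACES.get((g, permission)) == "Deny")


if __name__ == "__main__":
    perm = "View work items in this node"
    print("John:", effective(r"MyDomain\John", perm))
    print("Admin:", effective(r"MyDomain\Admin", perm))
    print("Inspect:", sorted(groups_to_inspect(r"MyDomain\John", r"MyDomain\Admin")))
    print("Denies:", find_denies(r"MyDomain\John", perm))
```

    With the constructed data, John is denied "View work items in this node" through [SERVER]\Contractors while the administrator is allowed it, and the only groups worth opening are [MyProject]\Developers and [SERVER]\Contractors; every group the two users share ([MyProject]\All, [SERVER]\Team Foundation Valid Users) is skipped, which is the "ignore the common ancestral groups" recommendation captainsina asked to have paraphrased.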



  • KRISTER

    I can see two possible causes for this problem. The first is that work item tracking is not being correctly synced to the security system. The second is that the work item tracking system is not correctly evaluating permissions. It is most likely that the problem is the security system to work item tracking sync.

    Please try running:

    TFSSecurity.exe /imx MyDomain\John /server:MyTFServer

    This version of the command will also display all of the groups that MyDomain\John is a member of. This will verify what groups MyDomain\John is a member of, so that we can verify that he should be getting the permissions assigned to groups.

    The next thing to do is to check in the App Tier event log to see if there are any errors. This is to make sure that the Work Item Tracking system has synced the group information for the security system.

    The final thing to check is the database itself. If you open a query window in SQL management console against your data tier, and run the following select statements:

    -- Security service (GSS) side: last sequence id handed out for the identity stream
    select next_id - 1 as GSSMaxIdentitySeqId from TFSIntegration..tbl_sequence_ids where name = 'identity_cache'
    -- Work item tracking (WIT) side: last identity sequence id it has imported
    select max(seqid) as WITMaxIdentitySeqId from TFSWorkItemTracking..ADObjects

    -- Same comparison for classification (area/iteration) nodes
    select next_id - 1 as GSSMaxNodeSeqId from TFSIntegration..tbl_sequence_ids where name = 'css_node'
    select max(seqid) as WITMaxNodeSeqId from TFSWorkItemTracking..TreeNodes

    -- Same comparison for ACLs; the second GSS query counts only work-item ACLs
    select next_id - 1 as GSSMaxAclSeqId from TFSIntegration..tbl_sequence_ids where name = 'acl'
    select max(sequence_id) as GSSMaxAclSeqId from TfsIntegration..tbl_security_acls where action_id like '%WORK_ITEM%'
    select max(seqid) as WITMaxAclSeqId from TfsWorkItemTracking..Rules

    If sync is working correctly, the GSS and WIT sequence ids should match.

    --Matt Hoover

    Visual Studio Team Foundation

    Software Design Engineer
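
    The sequence-id comparison Matt Hoover asks for here, together with the "identities with work-item ACLs that WIT never picked up" check from Sam Heald's queries earlier on the page, as an added example; it is not code from the thread or from Microsoft. It runs the same logic against an in-memory SQLite stand-in for the tables (simplified names, since SQLite has no db..table syntax), seeded with the sequence ids reported in the thread and with made-up SIDs, and reads the ACL threshold from the WIT side instead of hard-coding 3271. Against a real data tier the equivalent statements are run read-only in Management Studio against TfsIntegration and TfsWorkItemTracking.

```python
# Added example (not from the thread or from Microsoft): GSS vs WIT sequence-id
# high-water marks, and the identities whose work-item ACLs WIT has not imported.
# The tables are an in-memory SQLite stand-in for TfsIntegration / TfsWorkItemTracking.
import sqlite3

# Constructed rows. Sequence ids mirror the values posted in the thread
# (identity 1579/1579, node 374/361, ACL 3529 / 3519 / 3271); the SIDs are made up.
GSS_SEQUENCE_IDS = [("identity_cache", 1580), ("css_node", 375), ("acl", 3530)]
GSS_IDENTITY_CACHE = [  # (sid, deleted)
    ("S-1-5-21-1-1-1-1781", 0),
    ("S-1-5-21-1-1-1-2002", 0),
    ("S-1-5-21-1-1-1-3003", 1),
]
GSS_ACLS = [  # (sid, sequence_id, action_id, deleted)
    ("S-1-5-21-1-1-1-1781", 3100, "WORK_ITEM_READ", 0),   # below WIT's mark: already synced
    ("S-1-5-21-1-1-1-2002", 3400, "WORK_ITEM_READ", 0),   # newer than anything WIT imported
    ("S-1-5-21-1-1-1-3003", 3519, "WORK_ITEM_WRITE", 0),  # newer, and identity deleted in GSS
    ("S-1-5-21-1-1-1-2002", 3450, "GENERIC_READ", 0),     # not a work-item ACL: ignored
]
WIT_ADOBJECTS = [(1579, "S-1-5-21-1-1-1-1781")]  # (seqid, ObjectSID)
WIT_TREENODES = [(361,)]                          # (seqid,)
WIT_RULES = [(3271,)]                             # (seqid,)
WIT_CONSTANTS = [("S-1-5-21-1-1-1-1781",)]        # (SID,)


def load():
    """Build the SQLite stand-in and seed it with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        create table tbl_sequence_ids (name text, next_id integer);
        create table tbl_security_identity_cache (sid text, deleted integer);
        create table tbl_security_acls (sid text, sequence_id integer, action_id text, deleted integer);
        create table ADObjects (seqid integer, ObjectSID text);
        create table TreeNodes (seqid integer);
        create table Rules (seqid integer);
        create table Constants (SID text);
    """)
    con.executemany("insert into tbl_sequence_ids values (?, ?)", GSS_SEQUENCE_IDS)
    con.executemany("insert into tbl_security_identity_cache values (?, ?)", GSS_IDENTITY_CACHE)
    con.executemany("insert into tbl_security_acls values (?, ?, ?, ?)", GSS_ACLS)
    con.executemany("insert into ADObjects values (?, ?)", WIT_ADOBJECTS)
    con.executemany("insert into TreeNodes values (?)", WIT_TREENODES)
    con.executemany("insert into Rules values (?)", WIT_RULES)
    con.executemany("insert into Constants values (?)", WIT_CONSTANTS)
    return con


def high_water_marks(con):
    """{stream: (gss_max, wit_max)}: next_id - 1 on the GSS side, max(seqid) on the WIT side."""
    gss = dict(con.execute("select name, next_id - 1 from tbl_sequence_ids"))
    # Matt Hoover's narrower ACL mark: the newest ACL whose action is a work-item action.
    gss["acl_work_item"] = con.execute(
        "select max(sequence_id) from tbl_security_acls where action_id like '%WORK_ITEM%'"
    ).fetchone()[0]
    wit = {
        "identity_cache": con.execute("select max(seqid) from ADObjects").fetchone()[0],
        "css_node": con.execute("select max(seqid) from TreeNodes").fetchone()[0],
        "acl": con.execute("select max(seqid) from Rules").fetchone()[0],
    }
    wit["acl_work_item"] = wit["acl"]
    return {name: (gss[name], wit[name]) for name in wit}


def lagging_streams(con):
    """Streams where WIT is behind GSS, and by how many sequence ids."""
    return {name: g - w for name, (g, w) in high_water_marks(con).items() if g != w}


def unsynced_work_item_acl_identities(con, include_deleted=False):
    """SIDs with live work-item ACLs newer than WIT's last imported rule and no WIT Constant.
    The threshold is read from Rules rather than typed in (3271 in the thread)."""
    wit_max_acl = con.execute("select max(seqid) from Rules").fetchone()[0]
    sql = """
        select distinct id.sid, id.deleted
        from tbl_security_identity_cache id
        join tbl_security_acls acls
          on acls.sid = id.sid
         and acls.sequence_id > ?
         and acls.action_id like '%WORK_ITEM%'
         and acls.deleted = 0
        where id.sid not in (select SID from Constants)
    """
    if not include_deleted:
        sql += " and id.deleted = 0"
    return sorted(con.execute(sql, (wit_max_acl,)))


if __name__ == "__main__":
    db = load()
    print("lagging streams:", lagging_streams(db))
    print("unsynced identities:", unsynced_work_item_acl_identities(db, include_deleted=True))
```

    With the thread's numbers the identity stream is in sync, the node stream is 13 ids behind and the ACL stream 248 work-item ACLs behind, and the second function lists the identities whose newer ACLs WIT has not turned into Constants, split by whether the security service has already deleted them, which is the distinction Sam Heald's last two queries draw.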

