Users with on prem TFS 2015 get a TFS.Core.AjaxException: Unauthorized

[sedarby15]

When users for a project in the project collection I have the extension installed on try to access Active Pull Requests they get the following:  Ajax request failed with status: Unauthorized.  TFS.Core.Ajax.AjaxException: Ajax request failed with status: Unauthorized.  at st (http://tfs.cbre.com:8080/tfs/_static/tfs/Dev14.M102/_scripts/TFS/min/TfsPresentationCoreJs?v=7tQ5nGOZDx0K-CFDzzUf8IXp0yuRpEAHLZhc5qVTYQE1:22:5213)  at http://tfs.cbre.com:8080/tfs/_static/tfs/Dev14.M102/_scripts/TFS/min/TfsPresentationCoreJs?v=7tQ5nGOZDx0K-CFDzzUf8IXp0yuRpEAHLZhc5qVTYQE1:22:1652  at nt (http://tfs.cbre.com:8080/tfs/_static/tfs/Dev14.M102/_scripts/TFS/min/TfsPresentationCoreJs?v=7tQ5nGOZDx0K-CFDzzUf8IXp0yuRpEAHLZhc5qVTYQE1:22:893)  at Object.error (http://tfs.cbre.com:8080/tfs/_static/tfs/Dev14.M102/_scripts/TFS/min/TfsPresentationCoreJs?v=7tQ5nGOZDx0K-CFDzzUf8IXp0yuRpEAHLZhc5qVTYQE1:22:1263)  at j (http://tfs.cbre.com:8080/tfs/_static/tfs/Dev14.M102/_scripts/TFS/min/basejs:2:26860)  at Object.fireWith as rejectWith  at x (http://tfs.cbre.com:8080/tfs/_static/tfs/Dev14.M102/_scripts/TFS/min/basejs:4:11145) at XMLHttpRequest. (http://tfs.cbre.com:8080/tfs/_static/tfs/Dev14.M102/_scripts/TFS/min/basejs:4:14767) Session Id: 33353f8d-fcb0-4019-9ac1-8994c61cc7a2

Please let us know what we can do to have users allowed to use the extension. I am able to use it but I am a Project Collection Administrator if that makes any difference.

[sierpinski]

Are there any users who are not permitted to see every repository in the project? If a user attempted to use my extension but did not have authority to read the code in every repository that would cause an authentication error.

Maybe I can help you troubleshoot a bit. Which version of TFS are you using (eg., 2015.3)? What permissions does a typical user of the extension have to the project's repositories?

I'm not sure what is causing your error, but hopefully we can figure it out.

[sedarby15]

Hello, our on prem TFS server is running TFS 2015 Update 3. Our users are granted permissions on a per team project basis. I have your extension configured on each of our project collections. The permissions are set to the default for team members and the one user who has raised this problem is a project administrator on his team project. All team projects using this extension are using one project collection but as I said we have extension installed for all of our project collections.

Hope this helps you guide us to a solution.

Thank you,

sedarby15

[sierpinski]

Okay, since the user we know is receiving the unauthorized error is the project administrator, then permissions are our most likely culprit. A couple of ideas: (1) Do you have any way to verify that other users are similarly unauthorized? For example, are you able to test whether a project manager on a different project is similarly facing issues? Also, are team project members also receiving the unauthorized error? Figuring out these questions will help us nail down whether this individual user has permissions issues or if all of the users do. AND (2) I will review my updated url construction and verify I don't make any elevated calls (ie., requiring more permissions than my old technique).

[sedarby15]

This problem affects all users of the project. I am checking to see if he has this problem on any other projects he has access.

Thank you for your assistance,

sedarby15

[sierpinski]

Thanks for the update. Let me know when you learn about other projects. I've checked the new url technique and it isn't the culprit.

[sedarby15]

Okay, thank you.

[sierpinski]

Oh shoot, one more question I forgot to ask, which version of my extension are you using? Some of my older versions had a number of on-premises problems. Current version is 0.9.3.

[sedarby15]

I installed the latest this morning.

[sierpinski]

Ah shoot, well worth a shot! I'm hoping we discover other team projects are working properly and there is simply some setting on the repository permissions or team project that is affecting that team.

[sedarby15]

I will let you know when I can get them to try another project.

[sedarby15]

Okay, I had installed your extension in our test environment and was working well. I even tried installing the same version on our PROD server but they still seem to be having a problem.

Here is the series of error messages they get when they click on Active Pull Requests:

Error(s): § Ajax request failed with status: Unauthorized. § TFS.Core.Ajax.AjaxException: Ajax request failed with status: Unauthorized. § at st (http://tfs.cbre.com:8080/tfs/_static/tfs/Dev14.M102/_scripts/TFS/min/TfsPresentationCoreJs?v=7tQ5nGOZDx0K-CFDzzUf8IXp0yuRpEAHLZhc5qVTYQE1:22:5213) § at http://tfs.cbre.com:8080/tfs/_static/tfs/Dev14.M102/_scripts/TFS/min/TfsPresentationCoreJs?v=7tQ5nGOZDx0K-CFDzzUf8IXp0yuRpEAHLZhc5qVTYQE1:22:1652 § at nt (http://tfs.cbre.com:8080/tfs/_static/tfs/Dev14.M102/_scripts/TFS/min/TfsPresentationCoreJs?v=7tQ5nGOZDx0K-CFDzzUf8IXp0yuRpEAHLZhc5qVTYQE1:22:893) § at Object.error (http://tfs.cbre.com:8080/tfs/_static/tfs/Dev14.M102/_scripts/TFS/min/TfsPresentationCoreJs?v=7tQ5nGOZDx0K-CFDzzUf8IXp0yuRpEAHLZhc5qVTYQE1:22:1263) § at j (http://tfs.cbre.com:8080/tfs/_static/tfs/Dev14.M102/_scripts/TFS/min/basejs:2:26860) § at Object.fireWith as rejectWith § at x (http://tfs.cbre.com:8080/tfs/_static/tfs/Dev14.M102/_scripts/TFS/min/basejs:4:11145) at XMLHttpRequest. (http://tfs.cbre.com:8080/tfs/_static/tfs/Dev14.M102/_scripts/TFS/min/basejs:4:14767) Session Id: 33353f8d-fcb0-4019-9ac1-8994c61cc7a2

BTW, if I try to do the same thing, the extension works well but I am a TFS Administrator with full rights to all repositories.

Hope this is helpful.

[sierpinski]

Okay, I need to think more... if it works for you as an admin, then I am fairly convinced a required permission is missing for the other users, but I don't know which permission it is.

[sedarby15]

One more point, the user who is having the problem is a project administrator for one of the projects. I have TFS Administrator rights and the included Project Collection Administrator rights.

[sierpinski]

Wow, this is a really interesting permissions problem. Is there permissions customization on the project administrator's account or are the permissions default?

[sedarby15]

The permissions are set to default, in other words no restrictions at all.

[sierpinski]

Hmm, there is a similar issue affecting a team with an appliance between TFS and the users. Is it possible you have a hardware constraint? I'm kind of blindly groping for answers, sorry I don't have a grasp on the potential causes.

[sedarby15]

Okay, we do have our TFS app tiers load balanced with a F5 load balance server. I will have them try going direct to the primary TFS server using the FQDN rather than our domain name. Thank you for your efforts. We do appreciate it.

[sedarby15]

Good news. If they use the FQDN with the machine name not our DNS hostname, the extension works. Our F5 server is causing an issue for some reason.

Thank you for your assistance – enjoying using your extension,

[sierpinski]

Thank you for checking this and sending an update! I'm so glad it is working. I will send a request to Microsoft to look into the issue. I'm sorry they are having to type the machine name but happy it is helping you all! I will close the issue here and open one with VSTS.