azure-pipelines-agent: Unable to register agent against on-premise Azure Dev Ops Server: TF400813 Resource not available for anonymous access. Client authentication required.
Problem
I’m trying to install an agent and connect it to an on-premise install of Azure Dev Ops Server. I’ve copied the Powershell script from the settings page and run it on the app server where we need the agent. The script downloads the agent successfully, but when attempting to configure it, we get the following error:
TF400813: Resource not available for anonymous access. Client authentication required.
Failed to connect. Try again or ctrl-c to quit
We’ve tried two different PATs - one for a user with the agent pool administrator role, and one for a user who is the server administrator. The agent pool administrator’s PAT had the “Agent Pools (Read & manage)” and “Deployment Groups (Read & manage)” permissions set, and no others. The server administrator’s PAT was set to “full access”. Both PATs were set to a 30-day expiry and were generated on the day we used them, so they definitely hadn’t expired.
Under IIS, the app running Azure Dev Ops has Anonymous and Windows authentication enabled, and everything else disabled.
Agent Version and Platform
We’re running Azure Dev Ops Server version 17.153.29226.8 on Windows Server 2012 R2.
The agent we’re trying to configure is version 2.153.1 on Windows Server 2012.
Both are x64.
Similar issues
- #1839 was solved by disabling Basic Authentication; this is disabled on our server
- #1543 was closed because the user found a workaround; problem looks similar but they never solved it
- #759 was solved by uninstalling “Client Certificate Mapping With Active Directory”; this is not installed on our server
Diagnostic Logs
About this issue
- Original URL
- State: closed
- Created 5 years ago
- Comments: 29 (6 by maintainers)
@anaximander23 could it be that you generated organization scoped PAT? I was like: “been there done that” (regarding agent registration with PAT) and then battled this same issue. Only to realize, when generating token, Organization by default was set to some specific org, and had to set: “All accessible organizations”
I just hit this same issue. This is the first time deploying an agent since installing the September 2019 patch. I worked around the issue by using “Negotiate” for authentication instead of “PAT”
Tried again with “Negotiate” and entered the credentials for the agent pool administrator. Same error message.
my issue is solved by changing the option while creating the token set it to organizational level
Use “https://[servername]/[organizationname]” Infos: https://developercommunity.visualstudio.com/solutions/802663/view.html
Use “https://[servername]/[organizationname]” worked for me. Thanks!
Hi,
We have the same issue here.
Use case: Trying to authenticate for the configuration of a build agent with a PAT on the machine hosting Devops Server (so no proxy/network stuff in between).
The config.cmd call with PAT authentication returns:
_diag.txt
using Chrome wit the identity on the server and hitting the URL provided in the _diag: <server>/tfs/_apis/connectionData?connectOptions=0&lastChangeId=32&lastChangeId64=32 does return a JSON content with values in it (not sure if it is safe to post it here).
logging Failed requests within IIS returns:
I verified that the Basic token from request is correct, the decoded value is “VstsAgent:<value_of_the_PAT>”
Please advise, thanks.