When selecting a project in Urban Turtle 4, an AccessCheckException is thrown and the following message is received.
Access Denied: NETWORK SERVICE needs the following permission(s) to perform this action: Make requests on behalf of others
This error is caused by the Web Access process identity not having service-level permissions for the Team Foundation application instance by default in TFS 2012. The permission can be granted by adding the user to the Team Foundation Service Accounts group using the tfssecurity utility.
Solution for the default installation
If a default installation of Team Foundation Server 2012 is present, the following command can be pasted directly on the console of the computer hosting the TFS server:
"C:\Program Files\Microsoft Team Foundation Server 11.0\Tools\tfssecurity" /g+ "[TEAM FOUNDATION]\Team Foundation Service Accounts" n:"NT AUTHORITY\NETWORK SERVICE" /server:"http://localhost:8080/tfs"
Administrator privileges are needed for the operation to succeed.
Solution for non-standard installation
The tfssecurity utility is needed to add the user to the TFS security group. By default, it is located in the C:\Program Files\Microsoft Team Foundation Server 11.0\Tools\ directory. The command requires the following parameters:
tfssecurity /g+ "[TEAM FOUNDATION]\Team Foundation Service Accounts" n:"[user]" /server:"http://[server name]:[server port]/tfs"
The /g+ options tells tfssecurity to add a user to a group
The [user] parameter specifies which user Web Access is running under. The information can be found in the Internet Information Service Manager by opening the Advanced settings for Application Pool/Microsoft Team Foundation Server Application Pool. The IIS manager can usually be fired from the Start/Administrative Tools menu.
Under Process Model/Identity is the identity under witch TFS is configured to run. This identity corresponds to a user name configured by default in Windows. It is that user name that has to be specified with the command line utility.
Identity name Corresponding user name NetworkService NT AUTHORITY\NETWORK SERVICE LocalService NT AUTHORITY\LOCAL SERVICE LocalSystem NT AUTHORITY\SYSTEM
Note: The account names can change depending on the language of your operating system. For example, in french, NT AUTHORITY\NETWORK SERVICE becomes AUTORITE NT\SERVICE RÉSEAU.
If it is wanted to run Web Access under a specific user name, then this user name must be specified on the command line.
The [server name] is the URL pointing to the TFS server that needs to be configured. If the tfssecurity utility is run on the computer on which TFS installed, it is possible to use http://localhost.
- The [server_port] is the port TFS is listening to. The default value is 8080.
To configure the local TFS server that runs under the NetworkService identity and listens to the default 8080 port, the command would be:
tfssecurity /g+ "Team Foundation Service Accounts" n:"NT AUTHORITY\NETWORK SERVICE" /server:"http://localhost:8080/tfs"
Again, administrator privileges are needed for the operation to succeed.
If the operation succeeds, the modification should be visible trough the Team Foundation Administration Console.
Selecting Group membership, brings the following window:
Selecting Team Foundation Service Account and Properties brings up the list of all the users member of the group.
The NT AUTHORITY\NETWORK SERVICE should be visible on the list just like in the previous screenshot.
Urban Turtle should work properly next time a user selects a project in Web Access.