TFS 2015 Release Management Service: Setting up Deploying to an Untrusted Domain

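To set up a build/release agent in an untrusted domain, follow the steps below. The approach uses a shadow account: a local user with the same name and password on both the TFS App Tier machine and the agent machine.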

  1. Create a local user on the TFS App Tier machine, for example rmshadowagent.

  2. Navigate to the TFS control panel at http://yourtfs:8080/tfs/_admin/_AgentPool and create a new agent pool. Then download the agent.zip file and keep it so that it can be copied to the target agent machine.

  3. Select the agent pool and click Roles. Add the local user (rmshadowagent) created on the TFS App Tier to the “Agent Pool Administrators” role by clicking Add and then “Add Windows user or group”.

  4. Add the same user to the “Agent Pool Services Accounts” role for the selected pool.

  5. Copy the downloaded agent.zip to the machine in the untrusted domain (the agent machine). This machine must be able to reach your TFS URL. One way to achieve this is to expose your TFS over the internet; any machine with an internet connection that can reach the TFS URL can then act as an agent. Create a folder for your agent, for example C:\DeployAgent\Web, and extract agent.zip into it.

  6. Create a working folder for the agent on the agent machine.

  7. On the agent machine, if any credentials for the TFS URL are remembered in Control Panel (Credential Manager), remove them. This ensures that you can provide credentials when configuring the agent.

  8. On the agent machine, create a user with the same user name (“rmshadowagent”) and the same password as the user you created on the TFS App Tier. (Add this user to the Administrators group on the agent machine to allow it to perform any activity on the machine as a deployment agent.)

  9. Run a command prompt as administrator on the agent machine and change the directory to the extracted agent folder. Then execute ConfigureAgent.cmd and provide the following parameters when prompted:
  • Name for the agent
  • TFS URL – https://yourtfs/tfs
  • Agent pool name
  • Agent working directory path
  • Install agent as service – y
  • Service user – provide .\rmshadowagent instead of Network Service
  • Password for rmshadowagent

  10. Once you click OK, the following error is displayed. The agent is nevertheless configured and available to use in the pool.

TF14045: The identity with type 'System.Security.Principal.WindowsIdentity' and identifier 'S-1-5-21-1292816864-2021176197-253083057-1013' could not be found.

With this agent in the untrusted domain, the build output is downloaded successfully, confirming that the agent is running correctly.

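The agent-machine preparation described above (extracting agent.zip, creating the working folder, clearing remembered credentials, creating the local user) can be scripted. The following PowerShell is an added example, not part of the original article; it assumes Windows PowerShell 5.1 or later, an elevated session and English cmdkey output, and the paths C:\Temp\agent.zip and C:\DeployAgent\Web\_work are placeholders.

```powershell
# Added example: prepares the agent machine before running ConfigureAgent.cmd.
# Assumptions: Windows PowerShell 5.1+, elevated session, English cmdkey output.
#Requires -RunAsAdministrator
param(
    [string]$TfsUrl   = 'https://yourtfs/tfs',        # placeholder URL from the article
    [string]$AgentZip = 'C:\Temp\agent.zip',          # assumed location of the copied zip
    [string]$AgentDir = 'C:\DeployAgent\Web',         # example folder from the article
    [string]$WorkDir  = 'C:\DeployAgent\Web\_work',   # assumed working folder
    [string]$UserName = 'rmshadowagent'
)
$ErrorActionPreference = 'Stop'

# The agent authenticates to TFS across an untrusted network, so require TLS.
$uri = [uri]$TfsUrl
if ($uri.Scheme -ne 'https') { throw "Refusing non-HTTPS TFS URL: $TfsUrl" }

# Agent folder and working folder, then extract the downloaded agent.zip.
New-Item -ItemType Directory -Path $AgentDir, $WorkDir -Force | Out-Null
Expand-Archive -Path $AgentZip -DestinationPath $AgentDir -Force

# Remove remembered credentials for the TFS host so that ConfigureAgent.cmd
# prompts for them. cmdkey only lists the vault of the current user.
$targets = cmdkey /list |
    Select-String -Pattern '^\s*Target:\s*(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() } |
    Where-Object { $_ -like "*$($uri.Host)*" }
foreach ($t in $targets) {
    Write-Host "Removing stored credential: $t"
    cmdkey "/delete:$t" | Out-Null
}

# Local account with the same name and password as on the TFS App Tier.
# The password is read as a SecureString and never appears on a command line.
$password = Read-Host -AsSecureString "Password for $UserName (same as on the TFS App Tier)"
if (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue) {
    Set-LocalUser -Name $UserName -Password $password
} else {
    New-LocalUser -Name $UserName -Password $password `
        -Description 'Shadow account for the TFS deployment agent' | Out-Null
}

# The article adds the account to Administrators; the well-known SID
# S-1-5-32-544 also resolves on localized Windows installations.
if (-not (Get-LocalGroupMember -SID 'S-1-5-32-544' -Member $UserName -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -SID 'S-1-5-32-544' -Member $UserName
}

Write-Host "Ready. In $AgentDir run ConfigureAgent.cmd and use .\$UserName as the service user."
```

Run the script as the same Windows user who will run ConfigureAgent.cmd, because stored credentials are kept per user.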