TF.exe and TfSecurity.exe authentication on AzureDevOps

Question

I have a piece of legacy c# code (console application) that runs as a nightly batch and fires off TF.exe and TFSSecurity.exe commands at AzureDevOps. The commands are built by the c# code and then executed by means of launching PowerShell and executing them. All have worked fine until now, but lately, it started failing for tf30063 authentication errors.

TF30063: You are not authorized to access https://dev.azure.com/

As part of my troubleshooting I have picked a few of these commands that are being built and executed them in an interactive PowerShell session.

tf permission /recursive $/<tfs_project_name>/ /collection:https://dev.azure.com/<organization_name>/
TFSSecurity /imx adm: /collection:https://dev.azure.com/<organization_name>/

It produces the same result - TF30063: You are not authorized to access https://dev.azure.com/.

The logged-on user (where the commands are run) is able to access this AzureDevOps URL via a browser.

Digging a bit deeper I ran the command: tf settings connections help which returned the following output:

Server Url : https://<organization_name>.visualstudio.com/  
User       : 

I was actually expecting the passed URL here: https://dev.azure.com/
Not sure how this URL got there, or how to get it out - but, be that as it may, the empty user field arouses some suspicion.

I am really trying to figure out what the authentication flow/procedure is when executing these commands (TF and TFSSecurity) in Powershell. I have been prompted for authentication by an AzureDevOps dialog once, but where do these provided credentials stored? And for how long? I have been snooping around the Windows credentials in the Credential Manager, here I found some bits and pieces - but nothing conclusive.

Question:
Does anybody perhaps know how these 2 applications (tf.exe and TfSecurity.exe) handles authentication and storing of credentials?

System specs:
OS: Windows Server 2016
Powershell Version: 5.1.14393.3053
Location (version) of the tf.exe and TfSecurity.exe C:\\Program Files (x86)\\Microsoft Visual Studio\\2017\\Enterprise\\Common7\\IDE\\CommonExtensions\\Microsoft\\TeamFoundation\\ Team Explorer>

Answer 1

The cached credentials that tf.exe referenced might get corrupted. We donot know what caused this issue, nor can we give a certain method to fix this. You have to try below possible solutions to narrow down the fix.

1,

Using the browser from within your Visual Studio, View->Other Windows->Web Browser and navigate to the https://dev.azure.com/ . Then check if it is logged in the wrong account, log out and relog in if wrong account is logged in.

2,

Running the following command from the Developer Command Prompt for VS:

tf workspaces /collection:https://dev.azure.com/<organization_name>

3,

Go to Team Explorer > Manage Connections (Little Plug next to Home button) > Right Clicked on Project > Connect. Then reenter in your credentials.

4, To clear all the caches

Close all Visual Studio instances, delete %LOCALAPPDATA%.IdentityService as you did.

Clear TFS caches %LOCALAPPDATA%\\Microsoft\\Team Foundation\\7.0\\Cache

Clear all the browser caches especially for the stored password

5, Run Visual Studio as another user:

cd C:\\Program Files (x86)\\Microsoft Visual Studio\\2017\\Enterprise\\Common7\\IDE

runas /netonly /user: devenv.exe

Enter the user possword, then Team Explorer > Manage Connections

If none of the obove method fixes this issue. Please check here and here for more possible solutions.

You can also report a problem toMicrsoft Develop community (Report a problem > Azure Devops) if above issue persist.

For Server Url : https://.visualstudio.com/. It is the old version dev.azure.com domain name . The official document says it can be used as usual.

Update:

TF30063 error for TFSSecurity

The cached credentials for TFSSecurity is stored in the registry. You can delete it.

HKEY_CURRENT_USER\Software\Microsoft\VSCommon\14.0\ClientServices\TokenStorage\VisualStudio\VssApp

After you deleted the cached credentials in above registry. It will prompt you to re-enter the credential when you run tfssecurity.exe command again.