TFS 2012 – Issue: TF30063: You are not authorized to access and can’t trace permissions

No matter what permissions you set or what permissions you have you get a “TF30063: You are not authorized to access /Services/v3.0/LocationService.asmx” in SharePoint 2010.

image
Figure: Errors on the TFS components

And you have checked all of the usual suspects and even use the new TFS 2012 permission tracing features to no avail.

image
Figure: Cannot trace permissions on this item

 

Applies to

  • Visual Studio 2012 Team Foundation Server
  • Microsoft SharePoint 2010

Findings

I don’t know how unique my case is, but if you have searched the heck out of “TF30063: You are not authorized to access LocationService” and you still can’t find the issue then it is simple.

You do not have permission to read items in TFS from SharePoint!

tearing_hair_out-300x271
Figure: Ahhhhhhhhhh

But I am logged in as the TFS Service account, TFS Administrator account and a SharePoint Farm Admin… how many more permission do I need! Here is the deal… you have a “deny” in your permission list somewhere. Deny takes presidence over any other permission. So if you have a deny high up but an allow lower down then this is just tough… denied. And if it is doing this for all of your users regardless of permissions or groups then I have a suspension that there is some deny high up in TFS. There are only two groups that apply to everyone…

image
Figure: [TEAM FOUNDATION]Team Foundation Valid User

There are two places to look for global deny’s and that is the “Valid User” groups at either the server or at the collection level.

image
Figure: [DefaultCollection]Project Collection Valid Users

In this case we upgraded from Team Foundation Server 2008 to 2012 so any permissions carried over would be at the Collection level, so lets start there…

image
Figure: Really… denied at the Project Collection Level

I can’t imagine what was trying to be achieved by this… so I will leave you with…

ImpliedFacePalm

-Every company deserves working software that successfully and consistently meets their customers needs on a regular cadence. We can help you get working software with continuous feedback so that your teams can deliver continuous value with Visual Studio Team Services (VSTS), Team Foundation Server (TFS), Azure, & Scrum. We have experts on hand to help improve your process and deliver more value at higher quality.

  • Brad

    I attempted to upgrade from TFS 2012 RC to TFS 2012 RTM and received this error. I however was unable to access anything, even the security permissions in the Admin Console. Any thoughts? I saw a few posts regarding NuGet, which is on the server, but those fixes didn’t work either.

  • Jan Lund Svensson

    I had the same problem. But I could not find any user valid user setting the “deny” set. But instead I choose “Repair Connection” on TFS 2012 “Sharepoint Web Applications” in the TFS adminstration console, and that solved my problem.

  • Mick

    Hi All,

    We just saw this error message today coming from TFS and the problem was that a user’s token had expired because his password had expired. We chased the permissions problem down for about 2 hours until we had the user restart his machine! 🙂

    Mick

  • Pingback: TF30063: You are not authorized…! | Odie's Blog()

  • FIHG

    Hi,

    We have the same problem, but anything we’ve found have solved our problem: permissions, check C drive free space, clean up cache, iisreset, … The particularity about our problem is that it’s located in continuous range of changesets over the same file …

    Any idea would be very appreciated!!!

    • If the OpsHub migration tool corrupted your data then they need to fix it. I would raise this on the MSDN forum for TFS and try to get the Product Team involved with OpsHub…

      • FIHG

        We’ve done it and that is what they told us … before we apply the OpsHub migration tool over our TFS everything was fine … but during the proccess it stopped and after that we’re getting these errors when we try to get these changesets … It seems that they don’t care about this as long as the error is gotten directly when we get the changesets … any other suggestion? The error message is so creepy … Once again, thank you!!!