TFS 2017 NuGet publisher task fails with 401 - Unauthorized exception

With TFS 2017, we have added the new Package Management feature, which lets you host your NuGet packages in TFS.

Here is a walk-through of how you can use team build to restore and publish NuGet packages by making use of the NuGet Publisher task.

Recently, I have been working with a customer who was testing out the package management feature by publishing to a feed hosted in TFS from team build. However, the NuGet Publisher build task was failing with the below exception:

System.AggregateException: One or more errors occurred. ---> NuGet.Protocol.Core.Types.FatalProtocolException: Unable to load the service index for source https://<tfsserver>:8080/tfs/DefaultCollection/_packaging/<feedname>/nuget/v3/index.json. ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 401 (Unauthorized).

After going through the logs, we decided to try to browse to the JSON from the TFS server itself, which gave us the below response.

{"$id":"1","innerException":null,"message":"[TEAM FOUNDATION] \\Team Foundation Service Accounts lacks permission to complete this action. You need to have 'ReadPackages'.","typeName":"Microsoft.VisualStudio.Services.Feed.WebApi.FeedNeedsPermissionsException, Microsoft.VisualStudio.Services.Feed.WebApi","typeKey":"FeedNeedsPermissionsException","errorCode":0,"eventId":3000}

This gave us an indication that this was something to do with the permissions for the TFS service account. Upon checking, no permission customizations were found at the server level.

One more thing you should do to make sure the right permissions are assigned to users as well as to TFS service accounts is to set the appropriate access level in TFS.

Access levels are explained in more detail here.

In this case, we found that the default access level was set to “Stakeholder”. This would mean that all the accounts in TFS will fall into this category, unless the accounts are explicitly added to one of the other access level groups.
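The manual check described above (browsing to the feed's index.json and reading the error body) can be scripted. The following is an added example, not part of the original post; the parameter name $FeedIndexUrl and the helper Get-ErrorBody are hypothetical, and it assumes you run it in a session of the account whose access you want to test.

```powershell
# Added example: fetch the feed's service index with integrated authentication
# and surface the TFS error body that the NuGet client reports only as "401".
param(
    [Parameter(Mandatory = $true)]
    [string]$FeedIndexUrl   # https://<tfsserver>:8080/tfs/DefaultCollection/_packaging/<feedname>/nuget/v3/index.json
)

function Get-ErrorBody {
    param($ErrorRecord)
    # The web cmdlets usually copy the response body into ErrorDetails.
    if ($ErrorRecord.ErrorDetails -and $ErrorRecord.ErrorDetails.Message) {
        return $ErrorRecord.ErrorDetails.Message
    }
    # Fallback for Windows PowerShell: read the WebException response stream.
    $response = $ErrorRecord.Exception.Response
    if ($response -and ($response | Get-Member -Name GetResponseStream)) {
        $reader = New-Object System.IO.StreamReader($response.GetResponseStream())
        try { return $reader.ReadToEnd() } finally { $reader.Dispose() }
    }
    return $null
}

try {
    # Authenticates as the account running this session.
    $result = Invoke-WebRequest -Uri $FeedIndexUrl -UseDefaultCredentials -UseBasicParsing
    Write-Output "OK: HTTP $([int]$result.StatusCode), service index is readable."
}
catch {
    $body = Get-ErrorBody $_
    if (-not $body) { throw }   # no response body: connection, TLS or DNS problem
    try { $err = $body | ConvertFrom-Json } catch { Write-Output $body; return }
    # typeKey and message are the fields shown in the response above.
    if ($err.typeKey -eq 'FeedNeedsPermissionsException') {
        Write-Output "Feed permission problem: $($err.message)"
        Write-Output "Check the feed permissions and the access level of the named identity."
    }
    else {
        Write-Output "Server error ($($err.typeKey)): $($err.message)"
    }
}
```

Running the same script again after an access level change confirms whether the service index has become readable.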

As explained in this article:

Service accounts are added to the default access level. If you set Stakeholder as the default access level, you must add the TFS service accounts to the Basic or Advanced group.

Once we added the TFS Service account explicitly to the Advanced group, the NuGet Publisher task was successful!

Note: This is just one instance where the issue was caused by an incorrect access level being set for the TFS Service account. You might face issues with other functionality as well, so please make sure to set the access levels for the service accounts appropriately.

Content: Sreeraj Syama Rajendran
Review: Romit Gulati