401 when using api in on-prem TFS 2017 #114

Closed
jeffpriz opened this issue Aug 28, 2017 · 17 comments
@jeffpriz

jeffpriz commented Aug 28, 2017

I am attempting to create a Build task in node, that leverages this api. I have looked through the samples, and I am attempting to use much of the code in the common.ts for getting the WebApi object.
My code looks like this:



```typescript
import * as vm from 'vso-node-api';
import * as lim from 'vso-node-api/interfaces/LocationsInterfaces';

export async function getWebApi(pwd: string): Promise<vm.WebApi> {
    return new Promise<vm.WebApi>(async (resolve, reject) => {
        try {
            console.log("in the common getter");
            let serverUrl = 'https://mylocalserver/tfs/mycollection';
            let token = ' my PAT on the server, that has full access ';
            let authHandler = vm.getPersonalAccessTokenHandler(token);
            // ignoreSslError turns off TLS certificate validation for this connection
            let options = {
                ignoreSslError: true
            };

            let vsts: vm.WebApi = new vm.WebApi(serverUrl, authHandler, options);
            console.log("got web api?");
            // connect() issues an authenticated REST call to fetch the connection data
            let connData: lim.ConnectionData = await vsts.connect();
            console.log('Hello ' + connData.authenticatedUser.providerDisplayName);
            resolve(vsts);
        }
        catch (err) {
            console.log("error in get api " + err.message);
            reject(err);
        }
    });
}
```

The code ends up erroring with "Invalid Resource".. not the most helpful message.. Debugging locally through VSCode, I found that the status coming back to the REST call was a 401-Unauthorized. I put some debug messages in the JavaScript of the REST client to verify that the same error was coming when running on the server, and indeed that's the same result. I tried switching out the PAT Handler for the Ntlm Handler, but the same results.

Not sure why the 401? If I hit the URI that the Rest call is making in my browser window, it comes back with the Json successfully.

Any help would be super appreciated at this point.

@jeffpriz
Author

jeffpriz commented Aug 28, 2017

Looks like the VSCode folks also were running into some trouble with Ntlm and TFS On-Prem, any chance that their Ntlm fix might roll over to this?

microsoft/azure-repos-vscode#59

@bryanmacfarlane
Contributor

A build task should not use the identity the agent runs as. We generate a bearer OAuth token per build to talk back to vsts (even on-prem) which represents the build service account.

See here: https://github.com/Microsoft/vsts-task-lib/blob/master/node/docs/stepbystep.md

And here specifically: https://gist.github.com/bryanmacfarlane/154f14dd8cb11a71ef04b0c836e5be6e#file-vsts_sample-ts

@jeffpriz
Author

jeffpriz commented Aug 29, 2017

Bryan, thanks for that, the use of the bearer token from the task getEndpointAuthorizationParameter call works within the build task! Thank you!
Just curious about the debug scenarios for this though, this will exclude me from simply running my node code in debug mode in VSCode, as the Ntlm and PAT auth objects still fail. Developing locally would be feasible if I could authenticate locally within VSCode (but swapping to the bearer for when running through a task), or as your step-by-step link shows running node against my file will simply error when it doesn't run within a task.

@nadavsinai

We are also experiencing this issue - We wrote a CLI that uses vsts-node-api to connect to our on premise TFS 2017 to get some repo details that should be restricted to the logged on user - our CLI asks for credentials that we then want to forward to the NTLM auth provider but we get the 401 Unauthorized response with both NTLM and basic auth.

Any ideas?

@bryanmacfarlane
Contributor

@nadavsinai - try using a PAT token. 2017 TFS should support.

@jeffpriz - for debugging vs in task, see this line of code: https://gist.github.com/bryanmacfarlane/154f14dd8cb11a71ef04b0c836e5be6e#file-vsts_sample-ts-L16

@jeffpriz
Author

jeffpriz commented Jan 31, 2018

@bryanmacfarlane but the whole trouble is that the getPersonalAccessTokenHandler doesn't work.. that's what initially caused me to post this. It throws an "Invalid Resource" error, and after digging into the root, there is a 401..

@bryanmacfarlane
Contributor

Thanks. I’ll try and repro on my side

@newblord

newblord commented Feb 6, 2018

@bryanmacfarlane I am also getting this error as well. Here is the response HTML content:

I checked my PAT and I have full access to it. Currently using version 5.1.2 works but do not have access to some of the new apis added in the preview.

Edit: I just tried PAT on 5.1.2 and I get a similar error. NTLM is the only thing that works for 5.1.2.

Using NTLM on latest version throws this error: TF400813: Resource not available for anonymous access. Client authentication required.

```
<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
<style type="text/css"> </style>

Server Error

401 - Unauthorized: Access is denied due to invalid credentials.

You do not have permission to view this directory or page using the credentials that you supplied.
```

@bryanmacfarlane
Contributor

I think we have it figured out. We're doing some testing now. Hopefully we will have a preview version very soon to try out.

stephenmichaelf self-assigned this Feb 7, 2018
@jeffpriz
Author

jeffpriz commented Feb 7, 2018

@bryanmacfarlane We also were attempting to create a task that ran during a Release, and found that the release did not get a Bearer token generated like the Build did.. what is the expected pattern for creating a Release task? Will the PAT token authentication be the best bet for a Release task? We gave up on writing release tasks in Node at the time, but if the authentication issue is corrected then perhaps it's something we could revisit.

@stephenmichaelf
Member

@jakekrammer-axosoft Are you using the latest version of the library? I am trying to recreate the issue but it's working fine for me, the response I get is:

```
[{
"id": "",
"name": "",
"url": "*****"
}
]
```

This is using PAT auth and the token has full access.

You had mentioned:

> If I hit the URI that the Rest call is making in my browser window, it comes back with the Json successfully.

Can you do a diff of the failing REST request and the successful one and see what the differences are? The browser request is probably using different auth, this seems like a PAT issue.
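
An added example, not part of the thread or the library's code: one way to do the request diff suggested above without passing credentials around. It compares the headers of two captured requests with the `Authorization` value cut down to its scheme. The header values are constructed samples, the function names are hypothetical, and the PAT travelling as a `Basic` header and the browser using `Negotiate` are assumptions.

```typescript
// Added example: header values are constructed; function names are hypothetical.
type HeaderMap = { [name: string]: string };

// Credentials are reduced to their scheme. A Basic value is only base64, so a
// capture shared as-is hands the token to whoever reads it.
function redact(name: string, value: string): string {
    if (name === "authorization" || name === "proxy-authorization") {
        return value.trim().split(/\s+/)[0] + " <redacted>";
    }
    if (name === "cookie") {
        return "<redacted>";
    }
    return value.trim();
}

// Header names are case-insensitive, so compare them lower-cased.
function normalize(headers: HeaderMap): HeaderMap {
    const out: HeaderMap = {};
    for (const name of Object.keys(headers)) {
        const key = name.toLowerCase();
        out[key] = redact(key, headers[name]);
    }
    return out;
}

// One line per header that differs between the failing and the working request.
function diffRequests(failing: HeaderMap, working: HeaderMap): string[] {
    const a = normalize(failing);
    const b = normalize(working);
    const names = Object.keys(a).concat(Object.keys(b).filter(k => !(k in a))).sort();
    const show = (v: string | undefined) => (v === undefined ? "(absent)" : v);
    return names
        .filter(n => a[n] !== b[n])
        .map(n => `${n}: failing=${show(a[n])} | working=${show(b[n])}`);
}

// Constructed captures: the Node client (assumed Basic) and a browser session
// (assumed Negotiate plus a session cookie).
const failingRequest: HeaderMap = {
    "Accept": "application/json",
    "Authorization": "Basic Y29uc3RydWN0ZWQ=",
};
const workingRequest: HeaderMap = {
    "accept": "application/json",
    "authorization": "Negotiate Y29uc3RydWN0ZWQ=",
    "Cookie": "constructed-session=1",
};

console.log(diffRequests(failingRequest, workingRequest).join("\n"));
```
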

@bryanmacfarlane
Contributor

We're closing for now since the latest version with our tests works now. If someone has the latest version and can answer Stephen's questions above, we can re-open and investigate.

@TiredOfProgramming

Why do we create an issue with the wording "TFS" in the title, whereas the whole repo is about vsts-node-api? From my understanding TFS and VSTS are completely two different instances. No?

@stephenmichaelf
Member

The on prem version is generally referred to as TFS and the cloud version VSTS. Same code base (for the most part). Yes it's confusing :)

@kevinrusson

I'm having the same issue reported above using an on-prem TFS 2018 RTW (Version 16.122.27102.1) and vso-node-api 6.5.0 (latest version).

I'm trying to authenticate using a PAT:

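```typescript
import * as vsts from 'vso-node-api';
import { IWorkItemTrackingApi } from 'vso-node-api/WorkItemTrackingApi';
// Excerpt from inside an async class method; `config` is defined elsewhere.
const collectionUrl = `${config.tfs.url}/DefaultCollection`;
const authHandler = vsts.getPersonalAccessTokenHandler("PAT here");
this.connection = new vsts.WebApi(collectionUrl, authHandler);
const witApi: IWorkItemTrackingApi = await this.connection.getWorkItemTrackingApi();
```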

No matter what I do I get an "Invalid Resource" response.

Any thoughts on the latest version?

@stephenmichaelf
Member

@kevinrusson Can you send me the specific request/response that is giving you the error?

stfrance at microsoft dot com
