Having just installed the shiny new bits from TFS 2015, I was itching to give build vNext a go.
I created a basic build definition and tried to run it. I was unceremoniously brought back to reality with the following error everytime I queued a new build.
Object reference not set to an instance of an object
The error occurred as soon as I clicked Queue Build and looked like this.
Detective Work
I started by looking in the logs for the build agent, but there was nothing valuable there.
I then decided to look at the Event Logs on the build agent... nothing.
I looked at the Event Logs on the TFS server and saw:
System.Security.Cryptography.CryptographicException: Access denied.
at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromBlob(Byte[] rawData, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate2.Import(Byte[] rawData)
at Microsoft.TeamFoundation.Framework.Server.TeamFoundationStrongBoxService.<>c__DisplayClass4.<RetrieveFileAsCertificate>b__2()
at Microsoft.TeamFoundation.Framework.Server.StrongBox.StrongBoxCache.GetCertificate(TeamFoundationRequestContext requestContext, StrongBoxItemInfo item, Func`1 missDelegate)
at Microsoft.TeamFoundation.Framework.Server.TeamFoundationStrongBoxService.RetrieveFileAsCertificate(TeamFoundationRequestContext requestContext, StrongBoxItemInfo item, Boolean exportable)
at Microsoft.VisualStudio.Services.DelegatedAuthorization.DelegatedAuthorizationConfigurationService.GetSigningCredentials(TeamFoundationRequestContext requestContext)
at Microsoft.VisualStudio.Services.DelegatedAuthorization.PlatformDelegatedAuthorizationService.IssueSessionToken(TeamFoundationRequestContext requestContext, Nullable`1 clientId, Nullable`1 userId, String displayName, Nullable`1 validTo, String scope, IList`1 targetAccounts, SessionTokenType tokenType)
at Microsoft.TeamFoundation.DistributedTask.Orchestration.Server.TaskHub.GeneratePersonalAccessToken(TeamFoundationRequestContext requestContext, TimeSpan tokenDuration, Identity identity)
This looks promising. As this is an Access Denied error, I loaded ProcMon and recorded whilst I queued another build. I saw the following in ProcMon.
Tip: You can quickly locate these type of issues by searching for "denied" in ProcMon
Here we can see that the user TFSService was denied write permission to c:\programdata\microsoft\crypto\rsa\machinekeys
Solution (TL;DR)
The user that your TFS Job Agent (Service Account) is running under needs read/write permission to c:\programdata\microsoft\crypto\rsa\machinekeys on the TFS server. Once you have set this up, your builds should start succeeding.