TFS 2015 Build vNext - Build Failed

Having just installed the shiny new bits from TFS 2015, I was itching to give build vNext a go.

I created a basic build definition and tried to run it. I was unceremoniously brought back to reality with the following error every time I queued a new build.

Object reference not set to an instance of an object

The error occurred as soon as I clicked Queue Build and looked like this.


Detective Work

I started by looking in the logs for the build agent, but there was nothing valuable there.

I then decided to look at the Event Logs on the build agent... nothing.

I looked at the Event Logs on the TFS server and saw:

System.Security.Cryptography.CryptographicException: Access denied.

   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromBlob(Byte[] rawData, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
   at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2.Import(Byte[] rawData)
   at Microsoft.TeamFoundation.Framework.Server.TeamFoundationStrongBoxService.<>c__DisplayClass4.<RetrieveFileAsCertificate>b__2()
   at Microsoft.TeamFoundation.Framework.Server.StrongBox.StrongBoxCache.GetCertificate(TeamFoundationRequestContext requestContext, StrongBoxItemInfo item, Func`1 missDelegate)
   at Microsoft.TeamFoundation.Framework.Server.TeamFoundationStrongBoxService.RetrieveFileAsCertificate(TeamFoundationRequestContext requestContext, StrongBoxItemInfo item, Boolean exportable)
   at Microsoft.VisualStudio.Services.DelegatedAuthorization.DelegatedAuthorizationConfigurationService.GetSigningCredentials(TeamFoundationRequestContext requestContext)
   at Microsoft.VisualStudio.Services.DelegatedAuthorization.PlatformDelegatedAuthorizationService.IssueSessionToken(TeamFoundationRequestContext requestContext, Nullable`1 clientId, Nullable`1 userId, String displayName, Nullable`1 validTo, String scope, IList`1 targetAccounts, SessionTokenType tokenType)
   at Microsoft.TeamFoundation.DistributedTask.Orchestration.Server.TaskHub.GeneratePersonalAccessToken(TeamFoundationRequestContext requestContext, TimeSpan tokenDuration, Identity identity)

This looks promising. As this is an Access Denied error, I loaded ProcMon and recorded whilst I queued another build. I saw the following in ProcMon.


Tip: You can quickly locate these types of issues by searching for "denied" in ProcMon

Here we can see that the user TFSService was denied write permission to c:\programdata\microsoft\crypto\rsa\machinekeys

Solution (TL;DR)

The user that your TFS Job Agent (Service Account) is running under needs read/write permission to c:\programdata\microsoft\crypto\rsa\machinekeys on the TFS server. Once you have set this up, your builds should start succeeding.
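One way to check and apply this permission from an elevated Windows PowerShell prompt on the TFS server. This is an added example, not part of the original post; the account name CONTOSO\TFSService is a placeholder for your own service account, and the -Fix switch is a name chosen for this sketch. The grant is scoped to the folder itself, so the ACLs on existing key files belonging to other identities are left untouched.

```powershell
# Added example (not from the original post). Run elevated, Windows PowerShell on the TFS server.
param(
    [string]$Account = 'CONTOSO\TFSService',   # placeholder: replace with your TFS service account
    [string]$Path    = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys',
    [switch]$Fix                               # hypothetical switch: without it the script only reports
)

$needed = [int][System.Security.AccessControl.FileSystemRights]'Read, Write'

# Resolve the account to a SID so matching does not depend on how the name is written
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Load only the DACL, so writing it back never touches owner or audit entries
$dir = Get-Item -LiteralPath $Path
$acl = $dir.GetAccessControl('Access')

# Allow rules that name the account directly (group membership is not expanded here)
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $sid -and $_.AccessControlType -eq 'Allow' }

$granted = 0
foreach ($r in $rules) { $granted = $granted -bor [int]$r.FileSystemRights }

if (($granted -band $needed) -eq $needed) {
    Write-Output "$Account already has Read/Write on $Path"
}
elseif ($Fix) {
    # No inheritance or propagation: the rule applies to the folder only,
    # not to the private key files already stored inside it
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid,
        [System.Security.AccessControl.FileSystemRights]'Read, Write',
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    $dir.SetAccessControl($acl)
    Write-Output "Granted Read/Write (this folder only) to $Account"
}
else {
    Write-Output "$Account has no direct Read/Write rule on $Path; re-run with -Fix to grant it"
}
```

Because group membership is not expanded, a "no direct rule" result can still mean the account gets access through a group; the ProcMon trace remains the authoritative check.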