While setting up and configuring TFS for a client, the other day, we ran into a strange error during configuration. The TFS 2010 configuration failed to complete because the TfsJobAgent service could not start. The error was simple and straight-forward: Access Denied.
Usually there are several items to check here:
- Are the credentials for the service account correct? (The error would have told us Logon Failure anyway)
- Does the service account have the Log on as service policy right?
- Is the service account NOT in the Deny log on as service policy?
- Are these policies being locked/overridden via an AD policy, etc.?
Well … we exhausted all of these options and still could not determine the cause. We decided to get a fresh set of eye in on the issue and he pointed out the brutally obvious to us by asking: Does the service account have file system rights to the EXE? Check the ACLs.
Brilliant! Turns out this client restricts folder ACLs on their servers to aid in security and the TFS service account didn’t have access to this folder.
So now I can add this to my “pre-flight” checklist.