Having just installed the shiny new bits from TFS 2015, I was itching to give build vNext a go.
I created a basic build definition and tried to run it. I was unceremoniously brought back to reality with the following error everytime I queued a new build.
Object reference not set to an instance of an object
The error occurred as soon as I clicked Queue Build and looked like this.
I started by looking in the logs for the build agent, but there was nothing valuable there.
I then decided to look at the Event Logs on the build agent... nothing.
I looked at the Event Logs on the TFS server and saw:
System.Security.Cryptography.CryptographicException: Access denied. at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr) at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromBlob(Byte rawData, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx) at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte rawData, Object password, X509KeyStorageFlags keyStorageFlags) at System.Security.Cryptography.X509Certificates.X509Certificate2.Import(Byte rawData) at Microsoft.TeamFoundation.Framework.Server.TeamFoundationStrongBoxService.<>c__DisplayClass4.<RetrieveFileAsCertificate>b__2() at Microsoft.TeamFoundation.Framework.Server.StrongBox.StrongBoxCache.GetCertificate(TeamFoundationRequestContext requestContext, StrongBoxItemInfo item, Func`1 missDelegate) at Microsoft.TeamFoundation.Framework.Server.TeamFoundationStrongBoxService.RetrieveFileAsCertificate(TeamFoundationRequestContext requestContext, StrongBoxItemInfo item, Boolean exportable) at Microsoft.VisualStudio.Services.DelegatedAuthorization.DelegatedAuthorizationConfigurationService.GetSigningCredentials(TeamFoundationRequestContext requestContext) at Microsoft.VisualStudio.Services.DelegatedAuthorization.PlatformDelegatedAuthorizationService.IssueSessionToken(TeamFoundationRequestContext requestContext, Nullable`1 clientId, Nullable`1 userId, String displayName, Nullable`1 validTo, String scope, IList`1 targetAccounts, SessionTokenType tokenType) at Microsoft.TeamFoundation.DistributedTask.Orchestration.Server.TaskHub.GeneratePersonalAccessToken(TeamFoundationRequestContext requestContext, TimeSpan tokenDuration, Identity identity)
This looks promising. As this is an Access Denied error, I loaded ProcMon and recorded whilst I queued another build. I saw the following in ProcMon.
Tip: You can quickly locate these type of issues by searching for "denied" in ProcMon
Here we can see that the user TFSService was denied write permission to c:\programdata\microsoft\crypto\rsa\machinekeys
The user that your TFS Job Agent (Service Account) is running under needs read/write permission to c:\programdata\microsoft\crypto\rsa\machinekeys on the TFS server. Once you have set this up, your builds should start succeeding.