How to: Configure the Service Account for the Testing and Workflow Integration
If you use the Lab Management workflow to build, deploy, and test your application, or just to run automated tests or manual tests in a virtual environment, you must configure the lab service account.
This topic describes the function, permissions, and configuration of the lab service account. You can find more information about the lab service account on this Microsoft website.
Lab Management uses the lab service account to communicate between the test agent and the test controller and between the build agent and Team Foundation.
Using the lab service account is highly recommended but not mandatory, because you can also use local accounts on each machine. However, by configuring the lab service account in the Team Foundation Administration Console, you do not have to take the time to provision permissions manually or assign agents and controllers to specific service accounts.
The lab service account lets you run the build, test, and lab agents under any system account. However, when you configure the lab service account, the account is automatically given only the minimum set of permissions that are required for the test and build agents to communicate with their controllers. These permissions allow the following communication:
The test agent will be able to communicate with the test controller. In testing-capable virtual environments, the test agent uses the lab service account to communicate with the test controller. This account is used only for the communication channel between the test agent and the test controller and is not used to actually run the test agent. The test agent continues to run tests and collect logs. It uses the account that was configured when you used the Test Agent Configuration tool.
The build agent will be able to communicate with Team Foundation Server. The lab service account is automatically added to the Project Collection Build Service Accounts group. In workflow-capable virtual environments, the build agent uses the lab service account to communicate with Team Foundation. This account is used only for the communication between the build agent and Team Foundation and is not used to run the build agent. The build agent uses the account that was configured when you used the administration console. Make sure that the build agent runs under a domain or system account that has administrative privileges on the local machine.
Configuring the lab service account does not automatically give the account read permissions on the build drop location. You must manually add the lab service account to the accounts that can read the build drop location.
The build agent will access the build drop location using the lab service account. The build agents used by the lab workflow are not configured with the same permissions as the build agents used to compile a build. The build agents used to compile the source files are given read permissions in the source control system. Because the build agents used by the lab workflow do not have to read the source files, they are explicitly denied all permissions on source control artifacts in the project collection. The build agents in the lab workflow are used only to execute the deployment scripts specified in the workflow template. Before each deployment script is executed, the build agent configures its logged-on session to access the drop location by using the lab service account. When the script is complete, the build agent removes that configuration.
The first time that you configure the lab service account, you should use the Team Foundation Administration Console. For more information, see Configuring Lab Management for the First Time. When you select a system account to use for the lab service account, follow these guidelines:
The lab service account must be a domain account.
The lab service account should not be a member of the Administrators security group on any machine. Although the account information for the lab service account is stored securely on Team Foundation Server, it might not be stored securely on individual virtual machines.
The service account should not be the account that is used for the build controller, test controller, or any other trusted service. Those service accounts need more permissions than the agents need.
The service account should have limited user permissions.
To reduce the risk that the testing or workflow capabilities become unavailable when the password is changed for this account, we recommend that you create two accounts to use for this service account.
The team project collection administrator should be the only user who has permission to change the password of the service account.
After you have configured the lab service account for your team project collection, you can view the configured account information under the Lab Management tab for the project collection in the Team Foundation Administration Console. We recommend that you change this service account regularly for security reasons.
You can change the service account by using the Administration Console for Team Foundation. Alternatively, you can change it from the command line. For more information about the command-line utility TFSLabConfig, see Configuring Lab Management with TFSLabConfig.
Use the following procedures to configure the service account.
To configure the service account to enable testing and build workflow capabilities
In the Team Foundation Administration Console, click Team Project Collections under Application Tier.
In the right-side pane, click the appropriate team project collection from the list of project collections.
Click the Lab Management tab, and then click Configure User Account.
To change the service account, click Service Account.
On the Service Account tab, type the name of your account in Account Name and the password in Password.
To make sure that the user account is valid, click Test.
If you have existing environments when you change this service account, these environments are not automatically updated. The testing and workflow capabilities might show a status of not ready. Click Try Again in the error message shown in the Environments view for Microsoft Test Manager to update the new user name and password. The capabilities will then show the ready state. Alternatively, you can use the command-line utility TFSLabConfig to update all the existing environments; see TFSLabConfig UpdateServiceAccountOnDeployedEnvironments Command. The command-line utility does not affect any operations, such as workflow or testing, that are currently running.
Use the following procedures to switch between two service accounts. This reduces the risk that the testing or workflow capabilities could become unavailable.
To switch between two service accounts to reduce the risk that the testing or workflow capabilities become unavailable
1. Find the password expiration policy for your domain. In this procedure, the default value of 42 days is assumed.
2. Set the password expiration to be 42 days for both accounts, Account1 and Account2.
3. Use Account1 as the service account.
4. After 21 days (half of the expiration period), reset the password for Account2. Then configure Account2 to be the service account using the previous procedure.
5. Every 21 days (half of the expiration period), you must repeat step 4 by resetting the password and configuring the account that is not currently being used to be the service account.
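The switch procedure above as a day-by-day simulation, added here as an illustration and not part of the original Microsoft topic. The function name `simulate_rotation`, its parameters, and the start date are assumptions; the code generalizes the 42-day default to any expiration period and shows how much margin remains on the in-use password when a scheduled switch is missed.

```python
from datetime import date, timedelta


def simulate_rotation(start, max_age=42, swaps=4, missed=(),
                      accounts=("Account1", "Account2")):
    """Simulate the two-account switch procedure one day at a time.

    Returns (events, min_days_left):
      events        - list of (date, account) for each switch performed
      min_days_left - fewest days the in-use account's password had left
                      before expiring at any point in the simulation
    `missed` holds the 1-based numbers of scheduled switches that were skipped.
    """
    half = max_age // 2                         # switch interval: half the expiry period
    last_reset = {a: start for a in accounts}   # assumption: both passwords set on day 0
    active = accounts[0]                        # step 3: Account1 is used first
    events, min_left = [], max_age

    for day in range(half * swaps + 1):
        today = start + timedelta(days=day)

        # Margin on the password that is in use at the start of this day.
        days_left = max_age - (today - last_reset[active]).days
        min_left = min(min_left, days_left)

        # Steps 4 and 5: every `half` days, reset the idle account and switch to it.
        if day and day % half == 0 and (day // half) not in missed:
            standby = accounts[1] if active == accounts[0] else accounts[0]
            last_reset[standby] = today
            active = standby
            events.append((today, active))

    return events, min_left


if __name__ == "__main__":
    # Constructed start date, for illustration only.
    for label, skipped in (("on schedule", ()), ("switch 1 missed", (1,))):
        events, margin = simulate_rotation(date(2024, 1, 1), missed=skipped)
        print(f"{label}: minimum days left on in-use password = {margin}")
        for when, account in events:
            print(f"  {when}  reset and switch to {account}")
```

On schedule, the in-use password never has fewer than 21 days left; a single missed switch uses up that entire margin, so the in-use password reaches its expiration date on the day of the next scheduled switch.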
When you configure or update the service account for Team Foundation, the account is not automatically updated on each existing environment. You have two options to propagate the updated account to the existing environments:
Run the command UpdateServiceAccountOnDeployedEnvironments, which pushes the account to each environment in a project collection. For more information about this command, see TFSLabConfig UpdateServiceAccountOnDeployedEnvironments Command.
Do any of the following operations on each environment.
Repair the testing and workflow capability.
Make a change in the virtual environment.
Restore the environment to a snapshot.
We recommend that you use the UpdateServiceAccountOnDeployedEnvironments command to update the service account. Using this command does not affect any running operations, such as workflows or test runs, in any of the environments. After you use this command, the account is pushed to the environment and the agents apply it as follows:
Test agents that are not busy running tests apply it immediately.
Test agents that are running tests apply the command after the test run is finished.
Build agents apply the new service account when the build agent service is restarted. The agent service is restarted if the workflow capability is repaired, the environment is started, or a snapshot for an environment is restored.