The MachineKeys directory is configured with non-default permissions
The information in this article applies to:
Visual Studio 2005 Team Foundation Server
Visual Studio Team System 2008 Team Foundation Server
Application-tier server
Health check
The Best Practices Analyzer tool for Team Foundation Server checks the security descriptor for the MachineKeys directory. An error appears if the MachineKeys directory is not set to use default permissions. The text of the error indicates the directory path where the non-default permissions are set.
If the service account for Team Foundation Server does not have full access to the MachineKeys directory, you might have problems accessing and using the Web services for Team Foundation Server. To resolve this issue, use Windows Explorer to change the permissions for the MachineKeys directory.
Required Permissions
To perform these procedures, you must be a member of the Administrators security group on the application-tier server for Team Foundation.
To change the permissions for the MachineKeys directory in Windows Server 2003
Log on to the application-tier server.
Open Windows Explorer, and locate the directory path that is contained in the text of the error.
The default path is Drive:\Documents and Settings\all users\Application Data\Microsoft\Crypto\RSA
Right-click the MachineKeys directory, and click Properties.
Note
If the directory does not appear, click Folder Options. On the View tab, click Show hidden files and folders.
The MachineKeys Properties dialog box opens.
Click the Security tab.
Verify that Administrators and Everyone are listed under Group or user names. If they are not listed, add them as follows:
Click Add.
In the Select Users, Computers, or Groups dialog box, for From this location, type the name of the local computer, or click Locations and click the name of the local computer. Click OK.
In Enter the object names to select, type the name of the user group that is missing, and then click Check Names. Click the group account, and click OK twice.
Set the permissions for Administrators and Everyone:
Click the group name (for example, Administrators).
Note
If the Special Permissions check box is selected, do not clear it. This selection grants full access to all file and folder actions.
Click Full Control. This following check boxes should now be selected:
Full Control
Modify
Read & Execute
List Folder Contents
Read
Write
Repeat steps 6a and 6b for Everyone.
Click Advanced.
Select the Replace permission entries on all child objects with entries shown here that apply to child objects check box.
Click OK to confirm the changes.
Click OK to close the dialog box.
To change the permissions for the MachineKeys directory in Windows Server 2008
Log on to the application-tier server.
Open Windows Explorer, and locate the directory path that is contained in the text of the error.
The default path is Drive:\ProgramData\Microsoft\Crypto\RSA.
Right-click the MachineKeys directory, and click Properties.
Note
If the directory does not appear, click Organize, and then click Folder Options. On the View tab, click Show hidden files and folders.
The MachineKeys Properties dialog box opens.
Click the Security tab.
Verify that Administrators and Everyone are listed under Group or user names. If they are not listed, add them as follows:
Click Edit, and then click Add.
In the Select Users, Computers, or Groups dialog box, in From this location, type the name of the local computer, or click Locations and click the name of the local computer. Click OK.
In Enter the object names to select, type the name of the user group that is missing, and then click Check Names. Click the group account, and click OK twice.
Set the permissions for Administrators and Everyone:
Click the group name (for example, Administrators).
Note
If the Special Permissions check box is selected, do not clear it. This selection grants full access to all file and folder actions.
Click Full Control.
The following check boxes are selected automatically:
Full Control
Modify
Read & Execute
List Folder Contents
Read
Write
Repeat steps 6a and 6b for Everyone.
Click Advanced.
Select the Replace all existing permissions on all descendants with inheritable permissions from this object check box.
Click OK to confirm the changes.
Click OK to close the dialog box.
See Also
Tasks
The built-in Users group does not have the necessary permissions