401.1 Permission error with on-premises TFS when accessing the API with a PAT
Background
If you are creating VSTS build extensions you will need to get the build or release’s PAT token if you wish to call the VSTS REST API.
This is done using a call like this (Node)
1import tl = require('vsts-task-lib/task');
2
3var auth = tl.getEndpointAuthorization('SYSTEMVSSCONNECTION', false);
4
5if (auth.scheme === 'OAuth') {
6
7var token = auth.parameters\['AccessToken'\];
or (PowerShell)
1$vssEndPoint = Get-ServiceEndPoint -Name "SystemVssConnection" -Context $distributedTaskContext
2
3$personalAccessToken = $vssEndpoint.Authorization.Parameters.AccessToken
You pop the resultant PAT into the headers of your REST web request and you are away and running.
The Problem
I hit a problem using this logic on VSTS Extension when they are run on TFS. On VSTS all was fine, but on TFS I got an unexpected 401.1 permission error on the first REST call i.e. I could not access the VSTS REST API
I tried setting fiddling with rights of my build user account, it was not that. Also I tried setting the ‘Allow scripts to access OAuth token’ property for the build/release agent
But this does not help either. This option just makes the PAT available as an environment variable, so you don’t need to use the code shown above.
And anyway – it was all worked on VSTS so it could not have been that!
Solution
The answer was I had basic authentication enabled on my Test TFS VM, as soon as this is disabled (the default) everything leapt into life.