At a customer, I migrated TFS 2012 to the new TFS 2017. Due to company restrictions, this had to be on 2008 R2 Server.
The migration was just fine and everything seemed to be OK. But after a while the TFS icons began to disappear from the web portal.
And when debugging the portal I noticed the following errors.
After some digging around in the IIS log I found this line:
2017-03-06 07:52:54 220.127.116.11 GET /favicon.ico - 80 XXX\XXXSEGAA 18.104.22.168 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/56.0.2924.87+Safari/537.36 500 0 1346 171
The status codes near the end of the line, 500 0 1346, are the savior. After running the last one through the “net” command, the actual error revealed itself.
net helpmsg 1346 => Either a required impersonation level was not provided, or the provided impersonation level is invalid.
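The same triage can be scripted over a whole log file. The following is an added example, not part of the original post: it reads the #Fields header of a W3C-format IIS log, picks out sc-status and sc-win32-status, and counts the Win32 codes behind 5xx responses. The sample log lines, addresses and account names are constructed, and the log is assumed to include the sc-status and sc-win32-status fields.

```python
import ctypes
from collections import Counter

# Constructed sample in IIS W3C format; addresses and account names are placeholders.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2017-03-06 07:52:54 10.0.0.5 GET /favicon.ico - 80 CONTOSO\\alice 10.0.0.23 Mozilla/5.0+(Windows+NT+6.1) 500 0 1346 171
2017-03-06 07:52:55 10.0.0.5 GET /tfs/_static/icons.png - 80 CONTOSO\\alice 10.0.0.23 Mozilla/5.0+(Windows+NT+6.1) 500 0 1346 15
2017-03-06 07:52:56 10.0.0.5 GET /tfs/ - 80 CONTOSO\\bob 10.0.0.24 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 93
2017-03-06 07:52:57 10.0.0.5 GET /tfs/ - 80 - 10.0.0.25 Mozilla/5.0+(Windows+NT+6.1) 401 2 5 0
"""

# Message for 1346 as quoted on the page from "net helpmsg 1346".
KNOWN = {1346: "Either a required impersonation level was not provided, "
               "or the provided impersonation level is invalid."}

def describe(code):
    """Win32 code -> text: the table above first, then the OS (Windows only)."""
    if code in KNOWN:
        return KNOWN[code]
    fmt = getattr(ctypes, "FormatError", None)  # exists only on Windows
    return fmt(code) if fmt else f"Win32 error {code} (run: net helpmsg {code})"

def parse(lines):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or mismatched rows
                yield dict(zip(fields, values))

def failing_win32(lines, min_status=500):
    """Count (sc-status, sc-win32-status) pairs for server-side failures."""
    hits = Counter()
    for row in parse(lines):
        status, win32 = int(row["sc-status"]), int(row["sc-win32-status"])
        if status >= min_status and win32 != 0:
            hits[(status, win32)] += 1
    return hits

if __name__ == "__main__":
    for (status, win32), n in failing_win32(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n}x HTTP {status}, win32 {win32}: {describe(win32)}")
```

A single Win32 code repeated across many 500 responses, as in the sample, points at one account or policy problem rather than at individual broken files.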
Now I knew that it's account-based instead of something wrong with the installation. Well, TFS has a few accounts to look into, but because it's web-related I suspected that it would be the application pool user.
Google is your friend 🙂 and I found out that there is a group policy for the impersonation level. Run gpedit.msc
There it was: the local administrators group, Local Services, Network Service and Service did have access, but my application pool account wasn’t in any of them. After the security ticket was executed to add the application pool user to this policy, everything worked fine.