TeamCity artifact dependency fails (401 Unauthorized on agent)


I'm trying to get an artifact dependency working, but the artifact fails to get pushed to the agent (which is on another machine). The server (v8.1.1) is sitting behind an IIS reverse proxy.

Build log:

[20:00:52]Skip checking for changes - changes are already collected
[20:00:53]Publishing internal artifacts (23s)
[20:00:53][Publishing internal artifacts] Sending using WebPublisher
[20:00:54][Publishing internal artifacts] Sending using ArtifactsCachePublisher
[20:00:53]Clearing temporary directory: Z:\BuildAgent\temp\buildTmp
[20:00:53]Checkout directory: Z:\BuildAgent\work\e4249c2d6a4e9e8d
[20:00:53]Resolving artifact dependencies (45s)
[20:00:53][Resolving artifact dependencies] Destination directory [Z:\BuildAgent\work\e4249c2d6a4e9e8d] cleaned
[20:01:38][Resolving artifact dependencies] Failed to resolve artifact dependency <MyProject :: Release Build, build #1.3.500.644 [id 735]>: Failure while downloading artifact list from server:  [ - Failed to download [https://myserver/httpAuth/repository/download/bt3/735.tcbuildid/teamcity-ivy.xml]: Illegal status [401] while downloading https://myserver/httpAuth/repository/download/bt3/735.tcbuildid/teamcity-ivy.xml: Unauthorized] (jetbrains.buildServer.artifacts.ResolvingFailedException)
[20:01:38]Build failed to start. Artifacts will not be published for this build
[20:02:02]Build finished

The agent log also contains "WARN - jetbrains.buildServer.AGENT - "Authorization" header is not specifiedTo login manually go to "/login.html" page"

If I use the "Check artifact dependencies" button on the Dependencies settings page, everything is OK.

Can somebody tell me what I'm doing wrong here?

Comment actions Permalink

Agent is given special credentials before starting build to be able to download required artifacts dependencies from server.

In your case these credentials don't reach the server. Probably, it's something with your reverse proxy. I would recommend you to dump all request headers from agents to IIS and to teamcity correspondingly to see where authorization header goes.

Comment actions Permalink

I somehow missed that the agent downloads artifacts from the server, I thought they got pushed to the agent.
After checking the request headers, I found out that the following headers were sent:

WWW-Authenticate: Basic realm="TeamCity"
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

...which means we have Windows Authentication enabled for the reverse proxy site in IIS.
I think the TeamCity agent tried to authenticate via NTLM, which of course never worked as the temporary credentials from the server aren't valid in AD.
After removing WinAuth it worked fine :-)


Please sign in to leave a comment.