TFS access across AD trust

  • Question

  • In the following article it is outlined that a one-way trust is enough to grant user access from the low-trust domain to the high-trust domain:

    http://msdn.microsoft.com/en-us/library/ms253081(VS.80).aspx

    However, in one of the similar issues it has been commented that the TFS admin user needs to have access to both domains:

    http://social.msdn.microsoft.com/forums/en-US/tfsadmin/thread/b93bbbdc-99c5-490b-ab9e-b93f878348df/

    What I am trying to understand is why only TFS needs this additional access. For example, I have TFS installed on the less trusted domain and when I try to give permission to a user who is part of the more trusted domain, I get an error (indicating it cannot find the user, listing the user's DN). If I add the same user to a local group on the TFS server (OS-level group), or even add the same user to the SharePoint server on the same machine where TFS is, it works fine.


    Hence the question is why TFS needs this extra level of access and whether there is a workaround (without being able to give the TFS admin account access on the less trusted domain).
    Tuesday, March 17, 2009 9:10 PM

Answers

  • Hi Sun,

    If I understand your problem correctly, I think the solution is to make it so that the TFSService account is trusted in the more secure domain. The Application-Tier can remain in the less trusted account, but the Service account must have access to accounts in the more trusted domain.

    Does this make sense?

    --Aaron
    Wednesday, May 6, 2009 6:33 PM
    Moderator

All replies

  • This is a 2-part problem.

    The first part was explained in the second link you posted. Here is the relevant quote:

    "You are correct that when I said the service account, I was talking about TFSSERVICE. The rights that TFSSERVICE needs are to query users in the domain. In order to be able to add a user to TFS, the server needs to retrieve some information about the user, such as its SID, Display Name, and mail address, among other things."

    So the TFSService account needs to be trusted in all domains that will provide user information to TFS.

    The second part is that the person needing to enter users into TFS must also be trusted in both domains. If they are not trusted, then their local client GUI (Team Explorer) can't search or resolve users in the other domain.

    - Steve


    Development Process Consultant - Notion Solutions - http://sstjean.blogspot.com
    Tuesday, April 28, 2009 2:14 AM
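    The two lookups Steve describes (the service account reading SID, display name and mail from the other domain, and the local machine translating that SID back to an account) can be checked directly. The following PowerShell diagnostic is an added example and is not code from the thread or from TFS; the domain name and user name are placeholders. Run it on the application tier under the account you want to test (for example the TFS service account) and it performs the same read-only directory query TFS needs, so a "user not found" result here reproduces the error from the question without involving TFS at all.

```powershell
# Added diagnostic, not from the thread. Placeholders: replace the domain and user.
param(
    [string]$TrustedDomainDns = 'trusted.example.com',  # assumed DNS name of the more trusted domain
    [string]$SamAccountName   = 'jdoe'                   # assumed sAMAccountName of a user in that domain
)

Add-Type -AssemblyName System.DirectoryServices

# Safe accessor: DirectorySearcher results omit attributes that are empty,
# so index only when the attribute is present and has a value.
function Get-Prop($props, [string]$name) {
    if ($props.Contains($name) -and $props[$name].Count -gt 0) { return $props[$name][0] }
    return $null
}

# Part 1: the query the service account must be allowed to run against the other domain.
# The bind uses the caller's own credentials, exactly as TFS does for TFSService.
function Resolve-TrustedUser {
    param([string]$DomainDns, [string]$Sam)

    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainDns")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$Sam))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName','objectSid','displayName','mail'))

    $result = $searcher.FindOne()
    if ($null -eq $result) {
        # Same situation as the error in the question: the caller either has no read
        # access in that domain or the trust is not usable from this host.
        return [pscustomobject]@{ Resolved = $false; Sam = $Sam; Domain = $DomainDns }
    }

    $sidBytes = [byte[]](Get-Prop $result.Properties 'objectsid')
    $sid      = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

    [pscustomobject]@{
        Resolved    = $true
        Sam         = $Sam
        Domain      = $DomainDns
        DN          = [string](Get-Prop $result.Properties 'distinguishedname')
        Sid         = $sid.Value
        DisplayName = [string](Get-Prop $result.Properties 'displayname')
        Mail        = [string](Get-Prop $result.Properties 'mail')
    }
}

# Part 2: SID-to-account translation by the local security subsystem. This is the path
# the OS uses when you add the user to a local group, which is why that step succeeds
# even when the directory query above fails.
function Test-SidTranslation {
    param([string]$SidValue)
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($SidValue)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $null   # translation refused: the local LSA cannot reach the trusted domain for this SID
    }
}

$user = Resolve-TrustedUser -DomainDns $TrustedDomainDns -Sam $SamAccountName
$user | Format-List
if ($user.Resolved) {
    "SID translates to: " + (Test-SidTranslation -SidValue $user.Sid)
} else {
    "Directory query failed for $SamAccountName in $TrustedDomainDns; check the trust direction and the read rights of the current account."
}
```

    Only read access to user objects is exercised, so the service account needs nothing beyond the default authenticated-user read permissions in the trusted domain; if the first check fails while the second succeeds, the gap is in directory read access over the trust rather than in the trust itself.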
  • Hi Sun,

    Do you still have this problem?
    --Aaron
    Wednesday, May 6, 2009 5:23 PM
    Moderator
  • Yes, I do. In fact it appears more of a design issue than a problem. Also, the data in link 1 and link 2 in my post contradict each other. Article 1 says a one-way trust is enough; however, article 2 says the TFS user needs to have rights on both domains.
    Wednesday, May 6, 2009 5:29 PM
  • Yes, I would agree that that may be a feasible solution. I will check that some time (I would need to install a new instance) and would let you know if I get stuck on that one somehow.

    Thank you Aaron and Steve for your help.
    Thursday, May 7, 2009 8:53 PM
  • Hi Sun,

    Since you haven't responded in some time I've closed this thread by marking what I believe is the answer. If you are still experiencing this problem and can provide additional information, then feel free to reactivate this thread by unmarking the question.

    --Aaron
    Thursday, May 21, 2009 9:48 PM
    Moderator