Can't add trusted domain users (tons of details)...

It would seem that TFS is not playing nicely with trusted domains, but judging by the other posts related to domain users in this forum maybe it's less specific than this. My setup is this:

* Separate DC which houses "DEV" domain
* DEV domain has one way trust with in house domain (let's call it MAIN)
* Added MAIN\Development to DEV\Domain Admins (so that our Development group can manage this server while testing)
* TFS single server install on separate virtual machine instance called "DEVTFS" and is part of the DEV domain
* I've verified the trust is working because I log in and can administer/use the TFS machine with an account from the trusted domain

Now the problem is, even though LOCAL\Admins are part of the TFS Namespace Administrator group, MAIN\Development still can't access/administer TFS.

The bigger problem is that, even when I'm logged on as TFSSETUP, when I attempt to add a single user myself from the MAIN domain using TFC I get the following complaint in the UI:

"Can't add user/group 'Doe, John'. It may be an incorrect domain"

I've also tried to add the user via the command line using (again, running under TFSSETUP account):

gssutil.exe /g+ adm: n:MAIN\JDoe

and I get:

FATAL ERROR: There was a problem on the server of unknown cause. See the TFS Server log file for details. Time: 2005-05-24T22:41:09:247

When I check the log I see:

System.Security.Authentication.AuthenticationException: Logon failure: unknown user name or bad password.
---> System.DirectoryServices.DirectoryServicesCOMException (0x8007052E): Logon failure: unknown user name or bad password.
at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName)
--- End of inner exception stack trace ---
at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName)
at System.DirectoryServices.ActiveDirectory.Domain.GetDomain(DirectoryContext context)
at Microsoft.VisualStudio.Bis.Server.Security.IdentityStoreAccessor.ReadIdentityFromStore(String sid)
at Microsoft.VisualStudio.Bis.Server.Security.IdentityCacheAccessor.AddUpdateIdentityToCache(String sid, Boolean forceChildrenUpdate)

What do you think the problem could be? Could the TFSSERVICE running the web services not be allowed to perform the active directory calls it's trying to make against the trusted domain because it's a one way trust?

TIA,
Drew

[3037 byte] By [DrewMarsh] at [2008-2-13]
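The script below is an added diagnostic, not code from the thread or from the TFS product. Run on the TFS server (DEVTFS) under the account that hosts the web services (for example via `runas /user:DEV\TFSSERVICE powershell.exe`), it lists the trust direction from the DEV domain's point of view and then repeats the two cross-domain operations the stack trace above shows failing: a name-to-SID-to-name round trip for a MAIN account, and a `Domain.GetDomain` bind against MAIN with the caller's own credentials. The domain names DEV and MAIN and the account MAIN\JDoe come from the post; the script, its parameter names and the reading of the trust direction are assumptions. If step 3 fails only when run as the service account, the server-side error is a credentials/trust-direction problem rather than a TFS permission problem.

```powershell
# Added diagnostic (not from the thread). Uses only .NET 2.0 classes that
# exist on any domain-joined Windows machine. Domain and account names
# below are the ones used in the post; everything else is an assumption.
param(
    [string]$TrustedDomain = 'MAIN',        # the domain whose users cannot be added
    [string]$TestAccount   = 'MAIN\JDoe'    # an account in that domain
)

# 1. Trusts as seen from the domain this computer is joined to (DEV).
#    Outbound  = DEV trusts MAIN (MAIN accounts can be granted access on DEV resources).
#    Inbound   = MAIN trusts DEV (DEV accounts, such as a service account, can be
#                authenticated by MAIN's domain controllers).
#    Bidirectional = both. A DEV service account reading MAIN's directory needs
#    MAIN to accept it, i.e. an Inbound or Bidirectional trust from DEV's view.
$localDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
Write-Output "Computer domain: $($localDomain.Name)"
foreach ($trust in $localDomain.GetAllTrustRelationships()) {
    Write-Output ("  {0} -> {1}: {2} ({3})" -f `
        $trust.SourceName, $trust.TargetName, $trust.TrustDirection, $trust.TrustType)
}

# 2. Name -> SID -> name round trip as the *current* identity. Run the script as
#    the TFS service account to reproduce what the web service does.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Output "Running as: $me"
try {
    $account = New-Object System.Security.Principal.NTAccount($TestAccount)
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])
    Write-Output "  $TestAccount -> $($sid.Value)"
    $back    = $sid.Translate([System.Security.Principal.NTAccount])
    Write-Output "  $($sid.Value) -> $($back.Value)"
} catch {
    Write-Warning "Lookup of $TestAccount failed: $($_.Exception.Message)"
}

# 3. Direct bind to the trusted domain, the call the stack trace shows failing
#    (Domain.GetDomain -> PropertyManager.GetPropertyValue). No explicit
#    credentials are passed, so the caller's own identity is used.
try {
    $context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $TrustedDomain)
    $remote  = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($context)
    Write-Output "  Bound to $($remote.Name) via $($remote.PdcRoleOwner.Name)"
} catch {
    # "Logon failure: unknown user name or bad password" here, while the same
    # call succeeds as an interactive MAIN user, points at the trust direction.
    Write-Warning "Domain.GetDomain($TrustedDomain) failed: $($_.Exception.Message)"
}
```

Compare the output of steps 2 and 3 between an interactive session as a MAIN user and a session as the DEV service account; the difference isolates whether the failure is tied to the identity making the directory call.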
# 1
I think you finally found the base issue with this.

Internally we are trying to determine what configurations of AD are out there. There are so many ways that AD can be configured and we are working on determining those.

I believe it is because there is a one way trust. We have two way trusts inside our domains and they work fine.

I will confirm with our developers, but I believe that you will need a two-way trust. I will also ask about one-way trusts as well.

Thanks

Bruce

BruceTaimanaMSFT at 2007-9-8
# 2
No options for getting around this? Kinda makes it impossible for us to even work with/evaluate the product. We can only set it up in this type of trusted domain scenario right now, so "put it on the same domain" is not a viable workaround.
DrewMarsh at 2007-9-8
