TFS Beta 3 Access from NT Domain
I cannot add users from a trusted NT domain to the TFS groups, and so cannot connect to TFS from a client machine logged in under an NT domain account (except by entering the TFS setup account id and password). Is this by design? If I missed this issue in the documentation or an earlier thread, please point me to it.
Here is our environment: TFS was set up in single-server mode on an AD machine. The account used to set it up is an AD account. The services account is also an AD account.
If we're not able to access TFS using the NT domain accounts when TFS is in an AD environment, what is the best configuration to use so we can evaluate TFS -- install TFS on an NT domain server? Install it on a standalone server?
We would really like to use NT domain accounts for access, if possible, since we're just beginning our transition to AD.
Thanks,
Mike
Mike,
The installation guide describes how you add more users to the system so that they too can access Team Foundation Server. TFS has its own access control system which authorizes authenticated users to use various TFS resources based on the permissions granted to that user.
By default the account used to run setup is added to the Team Foundation Server administrators (along with local admins). After installation these are the only users who can access the system and connect to the server. The setup account should be used initially to add "real" admin users to the TFS Admin group. From there you'd create a team project and assign users to groups for that project. A project created using the MSF Agile process template creates three roles: the Project Admin, Contributor and Reader. Please consult the Admin documentation that ships with TFS.
Also there are a number of other threads in this forum that discuss the different user roles, groups and permissions, and setting group membership across Team Foundation, SharePoint and Report Server.
Please let me know if you need further assistance or whether there are other underlying issues.
Thanks, Dan, for your response. I believe we are following precisely the instructions for adding users for access to TFS. Indeed, we can add users from the AD domain to which the TFS server belongs. What we cannot do is add users from the trusted NT domain. The network admins even created an AD group containing NT domain users. We've added that group to the TFS administrators group, but the NT domain users are not recognized as TFS users (we receive a login box when connecting to the TFS server, and entering an NT domain id and password simply causes the login box to pop back up).
If we try to add an NT domain user through Team Explorer we get the message "Couldn't add user/group '<nt domain id>'. It may be in an incorrect domain."
If we try to add an NT domain user with TFSSecurity we get the message "FATAL ERROR: identity cannot be resolved."
In either case the Event Log on the TFS server box shows an error from TFS Services with an ActiveDirectoryObjectNotFoundException at System.DirectoryServices.ActiveDirectory.GetDomain.
The account running the TFS services (TFSSERVICE1) is an AD account, but is not a domain or local administrator.
So, is running TFS in an AD domain but accessing it with accounts from a trusted NT domain a supported scenario and we have some kind of configuration issue, or do you expect that this environment will not work?
Thanks,
Mike
Here are the answers from the network people:
1. 2003 Native
2. The accounts I'm trying to add are in an NT4 domain. The accounts used to set up and run TFS (TFSSetup1, TFSService1, TFSReports1) are 2003 Native.
3. Two-way trust
4. Nothing special. I don't think the "Primary Group" issue comes into play here.
Thanks,
Mike