Wednesday, September 11, 2013

TFS 2012 authenticates trusted domain users, but not groups

I am configuring my first Team Foundation Server (TFS) 2012 in a domain we can call TFSdomain, which has a one-way trust to another domain that most users will access TFS from; let's call it UserDomain. I tried to add UserDomain\Domain Admins to the Team Foundation Administrators group to let one of the group's users, UserDomain\Administrator, have access to the TFS Web Administration. It did not allow access.

UserDomain\Domain Admins is also a member of the local BUILTIN\Administrators, which is a member of the Team Foundation Administrators group. This gives access to TFSdomain\Administrator, but not to UserDomain\Administrator.

I then added UserDomain\Administrator directly to the Team Foundation Administrators group and tried again. Now I was allowed access, as expected.

I then noticed the icon of the UserDomain\Administrator entry in the Team Foundation Administrators group. It shows the icon for a single user, not for a group. It is also not possible to see group members from the TFS Administration Console.

Have I discovered a bug in TFS 2012, or is there some other reason for this behavior?

1 comment:

Randy in Marin said...

I think this is a case where this is a feature of a 1-way trust and not a bug in TFS. Authentication is not by groups. TFS queries AD for group membership. It does this when changing TFS security. It also does this at intervals to keep in sync with AD. Because of the 1-way trust, it can't query the AD of the other domain.

You will need to use the TFS domain to host the groups. The users can be in either domain.
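The comment's explanation can be checked directly on the TFS application tier. The following PowerShell is an added example, not code from the post or from its commenter: it performs the kind of LDAP group-membership lookup the comment says TFS does, once against TFSdomain and once against UserDomain, resolves the trusted-domain user's SID the way the logon path does, and then applies the suggested workaround by putting the UserDomain user into a group hosted in TFSdomain. It assumes it is run on the TFS server under the TFS service account, uses the post's placeholder domain names, and the group distinguished name is a placeholder you must replace.

```powershell
# Added diagnostic for the one-way-trust behaviour described above (not from the post).
# Run on the TFS application tier as the TFS service account.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-GroupMembershipLookup {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $GroupName
    )
    try {
        # Binding to a DC of $Domain uses the caller's own credentials. When TFSdomain
        # trusts UserDomain but not the reverse, a TFSdomain account is not accepted by
        # UserDomain's DCs, so the UserDomain lookup is expected to fail here.
        $ctxType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
        $ctx = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext `
            -ArgumentList $ctxType, $Domain
        $group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($ctx, $GroupName)
        if ($null -eq $group) {
            return [pscustomobject]@{ Domain = $Domain; Group = $GroupName; Resolved = $false; Members = @(); Error = 'group not found' }
        }
        # $false = direct members only; this is the read that a membership sync needs
        $members = @($group.GetMembers($false) | ForEach-Object { $_.SamAccountName })
        return [pscustomobject]@{ Domain = $Domain; Group = $GroupName; Resolved = $true; Members = $members; Error = $null }
    } catch {
        return [pscustomobject]@{ Domain = $Domain; Group = $GroupName; Resolved = $false; Members = @(); Error = $_.Exception.Message }
    }
}

# Resolving a single trusted-domain user to a SID goes through the trust relationship
# (the TFSdomain DC does the lookup), which is why authenticating the user still works.
function Resolve-TrustedUserSid {
    param([string] $Domain, [string] $User)
    $account = New-Object System.Security.Principal.NTAccount($Domain, $User)
    return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Workaround from the comment: host the group in TFSdomain and add the UserDomain user
# to it by SID. ADSI's <SID=...> binding creates a foreign security principal in
# TFSdomain, so no read access to UserDomain's AD is required.
function Add-TrustedUserToLocalGroup {
    param([string] $GroupDn, [string] $UserDomain, [string] $User)
    $sid = Resolve-TrustedUserSid -Domain $UserDomain -User $User
    $group = [ADSI]"LDAP://$GroupDn"
    $group.Add("LDAP://<SID=$sid>")
}

# Expected pattern under a one-way trust: the first lookup resolves, the second reports an error.
Test-GroupMembershipLookup -Domain 'TFSdomain'  -GroupName 'Domain Admins' | Format-List
Test-GroupMembershipLookup -Domain 'UserDomain' -GroupName 'Domain Admins' | Format-List
Resolve-TrustedUserSid -Domain 'UserDomain' -User 'Administrator'

# Placeholder DN: replace with the real group you create in TFSdomain.
# Add-TrustedUserToLocalGroup -GroupDn 'CN=TFS Administrators,OU=Groups,DC=TFSdomain,DC=local' -UserDomain 'UserDomain' -User 'Administrator'
```

The group you create in TFSdomain should be a domain local group, since that is the group scope that can hold members from a trusted domain; TFS can then read its membership from its own domain on every sync, and the group icon and member list will appear as expected in the Administration Console.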