TFS AD Group Not Authenticating - tfs

I have a new TFS 2013 install (Basic Mode).
I added an AD Group (MyDomain\TFSAdmins) to the [DefaultCollection]\Project Collection Administrators TFS group. But users in this group can't authenticate to the TFS web portal (http://myTFSserver:8080/tfs). Only the Administration Console User can authenticate... What am I doing wrong?
Am I missing something at the Application Tier level?

What you did are entirely correct.You didn't missing anything at the Application Tier level.
You could try to do some trobuleshooting as below:
1.Clean IE cache,clean TFS cilent machine chache.
2.Try to use these uers to collect TFS by VS, see if you can successfully connect it.
3.Add a AD user instead of a AD group

you can just use the "iisreset" to solve the problem. I was try to find a lot of anwsers for this problem and after thought a little more I remembered that TFS uses IIS to publish the Site. So I just use the iisreset and the users appear in the group inside TFS.

Related

TFS Administration Console Adding and Removing Users

I am working with team foundation server and I added a user in the server from Administration Console and the user has access to the server. But the problem is even when I remove that user from Administration Console user still able to login to the server. Can anyone help me here? Thank you in advance.
To remove users completely from TFS server. You should remove the user from all the security groups.
UsE the command below to get this account has been added to which groups. Then check all those groups and try to remove that account from those groups.
TFS security imx:
tfssecurity /imx [domain\account] /server:[server url]
Besides, changes you make to local or Active Directory groups do not get reflected in TFS immediately. Instead, TFS will synchronize those groups regularly.
A periodic clean-up job that is executed removes people from the global groups. If you just wait, they will disappear in a couple of days. They will not have access to any of the TFS assets however.
You could look in http://tfs.mydomain.com:8080/tfs/_oi to see the sync job.
If you cannot wait for the scheduled job, you can try to do the force sync: http://msmvps.com/blogs/vstsblog/archive/2011/02/17/force-tfs-to-sync-with-active-directory.aspx

Change credentials per server?

I've installed opshub on my pc that is on domain ABC. I have succesfully migrated projects from a TFS server on domain ABC to visual studio online. Now I've added a TFS server that is in domain DEF and it doesn't ask me for credentials for that server. I just get a blank collection list, I think its trying to use my current credentials from domain ABC. How can I get it to ask me for the credentials to domain DEF when trying to access that server?
User level authentication details are stored inside Team Foundation cache directory under following locations. If you have already authenticated for the TFS server then details for that server is stored inside cache directory. This won't ask you credentials again while you are doing next migration.
If you want to authenticate with the new credentials for different domain you need to clear data from the following directories.
C:\Users{User}\AppData\Local\Microsoft\Team Foundation\4.0\Cache
C:\Users{User}\AppData\Local\Microsoft\Team Foundation\5.0\Cache
Make sure original folders remains there (Cache). Just remove contents of those directories. Also make sure you close all the applications which uses TFS cache like visual studio, opshub migration utility.
See http://blogs.msdn.com/b/visualstudioalm/archive/2012/08/29/clearing-the-credentials-for-connecting-to-a-team-foundation-server.aspx for correct answer. It worked for me.

TFS Integration Platform Migration Issue access denied

Here is the scenario:
I have 2 TFS servers, TFS-A is in local and TFS-B is abroad.
Check into TFS-B is very slowly, so my idea is to check into TFS-A first,
and check all changes into TFS-B from TFS-A in once time at night.
But the TFS-A and TFS-B have different user accounts, when I synchronize them, error happens.
The error told me access denied.
So if it is possible to sync two TFS with different accounts.
How to do it?
Thanks in advance.
You need to supply a user mapping in your TFS integration platform configuration. A similar post shows how to do this in detail: TFS Integration Platform: How to map users with the SVN adapter?
Hope that helps you further.

Can I use teamfoundation server from another domain?

I have a prod domain and a test domain, unfortunately in the only part I can install TFS ins a virtual machine in the test domain.
The question is, as developers, can we still access the tfs for source control? As far as I know it will use the windows credentials when connecting and those credentials wont exist in the test environment.
What can you suggest?
Yes, Team Explorer clients will try to authenticate with the default Windows credentials to the TFS server. If you're on different domains (and there's no trust relationship between them) then this authentication will fail and you'll be prompted to enter your username/password for the TFS server.
If you don't wish to be prompted each time, you can set up credentials for the server in the Windows Credential Manager in your Control Panel.

Adding Active Directory users to Team Foundation Server

How can I add AD users to TFS users from a computer that can't connect to AD/domain? Structure is like this:
TFS Server, in AD/domain
My computer, wtih VS.NET, can't join to AD/domain
Only way to ad AD users to TFS users list I could find is in VS.NET->Team->Team Foundation Server Settings->Security->Add users or groups->Windows user or group. Since my computer can't join to AD I can't see the AD in Locations list. Is there a way to do this without installing VS.NET to the server?
You can do this at the command line (Visual Studio Command line is easiest):
tfssecurity /g+ <tfsgroupidentifier> <user or group identifier> /collection:http://server:8080/tfs/collectionname
example:
tfssecurity /g+ "Scrum Project\Readers" "Contoso\CEO" /collection:http://contoso:8080/tfs/Default
WORKAROUND:
Here is a solution for adding users to TFS 2010 when your development machine doesn't have access to the remote domain.
Create the user on the server if you haven't already done so and Add the user to the ProjectTeam group.
Then on your local machine that isn't tied to the domain, simply create a user with the same username.
Right-Click on your project in Team Explorer and choose "Team Project Settings" --> "Group Membership..."
Click on the group you want to add the user to, and press the "Properties" button.
Select "Windows User or Group" and click "Add"...then just type in the username (you shouldn't need to specify the domain) - even if it initially identifies your current computer/domain...it should automatically change it to the remote domain.
Then you can delete that username from your local computer.
I spent about 4 hours trying to add a user for a remote domain before getting this to work.
Microsoft really should have thought about this scenario for remote developers, TFS running on remotely hosted servers and so on.
I hope that helps.
If you do decide you are ok with doing this from the TFS server, you don't need to install the whole Visual Studio 2008 client. Instead, just install the team explorer client. It will install the Visual Studio shell, along with the TFS tools, but no development language pieces.
I have this very same problem. The only way I have found to solve this is to have a computer that I can RDP to within the domain and add the user from there.
Its not pretty, but it works....
p.s. As long as you have permission on the domain, you could write a tool to do this.

Resources