Adding Active Directory users to Team Foundation Server - tfs

How can I add AD users to TFS users from a computer that can't connect to AD/domain? Structure is like this:
TFS Server, in AD/domain
My computer, with VS.NET, can't join to AD/domain
The only way to add AD users to the TFS users list that I could find is in VS.NET->Team->Team Foundation Server Settings->Security->Add users or groups->Windows user or group. Since my computer can't join to AD I can't see the AD in Locations list. Is there a way to do this without installing VS.NET to the server?

You can do this at the command line (Visual Studio Command line is easiest):
tfssecurity /g+ <tfsgroupidentifier> <user or group identifier> /collection:http://server:8080/tfs/collectionname
example:
tfssecurity /g+ "Scrum Project\Readers" "Contoso\CEO" /collection:http://contoso:8080/tfs/Default

WORKAROUND:
Here is a solution for adding users to TFS 2010 when your development machine doesn't have access to the remote domain.
Create the user on the server if you haven't already done so and Add the user to the ProjectTeam group.
Then on your local machine that isn't tied to the domain, simply create a user with the same username.
Right-Click on your project in Team Explorer and choose "Team Project Settings" --> "Group Membership..."
Click on the group you want to add the user to, and press the "Properties" button.
Select "Windows User or Group" and click "Add"...then just type in the username (you shouldn't need to specify the domain) - even if it initially identifies your current computer/domain...it should automatically change it to the remote domain.
Then you can delete that username from your local computer.
I spent about 4 hours trying to add a user for a remote domain before getting this to work.
Microsoft really should have thought about this scenario for remote developers, TFS running on remotely hosted servers and so on.
I hope that helps.

If you do decide you are ok with doing this from the TFS server, you don't need to install the whole Visual Studio 2008 client. Instead, just install the team explorer client. It will install the Visual Studio shell, along with the TFS tools, but no development language pieces.

I have this very same problem. The only way I have found to solve this is to have a computer that I can RDP to within the domain and add the user from there.
It's not pretty, but it works....
p.s. As long as you have permission on the domain, you could write a tool to do this.

Related

TFS AD Group Not Authenticating

I have a new TFS 2013 install (Basic Mode).
I added an AD Group (MyDomain\TFSAdmins) to the [DefaultCollection]\Project Collection Administrators TFS group. But users in this group can't authenticate to the TFS web portal (http://myTFSserver:8080/tfs). Only the Administration Console User can authenticate... What am I doing wrong?
Am I missing something at the Application Tier level?
What you did is entirely correct. You didn't miss anything at the Application Tier level.
You could try to do some troubleshooting as below:
1. Clean IE cache, clean TFS client machine cache.
2. Try to use these users to connect to TFS via VS, and see if you can successfully connect.
3. Add an AD user instead of an AD group.
You can just use "iisreset" to solve the problem. I was trying to find a lot of answers for this problem and after thinking a little more I remembered that TFS uses IIS to publish the site. So I just used iisreset and the users appeared in the group inside TFS.

Can TFS work with a local user account?

I'm trying to use the Jenkins TFS Plugin and have trouble authenticating. I saw that user on the TFS administration, and gave it permissions on my project.
I've created a local user account (via Local Users and Groups) - TfsServer\TfsUserAdmin, and I'm trying to use it to authenticate against the TFS server.
I am able to use the name and password of the user. For example this works (though it prints an empty list):
tf workspaces -format:brief -server:http://TfsServer:8080/tfs/Redacted_Collection -login:TfsServer\TfsUserAdmin,RedactedPassword
If I change the password on the above command I get an error, so authentication does work.
The next command is:
tf workspace -new "RedactedWorkspaceName;" -noprompt -server:http://TfsServer:8080/tfs/Redacted_Collection -login:TfsServer\TfsUserAdmin,RedactedPassword
This fails with the error:
TF14045: The identity TfsServer\TfsUserAdmin is not a recognized identity.
I don't think I can change these commands, they are created by the plugin.
I've found people with similar errors, but none of them had the user name in the error - only a GUID or the server name.
Can I work with TFS and a local user?
You will likely need to use Shadow Accounts to get your Jenkins server to talk to TFS...
Create a local user on both your TFS server and your Jenkins server with the same Username & Password. Then use that account to authenticate.
This is the only way to get cross domain coms working without trust and is a feature of Windows & AD. If your org has disabled it you will need to look at creating a trust relationship between your domains.

Change credentials per server?

I've installed opshub on my pc that is on domain ABC. I have successfully migrated projects from a TFS server on domain ABC to visual studio online. Now I've added a TFS server that is in domain DEF and it doesn't ask me for credentials for that server. I just get a blank collection list, I think it's trying to use my current credentials from domain ABC. How can I get it to ask me for the credentials to domain DEF when trying to access that server?
User-level authentication details are stored inside the Team Foundation cache directory under the following locations. If you have already authenticated to the TFS server, then the details for that server are stored inside the cache directory. It won't ask you for credentials again when you do the next migration.
If you want to authenticate with new credentials for a different domain, you need to clear the data from the following directories.
C:\Users\{User}\AppData\Local\Microsoft\Team Foundation\4.0\Cache
C:\Users\{User}\AppData\Local\Microsoft\Team Foundation\5.0\Cache
Make sure the original folders (Cache) remain there. Just remove the contents of those directories. Also make sure you close all the applications which use the TFS cache, like Visual Studio and the OpsHub migration utility.
See http://blogs.msdn.com/b/visualstudioalm/archive/2012/08/29/clearing-the-credentials-for-connecting-to-a-team-foundation-server.aspx for correct answer. It worked for me.
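
The cache-clearing steps from the first answer above, as an added PowerShell example that is not part of the original thread. It assumes the two cache paths given there sit under the current user's %LOCALAPPDATA%; the process list is also an assumption ("devenv" is Visual Studio, and the migration utility's process name is not given on the page).

```powershell
# Added example, not from the original answers.
# Clears the contents of the Team Foundation client cache folders while
# keeping the Cache folders themselves, so the next connection to a TFS
# server prompts for credentials instead of reusing the cached identity.

# Applications that use the TFS cache must be closed first.
# 'devenv' is Visual Studio; add your migration tool's process name here
# (assumption: it is not named on the page).
$blockingProcesses = @('devenv')

$running = Get-Process -Name $blockingProcesses -ErrorAction SilentlyContinue
if ($running) {
    $names = ($running | Select-Object -ExpandProperty ProcessName -Unique) -join ', '
    throw "Close these applications before clearing the cache: $names"
}

# The two cache locations from the answer, resolved for the current user
# (%LOCALAPPDATA% is C:\Users\{User}\AppData\Local).
$cacheRoots = @(
    Join-Path $env:LOCALAPPDATA 'Microsoft\Team Foundation\4.0\Cache'
    Join-Path $env:LOCALAPPDATA 'Microsoft\Team Foundation\5.0\Cache'
)

foreach ($root in $cacheRoots) {
    if (-not (Test-Path -LiteralPath $root -PathType Container)) {
        Write-Host "Skipping (not present): $root"
        continue
    }

    # Delete everything below the Cache folder, not the folder itself.
    Get-ChildItem -LiteralPath $root -Force |
        Remove-Item -Recurse -Force -ErrorAction Stop

    Write-Host "Cleared: $root"
}
```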

Can I use teamfoundation server from another domain?

I have a prod domain and a test domain; unfortunately the only part where I can install TFS is a virtual machine in the test domain.
The question is, as developers, can we still access the TFS for source control? As far as I know it will use the Windows credentials when connecting and those credentials won't exist in the test environment.
What can you suggest?
Yes, Team Explorer clients will try to authenticate with the default Windows credentials to the TFS server. If you're on different domains (and there's no trust relationship between them) then this authentication will fail and you'll be prompted to enter your username/password for the TFS server.
If you don't wish to be prompted each time, you can set up credentials for the server in the Windows Credential Manager in your Control Panel.

TFS setup advice

I am currently in the middle of a TFS 2010 multi-server installation and have the following questions:
Should I go with the default installation of having TFS sit on http://server:8080/tfs, as I would probably prefer http://server/ or http://server:8080
I can't seem to find the best practice for which user I should use to remotely connect to the reporting services - should this be a domain user, or a local machine account on the database server?
If I install SharePoint and I want the database stored on another server, am I OK to install SharePoint as a single server or do I need to install "application only" and create a "farm"
that is all :)
• Should I go with the default installation of having TFS sit on http://server:8080/tfs, as I would probably prefer http://server/ or http://server:8080
We have ours hosted externally so we go with a FQDN, but if not you should use the default as Visual Studio also uses this default. By all means set up a FQDN or other URL on port 80 to give people the choice, and to make the web access more accessible.
• I can't seem to find the best practice for which user I should use to remotely connect to the reporting services - should this be a domain user, or a local machine account on the database server?
Network Service is fine and TFS will set everything up during the install. You can create a "domain\TfsReports" if it makes you feel better and I would recommend this if you are going to set up Kerberos or are running in a security-conscious environment.
• If I install SharePoint and I want the database stored on another server, am I OK to install SharePoint as a single server or do I need to install "application only" and create a "farm"
You can put the SharePoint databases anywhere you like during the install. If you are doing what you suggest, remember not to lose them. A better option would be to integrate with your existing SharePoint 2007/2010 corporate deployment.
Integrate SharePoint 2010 with Team Foundation Server 2010
