Adding users to TFS from the extranet

It came to our attention today that colleagues located in our offices in Chennai are unable to add people to the security groups in TFS. The problem is that the people working in India are on a different domain than the people in Belgium. TFS currently requires all its components to reside in the same domain. As you can see in the picture below, TFS, the build servers and the proxies are all configured in the same domain. Unlike TFS and the build servers, the proxy servers are physically located in Chennai. The obvious reason for this is that you want the proxy server on the remote side of the leased line to keep traffic low.

[Image: 082007-1945-addingusers1.png]

So while the TFS infrastructure resides on the DOM001 domain, people in India are logged on to the DOM002 domain. We do have Domain Trust enabled between the two and they are able to connect to both TFS and Build Servers from the remote location. They do have to specify DOM001 domain user credentials each time they log on to the TFS Server but that’s just because they use different user names & passwords on the DOM002 domain. If these were the same, Windows would just pass user credentials without passing in the domain and they wouldn’t even have to do that. No problem so far.

So if everything works fine this way, why can’t they just add users to e.g. a Contributor security group in TFS?

The problem is that Team Explorer is trying to validate the users they specify against the domain in Chennai in which, of course, they do not exist. For one reason or another they cannot specify that it has to validate against the DOM001 domain. We didn’t investigate any further because by the end of this year the Chennai domain will cease to exist and we will all be happy campers residing in DOM001. In the meantime we will fall back to plan B and have somebody in Belgium add the users for the teams in India.

Too bad we can’t outsource this ;)….

Update

Check out the comment from Stefan Venken; it turns out we can outsource this after all 🙂

Using the TFSSecurity.exe tool found in the tools directory of the Team Foundation Server installation, one can add users from the command line. Stefan found out about this over here.
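
The fallback from this update, scripted for a list of accounts. This is an added example, not code from the original post or from Microsoft. It uses only the tfssecurity switches quoted in the comment below; the server name, project group, account names, the account-name pattern and the exit-code check are assumptions.

```powershell
# Added example: batch-add DOM001 accounts to a TFS group with tfssecurity.
# Server name, group and account names are constructed placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Server  = 'servername',
    [string]$Group   = '[Project Name]\Contributors',
    [string]$Domain  = 'DOM001',
    # Constructed sample input: account names requested by the remote team.
    [string[]]$Users = @('jdoe', 'asmith', 'bad name;x')
)

# Assumption: tfssecurity.exe is on PATH (it ships in the TFS Tools directory).
$tool = 'tfssecurity.exe'

foreach ($user in $Users) {
    # Assumed naming convention: accept only plain account names so that
    # nothing else reaches the command line.
    if ($user -notmatch '^[A-Za-z0-9._-]{1,20}$') {
        Write-Warning "Skipping '$user': not a plain account name"
        continue
    }

    # Spell out the domain explicitly, as in the n:Domain\username form
    # from the comment.
    $identity = "n:$Domain\$user"

    # -WhatIf lists the planned changes without touching TFS.
    if ($PSCmdlet.ShouldProcess($Group, "add $identity")) {
        & $tool "/server:$Server" '/g+' $Group $identity
        # Assumption: the tool returns a non-zero exit code on failure.
        if ($LASTEXITCODE -ne 0) {
            Write-Error "tfssecurity failed for $identity (exit $LASTEXITCODE)"
        } else {
            # Keep a record of who granted what, and when.
            Write-Output ("{0:u} {1} added {2} to {3}" -f (Get-Date), $env:USERNAME, $identity, $Group)
        }
    }
}
```

Run it with -WhatIf first to review the list of group changes before applying them.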

1 comment so far

  1. stefan on

    Thanks for the explanation Peter.

    I’ll try the following tomorrow to make sure we have a fallback scenario until December…

    Question: How do I add a user to a TFS Group from the command line?

    Answer: Use the tfssecurity.exe command line tool

    Eg:
    add a domain user to the Project Administrators Group:
    tfssecurity /server:servername /g+ "[Project Name]\Project Administrators" n:Domain\username

    add a domain user to the Server level “Team Foundation Administrators” Group:
    tfssecurity /server:servername /g+ "[server]\Team Foundation Administrators" n:Domain\username

    remove a domain user from the Server level “Team Foundation Administrators” Group:
    tfssecurity /server:servername /g- "[server]\Team Foundation Administrators" n:Domain\username

    as found on
    http://dotnet.org.za/ahmeds/archive/2007/08/08/tfs-q-amp-a-changing-service-accounts-and-adding-users-from-the-command-line.aspx

    Cause if it truly is the team explorer this should work, I hope…

