Geeks With Blogs
Jamie Kurtz Promoting architectural simplicity

A while back I replied to a Rob Caron post regarding the connection of a TFS Proxy to a TFS Server in a different domain. Here's the link: http://blogs.msdn.com/robcaron/archive/2006/02/22/537485.aspx.

So, I am finally getting around to posting the actual Visio diagram for this particular configuration. I can verify that this configuration still works with SP1 of TFS.

A few notes:

  1. This solution uses local machine accounts, taking advantage of pass-through authentication. While using non-domain accounts is not ideal, I can't find any other option.
  2. My diagram points out that the tfs_proxy account must be a local administrator on the TFS Proxy box. But I have not actually tested this requirement.
  3. In our environment, I found that making the tfs_proxy account a Team Foundation Server Administrator was needed in order to avoid managing permissions across all the projects. This might be considered a security hole, as a user with the user name and password of the local tfs_proxy account would have full admin privileges on the TFS server.
  4. All users who are using TFS in the "other" domain (i.e. the domain that does not contain the TFS Server) need to have a domain account in the domain that is hosting the TFS Server. When launching the Team Explorer or any of the TFS command-line tools, they will be prompted to enter this domain account's credentials.
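
Notes 2 and 3 come down to how much privilege the mirrored local account carries on each machine. The script below is an added example, not part of the original post or of TFS: it reports whether the local account exists, is enabled, is in the built-in Administrators group, and how old its password is. It assumes Windows PowerShell 5.1 or later (the Microsoft.PowerShell.LocalAccounts module); the 90-day threshold is an assumed value, and `tfs_proxy` is the account name from the notes above.

```powershell
# Added example: audit the mirrored local service account on one machine.
# Run it on both the TFS Proxy box and the TFS Server and compare the output.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).
param(
    [string]$AccountName = 'tfs_proxy',   # account name used in the post
    [int]$MaxPasswordAgeDays = 90         # assumed threshold, adjust to policy
)

function Get-MirroredAccountReport {
    param([string]$Name, [int]$MaxAgeDays)

    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if (-not $user) {
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Account = $Name; Exists = $false
        }
    }

    # S-1-5-32-544 is the well-known SID of the built-in Administrators group.
    # Errors are left visible so a failed lookup is not read as "not an admin".
    $isAdmin = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.SID.Value -eq $user.SID.Value })

    # PasswordLastSet is empty if no password was ever set on the account.
    $ageDays = if ($user.PasswordLastSet) {
        [int]((Get-Date) - $user.PasswordLastSet).TotalDays
    } else { $null }

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        Account              = $Name
        Exists               = $true
        Enabled              = $user.Enabled
        LocalAdmin           = $isAdmin
        PasswordAgeDays      = $ageDays
        PasswordStale        = ($null -eq $ageDays) -or ($ageDays -gt $MaxAgeDays)
        # PasswordExpires is empty when the password is set to never expire.
        PasswordNeverExpires = ($null -eq $user.PasswordExpires)
        LastLogon            = $user.LastLogon
    }
}

Get-MirroredAccountReport -Name $AccountName -MaxAgeDays $MaxPasswordAgeDays |
    Format-List
```

The script covers only the local Windows side; membership in the Team Foundation Server Administrators role from note 3 is held inside TFS and has to be reviewed there.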

Good luck, and make sure you let me know if this can be improved.

 

(Since I don't know how to insert a picture on this blog site with Live Writer, I'm burying the image files on my wife's photography site:) )

Posted on Friday, January 19, 2007 7:24 PM


Comments on this post: Configuring TFS Proxy to access TFS Server in another domain.

# VSTS Links - 01/23/2007
Clara Oscura on TF26204: The account you entered is not recognized.

Brian Harry on A VS SP1 Bug Fix...
Left by Team System News on Jan 23, 2007 6:51 AM

# re: Configuring TFS Proxy to access TFS Server in another domain.
Any chance this will work for Build servers?
We have the TFS server in production and would like to have the build servers in the Dev or QA network areas. Since we use different AD instances in these, we haven't been able to have separate Build Servers. Will your solution work for this scenario?
Left by Ken Brubaker on Jan 25, 2007 8:04 AM

# re: Configuring TFS Proxy to access TFS Server in another domain.
Ken - I have not tried your scenario. But my guess is that it would work fine. My proposed solution for the TFS Proxy relies on Windows pass-through authentication - which is certainly not unique to the TFS Proxy server.

If I were to try it, I would add a tfslocal _build account on the TFS Server - similar to the tfs_proxy account mentioned in my diagram. Then add the same username/password on the build server, and run the Build service with this account.

If you try it, let me know what happens!
Left by Jamie Kurtz on Jan 25, 2007 8:11 AM

# re: Configuring TFS Proxy to access TFS Server in another domain.
Sorry, I meant to say: "... I would add a local tfs_build account on the TFS Server...".
Left by Jamie Kurtz on Jan 25, 2007 7:03 PM

# re: Configuring TFS Proxy to access TFS Server in another domain.
I recently had to configure something similar and I made a small post about it. By the way your diagram is not working anymore :(

Here's my post: http://sorin.serbans.net/blog/?p=374
Left by Sorin on May 10, 2013 8:19 AM
