How to make TFS work with a User domain over a 1-way external trust with Selective Authentication

I had been working on making TFS work with users from an external forest over a 1-way outgoing trust configured with Selective Authentication & wanted to share the same across.

Goal:

Provide access to users from a UserDomain to a TFS Server in the TFSDomain & perform day-to-day tasks including Team Project Creation.

Detailed Scenario:

Domain1 (aka “TFSDomain”)

Domain Functional Level: Windows Server 2003 [Required for Selective Authentication]

Forest Functional Level: Windows Server 2003 [Required for Selective Authentication]

TFS Single Server (Windows Server 2008 + SQL 2008 + TFS 2008 SP1) as member server of the TFSDomain

Domain2 (aka “UserDomain”)

Domain Functional Level: Windows Server 2003 [Required for Selective Authentication]

Forest Functional Level: Windows Server 2003 [Required for Selective Authentication]

TFSDomain has a one-way external outgoing trust with the UserDomain. The authentication type for the trust is “Selective Authentication” (instructions for configuring Selective Authentication are available here). Selective Authentication gives us the capability to allow only specific users/groups from the UserDomain to log on to, access, or authenticate with specific servers/machines in the TFSDomain.

To enable this setup, the following needs to be in place:

1. All users in the UserDomain who need to access TFS must be granted the “Allow to Authenticate” right on the computer account of the TFS server in the TFSDomain. You can do this by asking your domain admin to perform the steps described in https://technet.microsoft.com/en-us/library/cc738653(WS.10).aspx.

2. The TFS service account must be a user account from the UserDomain. Follow the instructions in https://msdn.microsoft.com/en-us/library/bb552178.aspx to update/change the service account.
***The service account needs to come from the UserDomain for GSS sync to work, because of the 1-way trust in place.***

3. Optional: if you want users from the TFS domain to access the TFS server as well, you also need to grant the “Allow to Authenticate” right for the TFS service account (a user account from the UserDomain) on the computer account of the domain controller of the TFSDomain.
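The three steps above can be applied and then verified from a TFSDomain member with the ActiveDirectory PowerShell module. The script below is an added example and is not code from the original post or from TFS; it assumes RSAT is installed, that it runs as a TFSDomain administrator, and that the domain, server, group and account names (tfsdomain.example, userdomain.example, TFSSERVER, USERDOMAIN\TFS-Users, USERDOMAIN\svc-tfs) are placeholders to be replaced. The “Allow to Authenticate” permission from the post is the Allowed-To-Authenticate extended right in the AD schema, which is what the ACE check and grant below use.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory module
# (RSAT), a TFSDomain admin session on a TFSDomain member, and placeholder names.
Import-Module ActiveDirectory

# Rights GUID of the Allowed-To-Authenticate extended right (from the AD schema).
$AllowedToAuthenticateGuid = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Grant-AllowedToAuthenticate {
    # Step 1 (and optional step 3): add an Allow ACE for the Allowed-To-Authenticate
    # right, for one principal, on a computer object in TFSDomain.
    param([string]$TfsDomain, [string]$ComputerName, [string]$Principal)
    $computer = Get-ADComputer -Identity $ComputerName -Server $TfsDomain
    $path = "AD:\$($computer.DistinguishedName)"
    $sid  = ([System.Security.Principal.NTAccount]$Principal).Translate(
                [System.Security.Principal.SecurityIdentifier])
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid,
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                [System.Security.AccessControl.AccessControlType]::Allow,
                $AllowedToAuthenticateGuid)
    $acl = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Test-TfsTrustSetup {
    # Verifies the trust shape, the per-principal grants and the service account domain.
    param(
        [string]$TfsDomain,          # DNS name of Domain1 (placeholder)
        [string]$UserDomain,         # DNS name of Domain2 (placeholder)
        [string]$UserDomainNetBios,  # NetBIOS name of Domain2 (placeholder)
        [string]$TfsServer,          # computer name of the TFS server (placeholder)
        [string[]]$Principals,       # UserDomain users/groups that need TFS access
        [string]$ServiceAccount      # TFS service account as DOMAIN\name
    )

    # Trust: queried from TFSDomain, a one-way outgoing external trust shows
    # Direction = Outbound, is not forest-transitive, and has SelectiveAuthentication set.
    $trust = Get-ADTrust -Filter "Name -eq '$UserDomain'" -Server $TfsDomain
    $trustOk = ($null -ne $trust) -and
               ($trust.Direction -eq 'Outbound') -and
               (-not $trust.ForestTransitive) -and
               [bool]$trust.SelectiveAuthentication

    # Step 1: each principal needs an Allow ACE for the extended right on the TFS
    # server's computer object. Compare SIDs so renamed accounts still match.
    $computer = Get-ADComputer -Identity $TfsServer -Server $TfsDomain
    $acl = Get-Acl -Path "AD:\$($computer.DistinguishedName)"
    $granted = @{}
    foreach ($p in $Principals) {
        $sid = ([System.Security.Principal.NTAccount]$p).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        $granted[$p] = [bool]($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag(
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            $_.ObjectType -eq $AllowedToAuthenticateGuid -and
            $_.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value -eq $sid
        })
    }

    # Step 2: the service account must be a UserDomain account (needed for GSS sync
    # over the one-way trust, as the post notes).
    $serviceAccountOk = $ServiceAccount.Split('\')[0] -ieq $UserDomainNetBios

    [pscustomobject]@{
        TrustOutboundSelective     = $trustOk
        AllowedToAuthenticate      = $granted          # principal -> $true/$false
        ServiceAccountInUserDomain = $serviceAccountOk
    }
}

# Usage with placeholder names: grant for the users group and the service account on
# the TFS server, then verify. For optional step 3, call Grant-AllowedToAuthenticate
# again with each TFSDomain domain controller as -ComputerName.
Grant-AllowedToAuthenticate -TfsDomain 'tfsdomain.example' -ComputerName 'TFSSERVER' -Principal 'USERDOMAIN\TFS-Users'
Grant-AllowedToAuthenticate -TfsDomain 'tfsdomain.example' -ComputerName 'TFSSERVER' -Principal 'USERDOMAIN\svc-tfs'
Test-TfsTrustSetup -TfsDomain 'tfsdomain.example' -UserDomain 'userdomain.example' `
    -UserDomainNetBios 'USERDOMAIN' -TfsServer 'TFSSERVER' `
    -Principals 'USERDOMAIN\TFS-Users','USERDOMAIN\svc-tfs' -ServiceAccount 'USERDOMAIN\svc-tfs'
```

The check deliberately requires all three conditions at once: a trust that is bidirectional or lacks SelectiveAuthentication would let every UserDomain account authenticate to every TFSDomain machine, which defeats the point of the setup, and a missing ACE on the computer object is the usual cause of “logon failure” errors from the UserDomain side even though the trust itself is healthy.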

A high-level diagram of this implementation: