Hello,

Since today we can't connect anymore our TFS server. What happened is that our IT department removed by mistake this TFS server computer from our Active Directory domain. But after adding it again to the same domain, we still have an authentication issue.

The behavior is the following: whenever we start TFS Explorer on any client computer, we are now prompted to enter a user name and password. This was not happening before (authentication was happening automatically). Entering any valid TFS users doesn't work and the prompt appears again. If we press the cancel button on this dialog box, then the following error message dialog appears:

TFS31003: Your user account does not have permission to connect to the Team Foundation Server serverName. Contact your Team Foundation Server administrator and request that the appropriate permission be added to your account.

We also tried to check the security locally on the TFS server using the TFSSecurity cmd line tool but the same user and password prompt appears. Canceling this prompt produce another error message:

TF50309: You do not have sufficient permissions to perform this operation.

Our deployement scenario is (was) a single TFS server (application layer and data layer on the same server) in "active directory" mode

Any help will be appreciated,

Gaetano.

Well, we had our server removed from the domain by mistake (gotta love IT) but we didn't have any of those sorts of problems.

You may want to logon to the server as an Administrator or as the service account and check out your TFS security to make sure that the TFS Server is still up and running properly and that the accounts are still there. Also, check to make sure that the TFSService account is still a registered Administrator on the server. Finally, try to remove and add a user to one of the TFS security groups, it will try to look up the AD account at that point and you will be able to see if the TFS server is properly communicating with AD. I have seen it that a computer is part of the domain, but could not authenticatewith the AD server at all and you didn't know it until trying to add users who weren't already on the server.

Hope that helps

Hello,

I've finally fixed it by:

1- Running again the TFS Server setup and selecting the "Repair" option

2- During this re-setup, an error message appeared complained that TFS application pool was not accessible by the "TFS_SVC" account so I fixed it by changing the identity of that pool via the IIS mmc console and rerun again the setup in repair mode. Then it went till the end and I was able to access my projects via Team Explorer.

In fact during the initial setup, I've been surprised TFS asked for a 3rd account name that was not mentioned in the prerequisited list and that was appearing as the identity for some of the app pools.

3- Later, I've noticed that the "document" tree iteam and the project portals were not working. To fix it, I had to change all the related SQL Server databases owners from this "3rd account" to the "TFS_SVC" account (using sp_changedbowner stored proc)

After doing all these changes, all functionality of TFS were working again. The only drawback was that the projects "group membership" settings were reset and i had to redo them.

Gaetano.