Troubleshooting Team Foundation Server Permissions and Security

Team Foundation Server security activities include the following:

  • Assigning appropriate permissions to Team Foundation Server users, groups, and Web services

  • Integrating with Windows authentication features

  • Helping to secure network ports and traffic between each Team Foundation client and Team Foundation server

Some of the more common security problems and their solutions are listed in this topic.

If you cannot resolve a problem after reviewing these tips, visit the Microsoft Technical Forums for Visual Studio Team System (https://go.microsoft.com/fwlink/?LinkId=54490). These forums provide searchable threads on a variety of troubleshooting topics and are monitored. Therefore, you can receive a quick response to your question.

  • Users Cannot Access Team Project Portal

  • Users Cannot Access Reports

  • Cannot Add a User or Group

  • Added User or Group Does Not Appear in Team Foundation Server

  • Added User or Group Cannot Access Team Foundation Server

  • Changed Permissions for a User or Group Do Not Appear to be Working in Team Foundation Server

  • Changed Membership for a Team Foundation Server Group Does Not Take Effect Immediately

  • The Team Foundation Application-Tier Server and the Team Foundation Data-Tier Server Cannot Communicate

  • Team Foundation Clients Cannot Connect to Team Foundation Server

  • Team Foundation Server Proxy Clients Are Out of Synchronization With Team Foundation Server

  • Custom Team Foundation Server Groups Do Not Function As Expected

  • Changed Permissions for a User or Group Do Not Appear to be Working in Team Foundation Server

  • The Team Foundation Server Service Account Does Not Have Permission to Read Source Control Files

Users Cannot Access Team Project Portal

Symptom:   You receive an error when you try to access the team project portal.

Possible Causes:

  • You might have manually typed the project portal URL and made a mistake. In Team Explorer, right-click the project, and then click Show Project Portal.

  • Internet Information Services might be stopped on the Team Foundation application-tier server. To verify that Internet Information Services is running, on the Team Foundation application-tier server, click Start, click Administrative Tools, click Internet Information Services, and then check to see whether the server is stopped. For more information, see "Internet Information Services Technology Center" (https://go.microsoft.com/fwlink/?LinkId=60978).

  • The application pool for Windows SharePoint Services might be stopped in Internet Information Services. In Internet Information Services, verify that the application pool is running.

  • You might not have appropriate permissions in Windows SharePoint Services. When you add users or groups to Team Foundation Server, you must also add users and groups to Windows SharePoint Services and SQL Reporting Services. For more information, see Managing Permissions.

Users Cannot Access Reports

Symptom:   You receive an error when you try to open or access reports in Team Explorer.

Possible Causes:

  • You might not have appropriate permissions in SQL Reporting Services. When you add users or groups to Team Foundation Server, you must also add users and groups to Windows SharePoint Services and SQL Reporting Services. For more information, see Managing Permissions and Troubleshooting Team Foundation Reporting.

  • Internet Information Services might be stopped on the Team Foundation application-tier server. To verify that Internet Information Services is running, on the Team Foundation application-tier server, click Start, click Administrative Tools, click Internet Information Services, and then check to see whether the server is stopped. For more information, see "Internet Information Services Technology Center" (https://go.microsoft.com/fwlink/?LinkId=60978).

  • The application pool for Reporting Services might be stopped in Internet Information Services. In Internet Information Services, verify that the Reporting Services application pool is running.
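The Internet Information Services checks listed here and under "Users Cannot Access Team Project Portal" can also be scripted. The following PowerShell is an added example, not part of the original topic. It assumes an elevated session on the application-tier server, IIS 7 or later with the WebAdministration module, and PowerShell 3.0 or later; because the topic does not name the SharePoint or Reporting Services pools, it reports every pool that is not started.

```powershell
# Added example, not part of the original topic.
# Assumptions: elevated session on the application-tier server, IIS 7 or
# later with the WebAdministration module, PowerShell 3.0 or later.
Import-Module WebAdministration -ErrorAction Stop

# 1. World Wide Web Publishing Service: if it is not running, no site responds.
$w3svc = Get-Service -Name 'W3SVC' -ErrorAction SilentlyContinue
if (-not $w3svc) {
    Write-Warning 'The W3SVC service is not installed on this computer.'
} elseif ($w3svc.Status -ne 'Running') {
    Write-Warning "W3SVC is $($w3svc.Status). Pool states below may be incomplete."
}

# 2. Application pools that are not in the Started state.
$notStarted = @(Get-ChildItem -Path 'IIS:\AppPools' |
    Where-Object { $_.State -ne 'Started' })

# 3. Tie each of those pools to the applications it serves, so a stopped
#    pool can be matched to the project portal or the report server.
$apps = @(Get-WebApplication)
$report = foreach ($pool in $notStarted) {
    $served = $apps |
        Where-Object { $_.applicationPool -eq $pool.Name } |
        ForEach-Object { $_.path }
    [pscustomobject]@{
        AppPool      = $pool.Name
        State        = $pool.State
        Applications = ($served -join ', ')
    }
}

if ($report) {
    $report | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'All application pools are started.'
}
```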

Cannot Add a User or Group to Team Foundation Server

Symptom:   A domain user or group does not appear in the Windows User or Group dialog box.

Possible Causes:

Added User or Group Does Not Appear in Team Foundation Server

Symptom:   A recently added user or group does not appear in the server or project to which you just added that user or group.

Possible Causes:

  • You must set at least one permission to Allow or Deny in order to successfully add a user or group to Team Foundation Server. If you add a user or group but do not set at least one permission to Allow or Deny (that is, you leave all permissions unset), that user or group is not added to Team Foundation Server, and you do not see an error message or warning. For more information, see Managing Users and Groups and Team Foundation Server Permissions.

Added User or Group Cannot Access Team Foundation Server

Symptom:   A recently added user or group cannot access Team Foundation Server work items, source code, project portals, or reports.

Note

Consider adding users and groups to Team Foundation Server groups instead of to the project or the server. For more information, see Managing Users and Groups.

Possible Causes:

  • In environments where there is more than one Team Foundation Server, the user might be trying to access a Team Foundation Server where that user does not have permissions on any project. Make sure that the user is accessing the correct Team Foundation Server for the project.

  • The user or group might belong to a different domain or workgroup that does not have the necessary trust relationship to access Team Foundation Server. For more information, see Managing Team Foundation Server in an Active Directory Domain and Managing Team Foundation Server in a Workgroup.

  • You added a user or group that has only the Administer Shelvesets permission set to Allow or Deny. There is a known issue with this permission: if you add a user or group that has only this permission set to Allow, the user or group is not added correctly to the Team Foundation Valid Users group and therefore cannot access Team Foundation Server. Check whether the user or group appears in the list of Team Foundation Valid Users, and when you add a user or group, make sure that you set other permissions to Allow or Deny for that user or group in addition to the Administer Shelvesets permission. For more information, see Managing Users and Groups, How to: View Existing Users, and Team Foundation Server Permissions.

  • The user or group might not have appropriate permissions in Windows SharePoint Services and SQL Reporting Services. When you add a user or group to Team Foundation Server, you must also add that user or group to Windows SharePoint Services and SQL Reporting Services. For more information, see Managing Permissions.

Changed Permissions for a User or Group Are Not Working in Team Foundation Server

Symptom:   An existing user or group needs its permissions changed. Immediately after you change the permissions for that user or group, the user or group does not notice any change in functionality.

Possible Causes:

  • Changes to permissions can take a minute or two to synchronize across Team Foundation Server, especially if there is significant network latency between the Team Foundation data-tier server and the Team Foundation application-tier server. Ask the user or group to wait several minutes, and then try the action again. For more information, see Team Foundation Server Permissions and Team Foundation Server Security Architecture.

Changed Membership for a Team Foundation Server Group Does Not Take Effect Immediately

Symptom:   An administrator adds or removes a user from a Team Foundation Server group, but immediately afterward, the user's membership status appears unchanged.

Possible Causes:

  • Changes to group membership can take a minute or two to synchronize across Team Foundation Server, especially if there is significant network latency between the Team Foundation data-tier server and the Team Foundation application-tier server or between Team Foundation Server and the domain controllers where the security group resides when Active Directory security groups are being used.

The Team Foundation Application-Tier Server and the Team Foundation Data-Tier Server Cannot Communicate

Symptom: When running Team Foundation Server in a dual-server deployment, you cannot create a project or perform work. You are presented with error messages when you try most server operations.

Possible Causes:

  • A firewall or network router between the Team Foundation data-tier and the Team Foundation application tier is blocking network traffic between the two servers. Make sure that all necessary ports are configured to enable network traffic. For more information, see Team Foundation Server Security Architecture.

  • The network connection between the Team Foundation application-tier server and the Team Foundation data-tier server is too slow. There might be too much network traffic for your routers to handle efficiently, or one or more network cards on your Team Foundation servers might not be configured correctly. The configuration of network switches and your computers' network cards can affect the network speed. Confirm that these settings are correct. For more information about how to use an autodetect setting for the network cards, see the Microsoft Web site https://support.microsoft.com/kb/174812/. For more information about network card settings, see the manufacturer's documentation.

  • The Team Foundation data-tier server and the Team Foundation application-tier server are in different Active Directory domains or forests without sufficient trusts. You must configure trusts appropriate to your Team Foundation Server deployment. For more information, see Trusts and Forests Considerations for Team Foundation Server.

  • Either the Team Foundation application-tier server, the Team Foundation data-tier server, or both servers are in a workgroup instead of a domain. These configurations are not supported. Only single-server deployments are supported in a workgroup environment.

Team Foundation Clients Cannot Connect to Team Foundation Server

Symptom: Users who have Team Foundation clients like Team Explorer cannot connect to Team Foundation Server.

Possible Causes:

  • One or more Team Foundation Server services have been stopped, or the server where Team Foundation Server is installed is offline. Check to make sure that the server is connected to the network and that all necessary Team Foundation Server services are running. For more information, see Team Foundation Server Security Concepts and Team Foundation Server Security Architecture.

  • A firewall or network router between the Team Foundation client and Team Foundation Server is blocking network traffic between Team Foundation Server and the client. Make sure that all necessary ports are configured to enable network traffic. For more information, see Team Foundation Server Security Architecture.

  • Team Foundation Server is in an Active Directory domain or forest that does not trust the domain of the Team Foundation client. You must configure trusts appropriate to your Team Foundation Server deployment. For more information, see Trusts and Forests Considerations for Team Foundation Server and Unsupported Domain Configurations.

  • The Team Foundation client is in a workgroup instead of a domain, but Team Foundation Server is deployed in a domain. Local user accounts must be created on the Team Foundation client computers. If you do not want to require users to type a user name and password every time that a Team Foundation client must connect to Team Foundation Server, make sure that the local user accounts use the same user name and password as the domain user names. For more information, see Managing Team Foundation Server in a Workgroup.

  • Team Foundation Server is deployed in a workgroup, but the Team Foundation client is in a domain. Local user accounts must be created on the Team Foundation server for all users who require access to the server. For more information, see Managing Team Foundation Server in a Workgroup.

  • Local user accounts have not been created for all computers in a workgroup-only Team Foundation Server deployment. Local user accounts must be created on the Team Foundation server for all users who require access to the server. Local user accounts must be added to Team Foundation Server server-level and project-level groups so that the users are authorized on the Team Foundation server. For more information, see Managing Team Foundation Server in a Workgroup.

  • The version of Team Explorer on one or more client computers does not match the version of Team Foundation Server. Make sure that all your Team Foundation clients are using the same release version as your Team Foundation Server deployment.

Team Foundation Server Proxy Clients Are Out of Sync with Team Foundation Server

Team Foundation Server Proxy has its own troubleshooting guide. For more information, see Troubleshooting Team Foundation Server Proxy.

Custom Team Foundation Server Groups Do Not Function as Expected

Symptom:   A Team Foundation administrator or project administrator has created custom groups for a particular Team Foundation Server project, but members of these groups cannot perform expected tasks.

Possible Causes:

  • Changes to group membership can take a minute or two to synchronize across Team Foundation Server, especially if there is significant network latency between the Team Foundation data-tier server and the Team Foundation application-tier server or, when Active Directory security groups are being used, between Team Foundation Server and the domain controllers where the security group resides.

  • The custom groups do not have all the permissions that are required for the tasks the users must perform. Creating custom groups and correctly assigning permissions is a complex task. For information about what permissions are appropriate for each role, see Team Foundation Server Default Groups, Permissions, and Roles. For information about Team Foundation Server permission definitions, see Team Foundation Server Permissions.

Changed Permissions for a User or Group Are Not Working in Team Foundation Server

Symptom:   An existing user or group needs its permissions changed. Immediately after you change the permissions for that user or group, the user or group still cannot do the action that required the new permissions.

Possible Causes:

  • Changes to permissions can take a minute or two to synchronize across Team Foundation Server, especially if there is significant network latency between the Team Foundation data-tier server and the Team Foundation application-tier server. Ask the user or group to wait several minutes, and then try the action again. For more information, see Team Foundation Server Permissions and Team Foundation Server Security Architecture.

Team Foundation Server Service Account Does Not Have Permission to Read Source Control Files

Symptom:   A message appears in the event log on the application-tier server similar to "TF53010: An unexpected condition has occurred in a Team Foundation component. The information that is contained here should be made available to your site administrative staff." The detailed message resembles "Microsoft.TeamFoundation.VersionControl.Adapter: Unable to read changeset. The service account might not have permissions to retrieve this changeset."

Possible Causes:

  • If you remove the Read permission for the Service Accounts security group on a file or folder that is under source control, the VersionControl.Adapter might not be able to read the file or folder. If the adapter cannot read the source control information into the data warehouse, the adapter will write an error message to the event log and not update the information in the data warehouse. Without the source control information from the file or folder, the subsequent source control reports might not be accurate. For more information, see Configuring Source Control Settings.

  • If you explicitly set permissions for a team project or remove permissions for a default security group, you might affect the ability of an individual user or group to gain access to the team project resources. For example, setting or changing security permissions for the Service Account can override the default settings necessary for the account to access team project files or Team Foundation services. For more information about permission settings and inheritance, see Team Foundation Server Permissions and Team Foundation Server Default Groups, Permissions, and Roles.
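To confirm the symptom and see when it began, the event log on the application-tier server can be searched for the message text quoted above. The following PowerShell is an added example, not part of the original topic. It assumes the TF53010 events are written to the Application log, a seven-day look-back window, and PowerShell 3.0 or later; it matches on message text because the topic gives no event ID.

```powershell
# Added example, not part of the original topic.
# Assumptions: run on the application-tier server; TF53010 events are in the
# Application log; 7-day look-back; PowerShell 3.0 or later.
$since = (Get-Date).AddDays(-7)

# All recent events whose message carries the TF53010 code.
$tfErrors = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Application'
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'TF53010' })

# Narrow to the warehouse adapter failing to read a changeset, which is the
# case tied to the Service Accounts group losing Read permission.
$adapter = @($tfErrors | Where-Object {
    $_.Message -match 'VersionControl\.Adapter' -and
    $_.Message -match 'Unable to read changeset'
})

# Summary: how many, and the first and last time the failure was logged.
$ordered = @($adapter | Sort-Object TimeCreated)
[pscustomobject]@{
    Since               = $since
    TF53010Total        = $tfErrors.Count
    AdapterReadFailures = $adapter.Count
    FirstSeen           = ($ordered | Select-Object -First 1).TimeCreated
    LastSeen            = ($ordered | Select-Object -Last 1).TimeCreated
} | Format-List

# Per-day counts: a sudden start date points at the permission change
# that removed Read from the Service Accounts group.
$adapter |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') } |
    Sort-Object Name |
    Select-Object Name, Count |
    Format-Table -AutoSize
```

Compare the FirstSeen time with the date of any recent source control permission change on the affected files or folders.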

See Also

Concepts

Managing Team Foundation Server in a Workgroup

Other Resources

Managing Users and Groups
Managing Permissions
Managing Team Foundation Server Services and Service Accounts
Managing Team Foundation Server in an Active Directory Domain
Securing Team Foundation Server