March 18th, 2008

Account used to install TFS must have read permission to Active Directory

Buck Hodges
Director of Engineering

We’ve seen a couple of customers run into a rare problem where the account being used to set up a new Team Foundation server does not have read access to Active Directory (this does not apply to the workgroup edition of TFS).  Vasu Sankaran, developer on the TFS identity management system, explains the error below.

When Team Foundation Server (TFS) is deployed in an Active Directory (AD) environment, TFS makes use of the Windows identities stored in Active Directory. For such AD identities associated with TFS, the server needs to retrieve information from AD, such as the account SID, its display name, mail address, and similar attributes. The identities about which TFS queries AD are either service accounts, or other users and groups added to TFS (manually or during installation). This synchronization of information with AD requires read privileges only. TFS does not create or modify AD objects. The following links provide useful information regarding TFS deployment in an AD environment.

During an upgrade scenario, the setup account used to perform the upgrade requires the same AD read permission, since it tries to sync information from AD about TFS service accounts. Lack of this privilege could lead to a setup error such as the following:

Detailed Message: TF213002:The service account specified during setup could not be added to the Team Foundation Service Accounts group. The installation or repair failed with the following exception message: System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.TeamFoundation.Server.GroupComponent.AddIdentityToGroup(String groupSID, Identity member, DateTime sourceTimestamp)
at Microsoft.TeamFoundation.Server.TeamFoundationGssInit.Install(Options opts, List`1 args)

Admittedly, this is poor error reporting. But essentially the AD identity accessor is returning null for the service account when it attempts to retrieve information from AD, due to lack of permission. This is occurring when we try to add the service account to the Service Accounts TFS group, causing the null reference exception.

Ensuring that the setup account has AD Read permission will solve this problem.
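Before running setup or an upgrade, it is worth confirming that the setup account can actually read the attributes the text above lists (objectSid, displayName, mail) for the service account. The script below is an added example, not code from the original post or from TFS itself; it uses System.DirectoryServices (the same LDAP path TFS's identity lookup takes) and reproduces the failure mode described above as an empty search result or a missing objectSid rather than a NullReferenceException. The account and domain names in the comments (CONTOSO, TFSSETUP, TFSSERVICE) are placeholders.

```powershell
# Added example (not part of the original post): check whether the account running this
# script can read the AD attributes TFS setup needs for a given service account.
# Run it as the setup account, e.g.
#   runas /user:CONTOSO\TFSSETUP "powershell.exe -File Test-TfsAdRead.ps1 -SamAccountName TFSSERVICE"
# CONTOSO, TFSSETUP and TFSSERVICE are placeholder names.
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName      # sAMAccountName of the TFS service account (or any TFS user/group)
)

Add-Type -AssemblyName System.DirectoryServices

function Test-TfsAdRead {
    param([string]$SamAccountName)

    # Bind to the current domain. The search runs under the caller's token, so an account
    # without Read on the target object simply never sees it in the result set.
    $rootDse    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE")
    $defaultNc  = $rootDse.Properties["defaultNamingContext"].Value
    $searchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$defaultNc")

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($searchRoot)
    $searcher.Filter = "(&(|(objectClass=user)(objectClass=group))(sAMAccountName=$SamAccountName))"
    foreach ($attr in 'objectSid', 'displayName', 'mail', 'sAMAccountName') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    $result = $searcher.FindOne()
    if ($result -eq $null) {
        # This is the situation behind TF213002: the identity lookup comes back empty.
        Write-Warning "No readable object for '$SamAccountName': it does not exist, or this account lacks Read on it."
        return $false
    }

    $ok = $true
    foreach ($attr in 'objectSid', 'displayName', 'mail') {
        $key = $attr.ToLower()   # SearchResult property names are lower-cased
        if ($result.Properties.Contains($key) -and $result.Properties[$key].Count -gt 0) {
            $value = $result.Properties[$key][0]
            if ($attr -eq 'objectSid') {
                # objectSid is returned as a byte array; render it as S-1-5-21-...
                $value = (New-Object System.Security.Principal.SecurityIdentifier($value, 0)).Value
            }
            Write-Host ("{0,-12} {1}" -f $attr, $value)
        }
        else {
            # mail and displayName may legitimately be unset; objectSid never is, so a missing
            # SID means the attribute itself is not readable by this account.
            if ($attr -eq 'objectSid') { $ok = $false }
            Write-Host ("{0,-12} <not set or not readable>" -f $attr)
        }
    }
    return $ok
}

if (Test-TfsAdRead -SamAccountName $SamAccountName) {
    Write-Host "This account can read the attributes TFS needs for '$SamAccountName'."
}
else {
    Write-Host "Grant the setup account Read access to '$SamAccountName' (or its container) before running TFS setup or upgrade."
}
```

Run it under the setup account, not as a domain administrator, otherwise the check proves nothing about the account that will actually perform the installation. A result of `$false` means the same lookup TFS performs during setup or upgrade would return nothing for that identity, which is the condition the TF213002 error above reports so unhelpfully.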
