
28 Dec 07

TFS Proxy server in a non-trusted remote domain

I ran into a problem that I am sure more people than me have run into. I had to set up TFS for a remote office of contracted developers. To make it worse, the remote office is 5000 miles away. Since the developers are not employed by us, I had two choices:

1. Leave them in their own domain and figure out how to make the remote domain work with TFS, or
2. Connect their AD to ours and deal with the trust issues.

I decided on #1. I am a network guy, so setting up the VPN between the two offices was a piece of cake. I dropped a WatchGuard Edge onto the remote network and connected it to our home office for a secure VPN.

Now for the fun part. The proxy server connects to the main TFS server using the identity of the application pool for the TFS Proxy Server web site. Since the remote AD and the TFS AD are separate domains with no trust between them, they cannot authenticate to each other. But there is a hack.

In this scenario we will use three machines: the proxy server (PServer), the TFS server (TServer), and a remote client (client). There are two domains, HomeAD (the TFS server's domain) and RemoteAD (the proxy's and client's domain).

TServer is in HomeAD
PServer is in RemoteAD
client is in RemoteAD

The hack is to create a local user on TServer; we will use proxyUser with a password of proxy123. Make that user a local admin and add that user to TFS.

In Visual Studio, in Team Explorer, right-click on the TFS server (TServer), then Team Foundation Server Settings, Group Membership. Click on Team Foundation Administrators, then the Properties button. Select the 'Windows User or Group' radio button, then Add. Add proxyUser and select OK. The user proxyUser is now an administrator for the TFS server.

Now on the remote domain, RemoteAD, add the user proxyUser with the same password, proxy123. The username and password must match exactly on both sides: with no trust in place, TServer can only accept the proxy's RemoteAD\proxyUser logon by matching it against its own local proxyUser account.

On the TFS Proxy server, open IIS. Locate the app pool Team Foundation Server and open it. On the Identity tab, set the logon user to RemoteAD\proxyUser with proxy123 as the password. Run iisreset to restart the web site. Go to http://localhost:8081/VersionControl/v1.0/ProxyStatistics.asmx and click Invoke. If you get XML that lists the number of files fetched, files missed, and so on, then the link to the main TFS is up.
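The same three-host procedure as a PowerShell script, added here as an example and not part of the original post. It assumes IIS 6 (adsutil.vbs with the AppPoolIdentityType/WAMUserName/WAMUserPass metabase properties), the TFS 2005/2008 tfssecurity tool reachable at http://TServer:8080, and the proxy listening on port 8081 as above; proxy123 is the post's placeholder password.

```powershell
# Run with -Role TServer on the TFS server (as a local admin),
# -Role RemoteAD on a RemoteAD machine (as a domain admin),
# and -Role PServer on the proxy (as a local admin).
param(
    [Parameter(Mandatory=$true)]
    [ValidateSet('TServer','RemoteAD','PServer')] [string]$Role,
    [string]$User = 'proxyUser',
    [string]$Password = 'proxy123',        # placeholder from the post; use the same value on both sides
    [string]$RemoteDomain = 'RemoteAD',
    [string]$TfsUrl = 'http://TServer:8080' # assumed TFS application-tier URL
)

switch ($Role) {
  'TServer' {
    # Local account on the TFS server. The proxy's RemoteAD\proxyUser logon is
    # accepted only because this name and password are identical.
    net user $User $Password /add /passwordchg:no
    net localgroup Administrators $User /add   # local admin, as the post prescribes
    # Grant TFS-level admin, the scripted form of the Team Explorer steps above.
    tfssecurity /g+ "Team Foundation Administrators" "n:$env:COMPUTERNAME\$User" /server:$TfsUrl
  }
  'RemoteAD' {
    # Mirror account in the remote domain with the same password.
    net user $User $Password /add /domain /passwordchg:no
  }
  'PServer' {
    $pool    = 'W3SVC/AppPools/Team Foundation Server'   # app pool named in the post
    $adsutil = 'C:\Inetpub\AdminScripts\adsutil.vbs'     # default IIS 6 admin script path
    # AppPoolIdentityType 3 = run the pool as a specific user
    cscript //nologo $adsutil SET "$pool/AppPoolIdentityType" 3
    cscript //nologo $adsutil SET "$pool/WAMUserName" "$RemoteDomain\$User"
    cscript //nologo $adsutil SET "$pool/WAMUserPass" $Password
    iisreset
    # Open the statistics page; click Invoke and check for the XML described above.
    Start-Process 'http://localhost:8081/VersionControl/v1.0/ProxyStatistics.asmx'
  }
}
```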

The client is simple. The client's machine and username are in the RemoteAD domain. When the user connects to the TFS Proxy server (PServer), it will use the user's RemoteAD login. When the user connects to the real TFS server (TServer) for check-ins and to get the security token, they will use the AD account that has been set up for them in HomeAD.

So the path goes as follows:

User Ted connects to the main TFS using an account created for him in HomeAD, HomeAD\Ted2. He gets a token from that TFS and gives it to the proxy using his local AD creds, RemoteAD\Ted. He gets files from the proxy, which fetches the files from the main TFS using the creds RemoteAD\proxyUser. That login gets translated into TServer\proxyUser for authentication. When Ted checks in, he uses the HomeAD\Ted2 login again.

[Diagram: Remote TFS]

