Account used to install TFS must have read permission to Active Directory

We’ve seen a couple of customers run into a rare problem where the account being used to set up a new Team Foundation server does not have read access to Active Directory (this does not apply to the workgroup edition of TFS).  Vasu Sankaran, developer on the TFS identity management system, explains the error below.

When Team Foundation Server (TFS) is deployed in an Active Directory (AD) environment, TFS makes use of the Windows Identities stored in Active Directory. For such AD identities associated with TFS, the server needs to retrieve information from AD, such as the account SID, its display name, mail address, and similar attributes. The identities about which TFS queries AD are either service accounts, or other users and groups added to TFS (manually or during installation). This synchronization of information with AD requires read privileges only. TFS does not create or modify AD objects. The following links provide useful information regarding TFS deployment in AD environment.

During an upgrade scenario, the setup account used to perform the upgrade requires the same AD read permission, since it tries to sync information from AD about TFS service accounts. Lack of this privilege could lead to a setup error such as the following:

Detailed Message: TF213002:The service account specified during setup could not be added to the Team Foundation Service Accounts group. The installation or repair failed with the following exception message: System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.TeamFoundation.Server.GroupComponent.AddIdentityToGroup(String groupSID, Identity member, DateTime sourceTimestamp)
at Microsoft.TeamFoundation.Server.TeamFoundationGssInit.Install(Options opts, List`1 args)

Admittedly, this is poor error reporting. But essentially the AD identity accessor is returning null for the service account when it attempts to retrieve information from AD, due to lack of permission. This is occurring when we try to add the service account to the Service Accounts TFS group, causing the null reference exception.

Ensuring that the setup account has AD Read permission will solve this problem.

Technorati Tags:

Comments (3)

  1. Eugene Zakhareyev on Label scope revealed and Branching to desired target path is easy. The NWCadence…

  2. jankogaga says:

    When You told Read permission on AD, Did you mean Windows authorisation accesss group. I have already installed TFS 2008, but I had not to assign any special permission to tfssetup account.

    On TFS 2005, I could not get checkin event, till I joined tfsservice to the Windows authorisation accesss group.



  3. Vasu Sankaran says:


    I am not sure what you mean by the "Windows authorisation accesss group". In any case if setup already succeeded for you, then the setup account must have already had AD read permission. Most domain accounts are granted this permission. Not having this permission is more the exception than the rule.

    One way to verify if the setup account has this permission is to open a command prompt running with this setup account credentials (using RunAs), and verify if the following command succeeds –

    dsquery user -samid <tfs service account name> -d <domain> | dsget user -dn -samid -sid -display -email -L