TF400371, TF14045 | Configuring Proxy in an Untrusted Domain

If you are running TFS 2012 RTM, Update 1, or Update 2 and are trying to configure a proxy machine in an untrusted domain, you will find that the configuration process blocks this previously supported scenario with the following errors:

TF400371: Failed to add the service account 'TFSPROXY\TFSProxy1' to Proxy Service Accounts Group. Details: TF14045: The identity with type 'System.Security.Principal.WindowsIdentity' and identifier 'S-1-5-21-4198714966-1643845615-1961851592-1024' could not be found..

Fortunately, there is a workaround that will help you get Proxy back up and running. Please follow these steps:

  1. If you are on TFS 2012 RTM or Update 1, you will need to upgrade to Update 2.
  2. Once you are on Update 2, you will need to join your proxy server to TFS by placing it in a workgroup during configuration.
  3. After configuration is complete, move your proxy server back into the untrusted domain. Please be sure you continue to follow the guidance around shadow accounts closely.

We apologize for the inconvenience and will be including the fix for this bug in Update 3.