TFSB3r security issue

I'm having a problem where I've created a new domain group and added the group to the server global security using server - security. When I look in server - group membership I see that the group is added to the tfs valid users. When I now want to remove the group this seems not to be possible in any single way. In the server - security page the group magically disappeared.

I now have the situation that some members of the group CAN access the tfs and some can't. I don't have any clue why this is. I've waited for minutes, didn't work; restarted, didn't work.

I have no further problems with tfs; I can use some other (administrator) accounts to do all the functionality with tfs, but now I want to add a group of developers to tfs and this doesn't seem to be possible in the way that it's supposed to work.

I'm wondering... I've installed my tfs on a domain controller... some say that this is 'far from ideal'... could this have anything to do with this?

I'm running tfsb3r on a fresh 2003 install.



  • WilliamW6488

    Ok, when I create a new global TFS group called dev, assign all permissions and then add my domain group to it, I can see that the users in the group are becoming a member of the tfs group dev.

    When I now add a new user to the domain group and check the users in the dev group, I can see that the user is added to the domain group, but when I look at the groups which this user belongs to, dev ain't one of them. While the other users do belong to dev.

    When I now remove the domain group from the dev group and add it again, I can see that the new domain user has also become a dev member. It seems like tfs applies rights to users at the time of assigning users to a specific group and not when adding users to a domain group outside of tfs. I've also waited a while to see if the changes get picked up after a while but this doesn't seem to be happening.

    Any suggestions?

  • Ivan Giugni

    It sounds like the background thread that synchronizes TFS groups with Active Directory is running into problems. The thread should try to sync with Active Directory once an hour by default. However, in Beta 3 Refresh, if it runs into any type of problem, it will stop the sync. In the RTM code this is improved, in that it will only stop the sync of the group that has a problem, not all remaining groups.

    But let's try and figure out your specific problem. If you look in the event log, there should be an entry that gives more details about what is going wrong during the sync. Could you please post any errors from the log related to Active Directory or group syncing?

    Thanks,
    Matt Hoover
    SDE Visual Studio
