TFSConfig Identities listed all TFS accounts and all but one matched Windows.

How do I fix the lone user account where the Match is False?

While this may not be relevant, I add it to the post in case it provides any additional clues. I tried to reapply the user in the Application Tier Console Users list and it failed. The log stated the account is also an orphaned SQL Server Login. I assume that makes sense if the SID is mismatched, though.

Since you have reapply the user in the Application Tire Console Users list. Changes you make to local or Active Directory groups do not get reflected in TFS immediately.

It may be a identity synchronization issue. You must wait for the next identity synchronization with Windows before the properties of accounts that you do some account change will be updated. This requirement includes changes from group to user, user to group, and domain account to local account.

You could also force TFS to sync, details please refer this blog. After this run the TFSConfig Identities again.