TFSSecurity Unable to Resolve Identity

Posted 2019-08-17 07:32

I am trying to use TFSSecurity to configure security on our new instance of TFS 2017. It works great when I test it by adding local user accounts on the TFS server into a TFS group but fails as soon as I change to trying to add domain groups or accounts. Here's the command and the results I am getting:

PS C:\> &"E:\TFS 2017\Tools\tfssecurity.exe" /g+ "n:[Project1]\Contributors" n:"DOMAIN1\TFS-Developers" /collection:http://myTfsServer:8080/tfs/PrimaryCollection

Microsoft (R) TFSSecurity - Team Foundation Server Security Tool Copyright (c) Microsoft Corporation. All rights reserved.

The target Team Foundation Server is http://myTfsServer:8080/tfs/PrimaryCollection.

Resolving identity "n:[Project1]\Contributors"...
[A] [Project1]\Contributors

Resolving identity "n:DOMAIN1\TFS-Developers"...

Error: The identity cannot be resolved.

I am running this command using an account on DOMAIN1 that can see the group in Active Directory Users and Computer so it seems like it should not have an issue resolving the identity. However, the server is not joined to the network on DOMAIN1. It is joined to a second domain called DOMAIN2 that has a one way trust with DOMAIN1. I suspect that this might be causing the problem but I'm not sure how to work around it if it is or how to diagnose the issue to know this for sure. Any ideas?

2 answers
This account has been banned
#2 · 2019-08-17 08:19

This turned out not to be a domain trust issue at all. I was using the wrong group names. Very embarrassing but a good reminder to check for the stupid stuff before you assume it's something complicated.

Summer. ? 凉城
#3 · 2019-08-17 08:32

You'd better make the 2 domains trusted with each other. Specifically, when you do only a one way trust. In your scenario, domain2 needs to trust domain1, and pay attention to what is mentioned in this thread:

the TFSSERVICE account must normally be a user in the more trusted forest. Since accounts from the less trusted forest are not allowed to query this information from the more trusted forest, you are unable to add users from the more trusted forest when the TFSSERVICE account comes from the less trusted forest.

Here is a blog about adding a user from a different domain: http://blogs.agorainc.com/post/External-User-in-Team-Foundation-Server-(TFS)-with-Active-Directory.aspx

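The two answers point at two different causes of "The identity cannot be resolved": a mistyped group name, or a lookup that the server's security context is not allowed to perform across the trust. The following pre-check is an added example, not code from either answer or from the TFSSecurity tool: it asks Windows on the TFS server to translate each DOMAIN\name to a SID before calling tfssecurity.exe, so a typo is caught immediately and a trust or lookup failure surfaces with the underlying Windows error instead of the tool's generic message. Paths, names and the deliberately misspelled second group are taken from or constructed around the question.

```powershell
# Run on the TFS server under the account that will invoke tfssecurity.exe, so the
# name lookup happens in the same security context as the tool's own resolution.
$tfsSecurity = "E:\TFS 2017\Tools\tfssecurity.exe"                 # path from the question
$collection  = "http://myTfsServer:8080/tfs/PrimaryCollection"
$tfsGroup    = "[Project1]\Contributors"
$adAccounts  = @("DOMAIN1\TFS-Developers",   # real group from the question
                 "DOMAIN1\TFS-Develpoers")   # constructed typo, to show the failure path

function Test-IdentityResolvable {
    param([Parameter(Mandatory)][string]$AccountName)
    try {
        # NTAccount.Translate uses the same Windows name-to-SID lookup the server relies on;
        # an unknown name throws IdentityNotMappedException, an unreachable domain something else.
        $sid = ([System.Security.Principal.NTAccount]$AccountName).Translate(
                   [System.Security.Principal.SecurityIdentifier])
        [pscustomobject]@{ Account = $AccountName; Resolvable = $true;  Sid = $sid.Value; Error = $null }
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # Name does not exist as seen from this machine: typo, wrong domain prefix, wrong object.
        [pscustomobject]@{ Account = $AccountName; Resolvable = $false; Sid = $null; Error = "identity not mapped: $($_.Exception.Message)" }
    } catch {
        # Lookup itself failed: domain controller unreachable or the trust does not allow the query.
        [pscustomobject]@{ Account = $AccountName; Resolvable = $false; Sid = $null; Error = "lookup failed: $($_.Exception.Message)" }
    }
}

foreach ($account in $adAccounts) {
    $check = Test-IdentityResolvable -AccountName $account
    if (-not $check.Resolvable) {
        Write-Warning "Skipping '$account': $($check.Error)"
        continue
    }
    Write-Host "Resolved $account -> $($check.Sid); adding to $tfsGroup"
    & $tfsSecurity /g+ "n:$tfsGroup" "n:$account" "/collection:$collection"
}
```

A name that resolves here but still fails inside tfssecurity.exe points at the service-account and trust-direction issue the second answer describes, because the server performs that lookup under the TFS service account rather than under the account running the tool.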