I keep getting the following:
The source control proxy ‘tfs2010’ is not responding, so the request
will be sent to the main server. Please verify your settings.
Additional information: TF30063: You are not authorized to access
Microsoft-IIS/7.5.
Clearly, the problem is that the proxy machine (IIS) is not letting my real TFS server user through.
Both TFS server and proxy are on 2008R2 servers, and neither is a member of AD, so NTLM authentication is a must.
It’s clear, however, that the TFS client must be able to authenticate against the real server and pass the proxy, while the two could potentially have no idea about each other’s users.
The frustrating part is that I couldn’t find anything about how TFS authentication works in either the Install guide or any of the online HOWTOs.
Tishma, TFS relies on Windows and IIS for authentication. There is nothing special on TFS itself regarding authentication.
The most important thing here is “neither is a member of AD”. It means you have to use “shadow accounts”, i.e. accounts with the same username and password across all servers.
Remember that it also affects your service accounts. When you set up your proxy server, you must specify which credentials will be used to run the service (referred to as “TFSPROXY” in the TFS Installation Guide). As there is no domain coordinating the servers, the “TFSPROXY” account is local to the proxy server. But it must be able to authenticate to the TFS server. Thus you must create a new account with the same username and password on the TFS box, so that the proxy can connect to TFS.
Finally, shadow accounts for your devs must be created on both servers (proxy and TFS), so that they can authenticate at both proxy and TFS servers.
The only way to avoid the burden of keeping all those usernames and passwords synchronized would be adding all those machines to an AD domain.
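One way to create the shadow accounts described in the answer, as an added example that is not part of the original thread: a PowerShell script using the ADSI WinNT provider, run elevated on both the proxy and the TFS server. TFSPROXY is the service account name from the answer; dev1 and dev2 are placeholder developer accounts.

```powershell
# Added example. Run elevated on EACH workgroup server (proxy and TFS) and
# enter the same password for a given account on both machines.
# 'dev1' and 'dev2' are placeholders; replace with your developers' usernames.
param(
    [string[]]$Accounts = @('TFSPROXY', 'dev1', 'dev2')
)

# The WinNT provider needs the password as plain text; free the copy afterwards.
function ConvertTo-PlainText([System.Security.SecureString]$Secure) {
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

$machine = [ADSI]"WinNT://$env:COMPUTERNAME,computer"

foreach ($name in $Accounts) {
    # Prompt instead of taking the password as an argument, so it does not
    # end up in command history or a scheduled-task definition.
    $secure = Read-Host -AsSecureString "Password for $name (must match the other server)"
    $plain  = ConvertTo-PlainText $secure

    # Look for an existing local user with this name.
    $user = $machine.Children | Where-Object {
        $_.SchemaClassName -eq 'User' -and $_.Name -eq $name
    }

    if ($user) {
        $action = 'password reset'      # bring an existing account back in sync
    } else {
        $user   = $machine.Create('User', $name)
        $action = 'created'
    }

    $user.SetPassword($plain)
    $user.SetInfo()
    $plain = $null

    Write-Output ("{0}\{1}: {2}" -f $env:COMPUTERNAME, $name, $action)
}
```

Because NTLM matches these accounts only by username and password, a password change on one server has to be repeated on the other; rerunning the script there resets the existing account.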