0

Why Isn’t TFSService In My Service Account Dropdown List?

by Angela 5. November 2012 09:45

Ever been migrating a TFS 2010 server and when you got to the place in the Application-Tier Only Wizard where you had to specify a Service account and POOF, your TFSService account did NOT appear as a possible option? Ruh-roh!  This is a known issue in TFS 2010, and you won’t encounter this in 2012 thankfully, but nonetheless. If it happens to you, hopefully this also works for your implementation!

Untitled

Now you certainly don’t want to be specifying a user account for this, but what on earth is a TFS admin to do? I got into this situation and fear not, there is NOTHING documented on-line to help you ::maniacal laughter:: Maniacal mostly because I beat my head on my desk for at least half a day trying to figure this out.  Nothing I could find on MSDN, the MSDN forums or any other searchable resource shed any light on the issue. I found the solution by calling in a favor with a couple of folks I know on the TFS product team.  I might seriously send them a cookie basket for being so awesome.  Seemed silly not to share my good fortune because this is a DOOZY if you ever run into it yourself.

Turns out, the values that go into this dropdown get collected by taking a poll of all of the TFS related SQL databases (configuration, warehouse, collections) referred to by the configuration file selected in the previous step. Obviously you need to select an account that can access all of the databases.  The account should a) not be dbo, b) not be db_owner, and c) needs to be a valid user with TFSADMINROLE and TFSEXECROLE. In my case, some folks had been having issues creating new Team Project Collections (because their TFS Admin accounts did not have proper permissions on the Data Tier) and so they logged into the AT as TFSService to create the collections ::head explodes::  Doing that makes TFSService dbo and dbo_owner and therefor pulls its name out of the proverbial hat to be used as the service account going forward.

So how do you fix it? a) make sure your TFS Admins have the appropriate rights on all of the servers they need to get their jobs done going forward and DO NOT take no for an answer.  Trust me, it’s brutal otherwise; b) Take TFSService OUT of the administrators group on the local server so no one can login as that user in the first place; c) go fix the TFSService account in the TFS related databases in SQL Server. This may seem scary, but I don’t know of another way.  Ask your DBA if you need to, it’s possibly their fault you got in this situation anyway Winking smile 

So what you need to do in SSMS to fix it?

  1. 1) Iterate through all of the TFS databases and change the Owner to something OTHER than TFSService; this will also reset the login associated to the dbo user. Keep in mind if this user is already in the Users group for that database, then they will need to be deleted from there first.
  2. Untitled

2) Add TFSService as a database user (Database | Security | Users –> New user…)

3) Assign them the following roles: TFSADMINROLE and TFSEXECROLE.

Untitled

 

And after you’ve given yourself carpal tunnel with the billion mouse clicks necessary to do this, you can restart the Application Tier Only wizard and you will find that now TFSService appears in your list. HUZZAH! ::throws confetti::

Untitled

Now ideally you will never get into this situation in the first place, but if you do, it’s not really documented other than this blog post – at least not that I know of. BIG THANKS to Brian MacFarlane and Ed Holloway on the TFS Product Team for helping me noodle through this issue.

Tags:

ALM | Application Lifecycle Management | MSDN | TFS | TFS 2010 | TFS 2012 | TFS Administration | Visual Studio

Powered by BlogEngine.NET 2.7.0.0
Original Design by Laptop Geek, Adapted by onesoft