Over the last few months I’ve been investigating source control solutions to replace our aging solution. After going through a few options we finally settled on TFS 2013. After much research I was able to figure out all the necessary requirements, the best options for getting it set up and running except for one crucial question. I couldn’t find a straight answer that explained how the application talked to remote database server with regards to user accounts. My guess was the TFSService account was in charge of this but I couldn’t get a definitive answer. I was really hoping it wasn’t going to use integrated authentication all the way to the database since that would be a non-starter.
With fingers crossed, I managed to get all the necessary approvals, got a new VM stood up and even got the database team to agree to create a service account that would let TFS manage its database requirements directly (rather than trying to pre-create the tables.)
When the day finally came, we ran into a slight snag. I was attempting to the do the TFS configuration from my account while the database guy watched, ever-ready to type in the service credentials. Unfortunately the database wasn’t being found no matter how correctly those credentials were typed. On a complete guess, we decided to try again while the DB guy was logged in. Sure enough this worked.
Once the configuration was complete, I was able to hit the TFS front-end and the connections to the database from that point on happened through the TFSService account. Neat. The downside is I can’t run the configuration tool to add new collections or change features since my account doesn’t have database rights. The TFSService account only applies to calls through the front-ends.
So, if you decide to install TFS 2013 on premises and to use a remote database managed by another team with very strict permissions, you’re going to need to run the configuration under an account with permissions to the database server. The web front-ends will communicate using the account configured as the TFSService account after that.
There. Weeks of trying to find a definitive answer and I finally just had to try it and hope for the best. Hopefully this saves someone else some time!
Happy controlling of the source,