
I am using groups in Active Directory to manage which users can access projects in TFS. My problem is that even though AD shows them in the group, and even though TFS, when I look at who is a member of the group, shows the user, access is not immediately granted.

I have tried refreshing the worker processes for TFS with no luck. A machine restart (the TFS server) does seem to fix it, but I can't be restarting my Source Control every time I make a change to AD.

How do I make AD "discover" the changes to AD more often? As of now it is some time under 24 hours before the changes finally occur and the users are allowed into the project. Also, this was happening with TFS 2005, and we upgraded to 2008, and it is still happening.

Any ideas?

Josh

2 Answers


Group memberships are enumerated for the user at logon. When you make changes to a user's memberships in AD, the user needs to log out/in of their machine for the changes to take effect for the user. I'm guessing the "under 24 hours" you mention is due to the fact they're coming back to work the next day and logging into the machine.

Izzy

TFS caches Active Directory information and is by default set up to poll Active Directory every 60 minutes. I reduced the interval on my server by adding an "IdentityUpdatePeriod" parameter in C:\Program Files\Microsoft Visual Studio 2008 Team Foundation Server\Web Services\Services\web.config.

I was seeing some errors syncing with Active Directory when it was set to 5 minutes, so I changed it to run every 15 minutes (and still see errors once in a while, but at least I don't have to tell users to wait an hour).

Before:

  <appSettings>
    <add key="ConnectionString" value="Data Source=[TFS_DATA_TIER_SERVER]\tfs;Initial Catalog=TfsIntegration;Integrated Security=True;Persist Security Info=False;Application Name=TeamFoundation" />
    <add key="eventingEnabled" value="true" />
    <add key="DetailedExceptions" value="false" />
    <add key="emailNotificationFromAddress" value="DoNotReply_TFS@company.com" />
    <add key="smtpServer" value="[smtp_server]" />
  </appSettings>

After:

  <appSettings>
    <add key="ConnectionString" value="Data Source=[TFS_DATA_TIER_SERVER]\tfs;Initial Catalog=TfsIntegration;Integrated Security=True;Persist Security Info=False;Application Name=TeamFoundation" />
    <add key="eventingEnabled" value="true" />
    <add key="DetailedExceptions" value="false" />
    <add key="emailNotificationFromAddress" value="DoNotReply_TFS@company.com" />
    <add key="smtpServer" value="[smtp_server]" />
    <add key="IdentityUpdatePeriod" value="0:15:0"/>
  </appSettings>
Luke
  • Is there an equivalent setting in IIS? I am having the exact same symptoms for a web application (permissions not propagating through groups to the file system, SQL Server). – JohnFx Aug 27 '12 at 23:39
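The edit Luke describes, as an added PowerShell example (not code from the answer or from Microsoft): it sets or updates the IdentityUpdatePeriod key in the TFS web.config idempotently, keeps a timestamped backup, and validates the h:m:s value before writing. The config path is the TFS 2008 default quoted in the answer; the 5-minute warning threshold is taken from the answer's report of sync errors at that interval, and the script itself is an assumption about how one might automate the change, not anything TFS ships.

```powershell
# Added example: set IdentityUpdatePeriod in the TFS 2008 web.config.
# Assumes the default install path from the answer above; adjust $ConfigPath if needed.
param(
    [string]$ConfigPath = 'C:\Program Files\Microsoft Visual Studio 2008 Team Foundation Server\Web Services\Services\web.config',
    [string]$Period     = '0:15:0'   # h:m:s; the 15-minute value the answer settled on
)

# Refuse values that are not a valid h:m:s span. The answer reports AD sync errors
# at 5 minutes, so warn (without refusing) when the requested interval is shorter.
$span = [TimeSpan]::Zero
if (-not [TimeSpan]::TryParse($Period, [ref]$span)) {
    throw "IdentityUpdatePeriod '$Period' is not a valid h:m:s value"
}
if ($span -lt [TimeSpan]::FromMinutes(5)) {
    Write-Warning "Intervals under 5 minutes produced AD sync errors in the answer above"
}

# Keep a timestamped copy so the change can be reverted.
$backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $ConfigPath -Destination $backup

# Load with whitespace preserved so the rest of the file keeps its formatting.
$cfg = New-Object System.Xml.XmlDocument
$cfg.PreserveWhitespace = $true
$cfg.Load($ConfigPath)

$appSettings = $cfg.SelectSingleNode('/configuration/appSettings')
if (-not $appSettings) { throw "No <appSettings> element found in $ConfigPath" }

# Update the key if it already exists, otherwise append a new <add> entry.
$entry = $appSettings.SelectSingleNode("add[@key='IdentityUpdatePeriod']")
if ($entry) {
    $entry.SetAttribute('value', $Period)
} else {
    $entry = $cfg.CreateElement('add')
    $entry.SetAttribute('key', 'IdentityUpdatePeriod')
    $entry.SetAttribute('value', $Period)
    [void]$appSettings.AppendChild($entry)
}

$cfg.Save($ConfigPath)
Write-Host "IdentityUpdatePeriod set to $Period (backup saved to $backup)"
```

Run it from an elevated prompt on the TFS application tier; saving web.config causes ASP.NET to recycle the application, so the new polling interval takes effect without a server restart.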