A while back I replied to a Rob Caron post regarding the connection of a TFS Proxy to a TFS Server in a different domain. Here's the link: http://blogs.msdn.com/robcaron/archive/2006/02/22/537485.aspx.
So, I am finally getting around to posting the actual Visio diagram for this particular configuration. I can verify that this configuration still works with SP1 of TFS.
A few notes:
- This solution uses local machine accounts, taking advantage of pass-through authentication. While using non-domain accounts is not ideal, I can't find any other option.
- My diagram points out that the tfs_proxy account must be a local administrator on the TFS Proxy box. But I have not actually tested this requirement.
- In our environment, I found that making the tfs_proxy account a Team Foundation Server Administrator was needed in order to avoid managing permissions across all the projects. This might be considered a security hole, as a user with the user name and password of the local tfs_proxy account would have full admin privileges on the TFS server.
- All users who are using TFS in the "other" domain (i.e. the domain that does not contain the TFS Server) need to have a domain account in the domain that is hosting the TFS Server. When launching Team Explorer or any of the TFS command-line tools, they will be prompted to enter this domain account's credentials.
Good luck, and make sure you let me know if this can be improved.
(Since I don't know how to insert a picture on this blog site with Live Writer, I'm burying the image files on my wife's photography site:) )