Today I have been setting up a cross-domain TFS proxy. The developers are in one domain and the TFS server in another. Given there is no trust between these domains, you have to use a trick to get it to work.

So I created a local user tfsproxy.local on both the TFS server and proxy with the same password on each. At the proxy end I made this local user a local admin.

Next I ran the TFS 2012.2 wizard, setting the proxy account to the tfsproxy.local user. It all passed verification, but then I got an error:

TF400371: Failed to add the service account ‘TFSPROXYTFSProxy.local’ to Proxy Service Accounts Group. Details: TF14045: The identity with type ‘System.Security.Principal.WindowsIdentity’ and identifier ‘S-1-5-21-4198714966-1643845615-1961851592-1024’ could not be found..

It seems this is a known issue with TFS2012. It is meant to be fixed in TFS2012.3, so I pulled down the ‘go live’ CTP and installed this on the proxy. It made no difference; I assumed it actually needs to be installed on the server end and not just the proxy, as this is where the user lookup occurs. However, I did not have access to do that upgrade today.

I was about to follow the workaround of removing the proxy from the domain, configuring it and then putting it back. But I then had an idea; the step it was failing on was granting rights, so I did it manually. On the TFS server end I added the tfsproxy.local user to the ‘Proxy Service Accounts Group’. Once this was done the configuration completed without error.

A quick test showed the proxy was working as expected.