This project is read-only.

TFS Deployer Cross Domain

Oct 11, 2010 at 6:55 AM

Hey guys,

I am having trouble getting TFS Deployer to work over two domains.

I have two domains, DEVDOM and TFSDOM.  TFS Deployer is installed on DEVDOM machine and I have entered in the correct settings for authenticating against TFSDOM



<setting name="TfsUserName" serializeAs="String">
<setting name="TfsDomain" serializeAs="String">
<setting name="TfsPassword" serializeAs="String">



I am using this command : TfsDeployer.exe -d and get the following error:


Microsoft.TeamFoundation.TeamFoundationServerException: TF50309: The following a
ccount does not have sufficient permissions to complete the operation: DEVDOM\admin. The following permissions are needed to perform this operation: View col
lection-level information.


It's like as if it is not reading the authentication settings I am putting in my config.

Am I missing something ?

Also, when I want to start this as a service in Services, what account do I Log On as ? just local systems account ?

Oct 11, 2010 at 1:20 PM


Looks like you've found a bug.

When TFS Deployer was updated to work with TFS 2010, the API for connecting to TFS changed. The API the TFS Deployer is now using to connect to TFS only uses the provided credentials if the default credentials (ie the user TFS Deployer is running as) fail. Because there is a trust relationship between DEVDOM and TFSDOM, Deployer is able to authenticate with the default credentials (DEVDOM\admin) and hence never tries the TFSDOM credentials. Unfortunately, while the first credentials authenticate, that account is not authorised to access the resources Deployer needs.

I will look at changing TFS Deployer to use a different method for connecting to TFS Deployer so that the provided credentials are always used first. In the mean time however, you have some options:

1. Given that TFS is recognising your DEVDOM\admin account via the cross-domain trust, you could grant that account access to the TFS resources Deployer needs, ...
2. For the user account that TFS Deployer will run as, configure different credentials in the Windows Credential Manager to use for the TFS server, or ...
3. Run TFS Deployer using a local-machine user account that won't be recognised by the TFSDOM domain and the settings in the configuration file should then be used.

This choice will be partly influenced by the answer to your second question about the service account. There is some information about service accounts in the wiki here:

I always recommend running any service with it's own service account with the least privileges it needs to work. For TFS Deployer I typically go so far as creating a dedicated service account for every instance in the network. If Deployer will be performing deployments completely local to the machine it is running on, you can create a local-machine account for the service account. If TFS Deployer will be accessing remote resources (including the build drop folder) you may want to configure the local account as a shadow account, or use a domain account instead for the service.

Whichever you choose, when testing TFS Deployer interactively with the "-d" switch I recommend doing so by first starting a Command Prompt using the same credentials you've configured as the service account (ie Log On As) so that it runs much the same as it will as a service.



Oct 11, 2010 at 1:31 PM

Changeset 50915 ( should now include the fix required for your issue.

This update will be included in the next release but if you want it now, you can get the latest source from the Trunk and run build.cmd.



Oct 11, 2010 at 11:32 PM


Fixed the problem. Thank you so much for the prompt changeset.