TF400371, TF14045 | Configuring Proxy in an Untrusted Domain

If you are running TFS 2012 RTM, Update 1, or Update 2 and are trying to configure a proxy machine in an untrusted domain, you will find that the configuration process blocks this previously supported scenario with the following errors:

TF400371: Failed to add the service account 'TFSPROXY\TFSProxy1' to Proxy Service Accounts Group. Details: TF14045: The identity with type 'System.Security.Principal.WindowsIdentity' and identifier 'S-1-5-21-4198714966-1643845615-1961851592-1024' could not be found..

 

Fortunately, there is a workaround that will help you get Proxy back up and running.  Please follow these steps:

  1. If you are on TFS 2012 RTM or Update 1, you will need to upgrade to Update 2.
  2. Once you are on Update 2, you will need to join your proxy server to TFS by placing it in a workgroup during configuration.
  3. After configuration is complete, move your proxy server back into the untrusted domain. Please be sure you continue to follow the guidance around shadow accounts closely.

We apologize for the inconvenience and will be including the fix for this bug in Update 3.

Comments

  • Anonymous
    April 15, 2013
        If we place TFS from domain to workgroup, is TFS working normally? Here we possess a TFS in workgroup and a TFS proxy in domain. I have encountered this issue many times; whatever accounts (such as proxy local account or system account "NT AUTHORITY NETWORK SERVICE"), the configuration process is always blocked by TF400371 error. Is your workaround suitable for us? Do you have any good advice towards our TFS configuration environment? Thanks a lot. :-)