Microsoft KB Archive/942718

= Team Foundation Server - Connectivity issues occur when large Active Directory groups are added to Team Foundation Server security groups =

Article ID: 942718

Article Last Modified on 9/18/2007


APPLIES TO


 * Microsoft Visual Studio 2005 Team Foundation Server




Source: Microsoft Support



RAPID PUBLISHING
RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED TO SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.



Action
You have a Microsoft Visual Studio 2005 Team Foundation Server installation. You add an Active Directory group to a Team Foundation security group. The Active Directory group has a very large number of users (such as \Domain Users).



Result
Users of Microsoft Visual Studio 2005 Team Foundation Server (TFS) may experience intermittent connectivity issues, receive client-side errors, and may be unable to perform version control or work item tracking operations.

In addition, the TFS application pool on the TFS application tier machine (AT) may recycle frequently, and you may see frequent events in the Application event log indicating that the application pool has been shut down:

 Event Type: Information
 Event Source: TFS Services
 Event Category: None
 Event ID: 9002
 Date: 7/29/2007
 Time: 11:58:09 PM
 User: N/A
 Computer:
 Description:
 The following information is part of the event: Team Foundation Core Web Service Application shut down.

You may also see errors like the following in the Application event log on the AT:

 Event Type: Error
 Event Source: TFS Services
 Event Category: None
 Event ID: 3055
 Date: 7/29/2007
 Time: 11:58:09 PM
 User: N/A
 Computer:
 Description:
 TF53010: An unexpected condition has occurred in a Team Foundation component. The information contained here should be made available to your site administrative staff.
 Technical Information (for the administrative staff):
 Date (UTC): 7/30/2007 3:58:09 AM
 Machine:
 Application Domain: /LM/W3SVC/2/Root/services-2-128302413064758610
 Assembly: Microsoft.TeamFoundation.Server, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a; v2.0.50727
 Process Details:
 Process Name: w3wp
 Process Id: 4340
 Thread Id: 8128
 Account name: \
 Detailed Message: TF50621: GSS: Failed to retrieve identity from source : [S-1-5-21-111111111-222222222-333333333-4444]
 Exception Message: Thread was being aborted. (type ThreadAbortException)
 Exception Stack Trace: at System.DirectoryServices.Interop.UnsafeNativeMethods.IntADsOpenObject(String path, String userName, String password, Int32 flags, Guid& iid, Object& ppObject)
 at System.DirectoryServices.Interop.UnsafeNativeMethods.ADsOpenObject(String path, String userName, String password, Int32 flags, Guid& iid, Object& ppObject)
 at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
 at System.DirectoryServices.DirectoryEntry.Bind
 at System.DirectoryServices.DirectoryEntry.get_SchemaClassName
 at Microsoft.TeamFoundation.Server.IdentityStoreAccessor.GetIdentityFromEntry(DirectoryEntry de, String domain)
 at Microsoft.TeamFoundation.Server.IdentityStoreAccessor.ReadIdentityFromAD(String domain, String username)
 at Microsoft.TeamFoundation.Server.IdentityStoreAccessor.ReadIdentityFromSource(String sid)



Cause
Microsoft Visual Studio 2005 Team Foundation Server is unable to complete its synchronization with Active Directory when the TFSIntegration.tbl_security_identity_cache table contains a very large number of active users.



Resolution
To resolve this issue, remove the permissions for the groups that have large numbers of members. You can detect this condition by running this query against the TFSIntegration database using SQL Server 2005 Management Studio connected to the Database Engine on the Microsoft Visual Studio 2005 Team Foundation Server (TFS) data tier machine:

 use TfsIntegration
 select count(*) from tbl_security_identity_cache where deleted = 0

A result value of over 80,000 indicates a potential problem, while a result value over 100,000 will almost certainly cause performance degradation or errors. Note that the addition of any groups containing users who do not require access adds additional overhead and should be avoided if possible.

You can run the following query to return 10 rows with information about the 10 TFS groups with the greatest number of members:

 use TfsIntegration
 select top 10 count(*) as membercount,
     substring(mc.container,1,60) as sid,
     substring(ic.display_name,1,40) as display_name,
     ic.domain
 from tbl_security_membership_cache mc
 join tbl_security_identity_cache ic on mc.container = ic.sid
 group by mc.container, ic.display_name, ic.domain
 order by membercount desc

The result set of this query will contain "display_name" and "domain" columns. Use these columns to determine which Active Directory (AD) groups, if any, may be members of TFS security groups. Once you have identified an AD group in the list, use the value in the "SID" column of that row to determine to which TFS security group the AD group belongs. This is done using the TFS TFSSecurity.exe command line utility on the TFS AT machine as follows (NOTE: You must be an administrator on the TFS AT machine to perform this action):

1. Open a Command Prompt on the TFS AT machine

2. CD to the TOOLS subdirectory of the TFS installation directory. By default this is C:\Program Files\Microsoft Visual Studio 2005 Team Foundation Server.

3. Run the following command:

tfssecurity /im sid: /server:

The output from this command will list the members of the group identified by the SID. In addition, the end of the output will include a list of group(s) the SID-identified group is a member of. This list may contain TFS groups, which will help you track down and remove the membership using the Team Foundation Server Settings from TFS Team Explorer.
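The two checks above can be combined into one batch for a recurring review of group scope. This is an added example, not part of the original article: it uses only the tables, columns and thresholds named above, while the variable names, the status labels and the percentage column are assumptions introduced here.

```sql
-- Added example (not from the KB article): single health-check batch.
-- Written for SQL Server 2005, so variables are assigned with SET.
USE TfsIntegration;

DECLARE @active_identities  int;
DECLARE @warn_threshold     int;
DECLARE @critical_threshold int;

SET @warn_threshold     = 80000;   -- "potential problem" figure from the article
SET @critical_threshold = 100000;  -- "almost certainly" degraded figure from the article

-- Same count as the article's first query.
SELECT @active_identities = COUNT(*)
FROM tbl_security_identity_cache
WHERE deleted = 0;

-- One-row verdict; the status labels are hypothetical names chosen for this example.
SELECT @active_identities AS active_identities,
       CASE
           WHEN @active_identities > @critical_threshold THEN 'CRITICAL'
           WHEN @active_identities > @warn_threshold     THEN 'WARNING'
           ELSE 'OK'
       END AS status;

-- Only when a threshold is crossed, list the ten largest groups so the
-- over-broad AD group can be identified and its SID passed to TFSSecurity.exe.
IF @active_identities > @warn_threshold
BEGIN
    SELECT TOP 10
           COUNT(*)      AS membercount,
           mc.container  AS sid,
           ic.display_name,
           ic.domain,
           -- Rough indicator only: membership rows are not filtered on the
           -- deleted flag, so this is an approximation of each group's share.
           CAST(100.0 * COUNT(*) / @active_identities AS decimal(6,2))
               AS pct_of_active_identities
    FROM tbl_security_membership_cache mc
    JOIN tbl_security_identity_cache ic ON mc.container = ic.sid
    GROUP BY mc.container, ic.display_name, ic.domain
    ORDER BY membercount DESC;
END
```

Groups near the top of the second result set with a high percentage are the first candidates to replace with narrower groups containing only the users who need TFS access.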



More Information


DISCLAIMER
MICROSOFT CORPORATION AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, OR ACCURACY OF THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN. ALL SUCH INFORMATION AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, WORKMANLIKE EFFORT, TITLE AND NON-INFRINGEMENT. YOU SPECIFICALLY AGREE THAT IN NO EVENT SHALL MICROSOFT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OF OR INABILITY TO USE THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN, WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, EVEN IF MICROSOFT OR ANY OF ITS SUPPLIERS HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES.

Keywords: kbnomt kbrapidpub kbmbsdevelopmenttools KB942718


© Microsoft Corporation. All rights reserved.