My organization is split up into two domains, a corporate domain (example.net) and a domain for external resources (example.biz) with a one-way transitive forest trust allowing .net users to authenticate in the .biz domain. We have installed Team Foundation Server 2012 within the example.biz domain with the intent that our corporate users can access this resource and so we can provide external users access to this same resource without allowing them to gain entry into the corporate network.
The problem that we are facing is that when searching the directory for a user to grant access to either a file (security permissions) or group membership (ie: Team Foundation Administrators in TFS2012) on a member server during the "check names" lookup the users from the example.net domain are not found. I noticed that on our primary Domain Controller for our example.biz domain this is not a problem, you can add the .net users to groups on the Domain Controller and those groups can be used on any member servers within the example.biz domain however this is far from the granular premissions level that we need.
A poor example of this would be setting permissions for a file;
- On the example.biz Domain Controller you can create a group called "ExampleDotNet Users", use the lookup and add users from the example.net domain into this security group.
- On the example.biz Member Server within the a files security permissions you could grant access to the "ExampleDotNet Users" group and it will work as expected, however if you try to grant access to sally@example.net the lookup will fail to locate the user.
Is this a standard behavior of the type of trust that we have setup and I am just misunderstanding or should we be allowed to grant our example.net users explicit permissions? Any assistance would be greatly appreciated.