Article ID: 948679 - Last Review: February 1, 2008 - Revision: 1.3

Team Foundation Server team project creation may fail after a user account is deleted and recreated in Active Directory

Source: Microsoft Support

RAPID PUBLISHING

RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED TO SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.

Action

An Active Directory domain account has team project creation permissions on a Microsoft Team Foundation Server (TFS). That user's domain account is deleted and then recreated in Active Directory. Users then try to create a new team project in TFS.

Result

Users receive an error from the Project Creation Wizard:
 
"TF30170: the plugin Microsoft.ProjectCreationWizard.WorkItemTracking Failed during task WITS from group WorkItemTracking"

When the project creation log is reviewed it shows the following details:

Event Description: TF30162: Task "WITs" from Group "WorkItemTracking" failed
Exception Type: Microsoft.TeamFoundation.Client.PcwException
Exception Message: Value cannot be null.
Parameter name: Identity object returned by ReadIdentities call is null for a valid sid ---> Value cannot be null.
Parameter name: Identity object returned by ReadIdentities call is null for a valid sid

Cause

There is a bug in one of the TFS stored procedures relating to background synchronization between TFS and Active Directory. This defect can cause data corruption in tables contained in the TFS "tfsintegration" SQL Server database.

To verify this problem, run the TfsAdminUtil.exe SID command from a command prompt (the tool is usually located in C:\Program Files\Microsoft Visual Studio 2005 Team Foundation Server\Tools on the TFS application-tier machine). This command is used to change or list the registered security identifiers (SIDs) in TFS. It returns a table that lists TFS users and the status of their SIDs. For example, here is normal output:


TfsAdminUtil - Team Foundation Admin Utility
(C) Copyright 2006 Microsoft Corporation. All rights reserved.

Account Name                    Found    Equal to Windows SID   
-----------------------------------------------------------
OurDomain\User1                 True     True                   
OurDomain\User2                 True     True                   
OurDomain\User3                 True     True                   
OurDomain\User4                 True     True                   
OurDomain\User5                 True     True                   

Found 5 SIDs in the database.
Of these were 5 found in Windows and 0 had a different SID.


In the situation described in this article, however, the output may look like this instead (where User5 is the account that was deleted and recreated in Active Directory):


TfsAdminUtil - Team Foundation Admin Utility
(C) Copyright 2006 Microsoft Corporation. All rights reserved.

Account Name                    Found    Equal to Windows SID   
-----------------------------------------------------------
OurDomain\User1                 True     True                   
OurDomain\User2                 True     True                   
OurDomain\User3                 True     True                   
OurDomain\User4                 True     True                   
OurDomain\User5                 True     True                   
OurDomain\User5                 True     False                   

Found 6 SIDs in the database.
Of these were 6 found in Windows and 1 had a different SID.
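
The check described above can be run over saved TfsAdminUtil.exe SID output. The following is an added example, not part of the original article or of any Microsoft tooling: it flags any account that is listed more than once or whose "Equal to Windows SID" or "Found" column is False. The function names are hypothetical and the sample text is an abbreviated, constructed copy of the output shown above.

```python
import re
from collections import defaultdict

# Constructed sample, abbreviated from the abnormal output shown in the article.
SAMPLE_OUTPUT = r"""
TfsAdminUtil - Team Foundation Admin Utility
Account Name                    Found    Equal to Windows SID
-----------------------------------------------------------
OurDomain\User1                 True     True
OurDomain\User4                 True     True
OurDomain\User5                 True     True
OurDomain\User5                 True     False

Of these were 4 found in Windows and 1 had a different SID.
"""

# A data row is an account name followed by two True/False columns.
# The lazy match lets account names contain spaces.
ROW = re.compile(r"^(?P<account>\S.*?)\s+(?P<found>True|False)\s+(?P<equal>True|False)\s*$")

def parse_rows(text):
    """Return (account, found, equal_to_windows_sid) for every data row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m["account"], m["found"] == "True", m["equal"] == "True"))
    return rows

def find_stale_sids(text):
    """Map each suspect account to the reasons it was flagged."""
    by_account = defaultdict(list)
    for account, found, equal in parse_rows(text):
        by_account[account.lower()].append((account, found, equal))
    findings = {}
    for entries in by_account.values():
        reasons = []
        if len(entries) > 1:
            reasons.append("duplicate entry")
        if any(not equal for _, _, equal in entries):
            reasons.append("SID differs from Windows")
        if any(not found for _, found, _ in entries):
            reasons.append("not found in Windows")
        if reasons:
            findings[entries[0][0]] = reasons
    return findings

if __name__ == "__main__":
    print(find_stale_sids(SAMPLE_OUTPUT))
```
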











Resolution

To begin, you must first identify the "groupSid" and "identitySid" for the deleted/recreated user, as follows:

  1. Using SQL Server Management Studio, connect to the TFS database-tier machine.
  2. Create a new query against the tbl_security_identity_cache table in the TfsIntegration database that returns the records for the affected user. For example:

         select sid, display_name, deleted from dbo.tbl_security_identity_cache where tbl_security_identity_cache.account_name like '%user5%'

     Copy the value in the sid column for the user's record where the deleted column has a value of 1. This is the "identitySid".

  3. Locate the "groupSid" by executing the following query. The "groupSid" is the value returned in the Parent_group_sid column:

         select * from tbl_gss_group_membership where member_sid like '<SID from step 2>'

  4. Log on to the console of the TFS application-tier machine as a TFS administrator.
  5. Open Internet Explorer and navigate to this URL:

         http://localhost:8080/Services/v1.0/GroupSecurityService.asmx?op=RemoveMemberFromApplicationGroup

  6. Enter the "groupSid" and the "identitySid" identified from the query results above.
  7. Click Invoke. (Only click Invoke ONCE).

If successful, a new Internet Explorer window will launch, but the screen within Internet Explorer will be blank (no error).

Note: you must do this through the web service API. Do not attempt to run these commands using tfssecurity.exe.





DISCLAIMER

MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE “MATERIALS”) FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.

APPLIES TO
  • Microsoft Visual Studio Team System 2008 Team Foundation Server
  • Microsoft Visual Studio 2005 Team Foundation Server
Keywords: 
kbnomt kbrapidpub KB948679