Accounts Required for Installation of Team Foundation Components
You must use service accounts to install any component of Team Foundation. If you use reporting, you also need a report reader account when you install Team Foundation Server. This topic describes the requirements for service accounts and the report reader account for installation. For more information, see this page on the Microsoft Web site: Service Accounts and Dependencies in Team Foundation Server.
Visual Studio Team Foundation Server requires multiple identities for installation, but you can use a single account for all the identities, as long as that account meets the requirements for all the identities for which you use it.
This guide uses the placeholder names that are specified in the tables later in this topic to discuss the accounts that are required for components of Team Foundation and certain features of Team Foundation Server. You do not have to use these placeholder names for any accounts that you might create.
Best Practices for Accounts
None of the accounts in this topic should belong to the Administrators security group.
If you use domain accounts for your service accounts, you should use a different identity for the report reader account.
If you are installing a component in a workgroup, you must use local accounts for user accounts.
Report Reader Account
The report reader account is the identity that is used to gather information for reports. If you use reporting, you must specify a report reader account when you install Team Foundation Server.
If you install Team Foundation Server with the default options, the report reader account is also used as the identity of the service account for Windows SharePoint Services.
Feature |
Sample user logon name |
Requirements |
|---|---|---|
Reporting |
TFSREPORTS |
You must specify a user account that has the Allow log on locally permission. Default: You are prompted for this account. You cannot use a built-in account for the report reader account. |
Service Accounts
Each component of Team Foundation that you install requires an identity. This identity is the service account. By default, every component of Team Foundation uses a built-in account (such as Network Service) as its service account. You can change this account to a user account when you install the component, but you must ensure that any user accounts that you use have the Log on as a service permission.
Tip
Built-in accounts do not use passwords and already have the Log on as a service permission, making them easier to manage, especially in a domain environment.
Service Accounts for Components of Team Foundation
The service accounts in the following table are the identities that are used to run Windows services for the listed components of Team Foundation.
The service account for Team Foundation Server is also used in Internet Information Services (IIS) as the identity of the application pool for Team Foundation Server.
Component |
Sample user logon name |
Requirements |
|---|---|---|
Team Foundation Server |
TFSSERVICE |
You can specify a built-in account or a user account. If you specify a user account, it must have the Log on as a service permission. You must not use the account that you use to install Team Foundation Server as the account for TFSSERVICE. For example, if you are logged in as domain\user1 when you install Team Foundation Server, do not use domain\user1 as the account for TFSSERVICE. If you are using reports, you must add TFSSERVICE to the Content Manager role on the server that is running SQL Server Reporting Services. For more information, see How to: Add the Service Account for Team Foundation Server to the Report Server. If your SharePoint site was not installed at the same time as Team Foundation Server, you must add TFSSERVICE to the Farm Administrators group for the SharePoint Central Administration site. For more information, see How to: Add the Service Account for Team Foundation Server to the Farm Administrators Group. Default: Network Service .gif "Note") Note
If you use a system account (such as Network Service) here and want to configure e-mail notifications after installation, you must configure your SMTP server to allow anonymous senders to send e-mail. For more information, see the following page on the Microsoft Web site: Configure E-mail Notifications and Specify the SMTP Server.
|
Team Foundation Build |
TFSBUILD |
You can specify a built-in account or a user account. If you use a user account, it must have the Log on as a service permission. Default: Network Service |
Team Foundation Server Proxy |
TFSPROXY |
You can specify a built-in account or a user account. If you use a user account, it must have the Log on as a service permission. Default: Network Service |
Service Accounts for Additional Software
The following table lists the service accounts that are the identities that are used to run Windows services for SharePoint Products and SQL Server.
The service account for SharePoint Products is also the identity of the application pool for the SharePoint Central Administration site.
Software |
Sample user logon name |
Requirements |
|---|---|---|
SharePoint Products |
WSSSERVICE |
You must specify a user account. Default: If you install Team Foundation Server with the default options, the account that you specified as the report reader account is also used for this account. |
SQL Server |
SQLSERVICE |
You must set up this account before you install Team Foundation Server. Team Foundation Server has no other requirements for this account. |
See Also
Reference
Checklist: Single-Server Installation
Checklist: Multiple-Server Installation
Checklist: Adding an Application Tier
Checklist: Upgrade Team Foundation Server By Using More Than One Server
Checklist: Installing Team Foundation Build Service