This is one of the trickiest scenarios that I handled recently, so I decided to share it on a public forum for the benefit of others who are facing similar issues. Following is the detailed description.

The customer had two domains, something like( and another domain, let us call it ( with a one-way transitive forest trust allowing .net users to authenticate in the other domain. We installed Team Foundation Server 2012 within the domain, and the users who needed to access the server were in another domain, say .

The customer noticed that after configuring the server, while adding users to Team Foundation Server groups from the domain, usernames were populated with their full display name (i.e. Nitish Nagpal). However, when adding users from the domain (where Team Foundation Server was installed), they were found not by their display name but by their login name, something like DOMAIN\Username in Active Directory (i.e. nitishn (alias) and not Nitish Nagpal (display name)).


The problem was happening because the Team Foundation Windows job agent service, which was responsible for obtaining user information from Active Directory, was running under a tfsservice account in domain. That led us to believe that our service account was able to query Active Directory to obtain the information only where Team Foundation Server was installed.


The customer's service account was configured as a user from their ab.contoso domain (where Team Foundation Server was installed), which could not read the directory.

Hence, to solve the problem, we changed the Team Foundation Server service account to an account from domain instead of the abc.contoso domain (where Team Foundation Server was installed). That resolved the issue, and we were now able to see users with their full display names from both domains while adding them to a Team Foundation Server group.

Written and Reviewed by Nitish Nagpal, Support Escalation Engineer