Steps:
1. Create an AD group for this kind of user
2. Create an AD user for the client and add that user to the group created in step 1
3. In the TFS project, add that AD group as a member of the project's Readers group (in Team Explorer, right-click the project -> Team Project Settings -> Group Membership)
Then that's all? In my case, no! When I tested logging in with that AD user and opened TFS, I could see all the TFS projects!
After some investigation, I found:
1. In our TFS the built-in server-level TFS user group Team Foundation Valid Users had *full* permissions, which differs from the default settings
2. Some description of this TFS user group:
SERVER\Team Foundation Valid Users: Members of this group have access to Team Foundation Server. This group automatically contains all users and groups that have been added anywhere within Team Foundation Server. You cannot modify the membership of this group through the user interface. (Source: http://blogs.msdn.com/vstsue/articles/502046.aspx)
Someone must have played with our TFS and given the wrong permissions to the Team Foundation Valid Users group. After restoring it to the default, the problem was solved.
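The AD side of steps 1 and 2 above, as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory module is available and uses made-up group, user and OU names; step 3 is still done in Team Explorer as described. It ends with a membership check in the spirit of the lesson above: the client account should get access through the intended group only.

```powershell
# Added example (not from the original post): steps 1 and 2 with the
# ActiveDirectory PowerShell module. Group, user and OU names are
# assumptions; replace them with your own. Step 3 (adding the group to
# the project's Readers group) is done in Team Explorer as described above.
Import-Module ActiveDirectory

$ClientGroup = 'TFS-ClientReaders'                       # assumed group name
$ClientUser  = 'client.reader'                           # assumed user name
$TargetOU    = 'OU=ExternalClients,DC=example,DC=local'  # assumed OU

# Step 1: create the group only if it does not already exist.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$ClientGroup'")) {
    New-ADGroup -Name $ClientGroup -SamAccountName $ClientGroup `
        -GroupScope Global -GroupCategory Security -Path $TargetOU `
        -Description 'External clients with read-only TFS access'
}

# Step 2: create the client user (password prompted, never hard-coded)
# and add it to the group from step 1.
$Password = Read-Host -AsSecureString 'Initial password for the client user'
New-ADUser -Name $ClientUser -SamAccountName $ClientUser -Path $TargetOU `
    -AccountPassword $Password -Enabled $true -ChangePasswordAtLogon $true
Add-ADGroupMember -Identity $ClientGroup -Members $ClientUser

# Verification: the client user should belong to the new group and to
# 'Domain Users' only. Any other group means access is granted through a
# path you did not plan, like the over-permissioned Valid Users group above.
$Groups = Get-ADPrincipalGroupMembership -Identity $ClientUser |
          Select-Object -ExpandProperty SamAccountName
$Unexpected = $Groups | Where-Object { $_ -notin @($ClientGroup, 'Domain Users') }
if ($Unexpected) {
    Write-Warning "Unexpected group membership for ${ClientUser}: $($Unexpected -join ', ')"
} else {
    Write-Host "$ClientUser is a member of $ClientGroup only (plus Domain Users)."
}
```

After step 3, log in as the new user once more and confirm only the intended project is visible; if others are, check the server-level group permissions before touching the project-level ones.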