Team Foundation Server in our development lab vs. production

We've had a single Team Foundation Server (for source code control) on our production domain for a few years (corp.ourcompany.net), and it's worked great. However, we've got a lab now and I'd like to extend source control access to developers operating there (testlab.corp.ourcompany.net). That way, developers working on code either in the lab or in the production network will have access to the same source code (This isn't a question about where to develop - I recognize it should all be in a lab of kinds, but it's not).

It's in a firewalled subset of the network, and there's no access from lab into production, so we've installed a TFS Proxy server in the lab and allowed all the necessary ports. However, since these are two different domains, I'm running into trouble - when I try to configure the proxy server, it asks for a service account that has access to the production TFS, and I can't add one:

1. When I provide an account from production (corp.ourcompany.net\ProxyAccount), it won't resolve it
2. If I use a testlab account, I can't grant this account access in production (the account needs to be able to view source code on the production server).

Do I need some kind of trust set up? I don't believe there's currently any, or if it's even an option with how we're set up, but I'm stuck - I can't seem to get the developers in the lab access to source control on the production TFS server. Even if they did have network access, I can't grant their testlab domain logins any kind of application access necessary to log in to TFS.

Am I missing something obvious? Are there other ways to get this accomplished? Other platforms may be more flexible than TFS, but I'm not ready to explore making a change there - I'm interested in a potential way to get TFS to accommodate my needs before I make the case to switch. Thanks!