I am connecting to TFS server using terminal on my MacBook according to the website: https://learn.microsoft.com/en-us/visualstudio/mac/tf-version-control?view=vsmac-2019. Yes i have created the workspace successfully but when I try to map it to local folder, it always shows error about access denied even though my credentials is absolutely correct, I am using personal access token as username and leave empty for the password.
The error is:
Access denied connecting to TFS server https://dev.azure.com/myworkbaseasolutemobile/VersionControl/v4.0/repository.asmx (authenticating as f). After that, it prompt me to enter the username and password, once I type in, terminal do nothing but give me new line to enter the new command. When I entered the tf workfold command again, the error comes out again.
I don't even know where is the 'f' comes from. I don't know where is the problem. Anyone can help me on this?
Personal access tokens (PATs) are alternate passwords that you can use to authenticate into Azure DevOps.
Azure DevOps uses enterprise-grade authentication to help protect and secure your data. Clients like Visual Studio and Eclipse (with the Team Explorer Everywhere plug-in) also support Microsoft account and Azure AD authentication. Since PATs are an alternate form of user authentication, using a PAT gives you the same access level. If you create a PAT with a narrower scope, your access is limited to that scope.
Please leave the username empty and use PAT as password to access your TFS server.
Besides, , since you are using PAT with on-premise TFS server, check if you already turned off Basic Authentication.
We recommend you keep IIS Basic Authentication turned off at all times
when using Azure DevOps Server. Only if necessary should you enable
IIS Basic Authentication. When IIS Basic Authentication is enabled on
your windows machine, it prevents you from using personal access
tokens (PATs) as an authentication mechanism.
More details please take a look at this official link.
Related
A have an Azure Website running which connects to an Azure SQL through Entity Framework 6. Everything runs and I'm using standard username/password (sql login) to connect.
Now, I would like to switch over to using AAD for authenticating to sql. I already have an AD Application set up for the website.
My question is:
How do I connect with my cert or clientid/clientSecret?
How do I ensure that the SqlAzureExecutionStrategy is still in function
Any guidance is much appreciated
Thanks!
There are three ways connecting to SQL database by using Azure Active Directory authentication.
Connecting using integrated (Windows) authentication
Connecting with an Azure AD principal name and a password
Connecting with an Azure AD token
More detail about the Azure AD authentication for the Azure SQL database, you can refer here.
And if you were trying the config the connecting with access token the code sample provided by this blog is helpful. Also it is helpful to familiar with to authenticate with Azure AD with the client credential flow using the certificate from this link.
And based on my understanding, the connection string you used doesn't effect the Connection Resiliency feature which provided by the Entity Framework.
This is what can be done in this scenario.
Generally, when you first acquire a token you will get an information when the token expires. With this you should keep the time-tracking and repeat your connection code acquiring a token before the token expires.
My team writes a monitoring system which we have recently migrated the definitions of our monitoring into a git repo. These definitions are comprised of some json and powershell files. VSCode is an ideal scenario for editing and dealing with git. The problem is while developing the monitoring it is nice to be able to execute it against a test environment. Previously all editing was done through a web interface and we allowed ad hoc execution of the powershell against test machines through an API which is secured with AzureAD and OAuth2.0.
VS Code extensions don't have access to the full electron api and you are restricted from creating a BrowserWindow to handle the usual OAuth redirect flow. Is there a way to work around this limitation and allow a user to auth to our api so that we can make calls to it?
Any ideas or possible workarounds would be awesome.
One thing you can do is to use Server to Server via Client Credentials authentication method. There is node npm library here.
You will need to first register your VS code extension into Azure AD via Azure Portal.
The downside of this method is the credential passed to the Web API won't be user's credential but rather same extension specific credentials. But it would be OK in case you don't need VS code user's identity.
The supported way to get a user token for an application that doesn't have the ability to open a Web Browser to auth is the "OAuth Device Flow". Here is a link to a blog about how to implement it with AAD.
https://joonasw.net/view/device-code-flow
You need to host a localhost webserver inside your extension, when you're doing the auth and then pass localhost:port as the redirect URI for the oauth login flow.
I'm working on a web application that works with the TFS API and I would like to make sure that any users that use it have the proper authentication to use TFS.
To do so I use the following code:
TfsTeamProjectCollection teamProjectCollection = configServer.GetTeamProjectCollection(collectionId);
teamProjectCollection.EnsureAuthenticated;
I'm going to host the website on IIS.
When a user uses the web app, will EnsureAuthenticated use their credentials, or will it use the credentials of the remote desktop I'm hosting the application on?
It depends.
If you have configured ASP.NEt to use impersonation, it will use the account of the logged user.
If ASP.NET is configured with default settings there are a number of things that can happen
If there is a credential stored in the Credentials Manager it will use that
If the application pool is running under a real account it will try to do that
If the application pool is running an application pool account, it will probably try to authenticate with the System's account (COMPUTER$)
I'd say, try it and look at the IIS logs of your TFS server or use something like fiddler to capture the traffic.
I installed TFS 2013 on the server side with a "Basic Installation". I can access the TFS locally using the localhost URL it doesn't ask for a username and password.
But when I access the URL online then It prompts for a username and password.
How do I configure this on my server. I am new to TFS and cant find a proper explanation online.
In order to log into TFS you need credentials on the local machine. Create local accounts for all of your users and add them to TFS.
You would be better using VSO (TFS Online) as it authenticates with Live ID and is more secure and resilient.
I'm working with an MVC application on a test server that used to work perfectly. It creates accounts on a server that a 2nd application uses for logging in. It uses a credential store and PrincipalContext and UserPrincipal objects to create these accounts.
I haven't used the test version of this app for months or possibly almost a year. Now when I go to create an account with the application, I get the following error:
Access is denied.
ASP.NET is not authorized to access the requested resource. Consider
granting access rights to the resource to the ASP.NET request
identity. ASP.NET has a base process identity (typically
{MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and
the configured application pool identity on IIS 7.5) that is used if
the application is not impersonating. If the application is
impersonating via , the identity will be
the anonymous user (typically IUSR_MACHINENAME) or the authenticated
request user.
To grant ASP.NET access to a file, right-click the file in Explorer,
choose "Properties" and select the Security tab. Click "Add" to add
the appropriate user or group. Highlight the ASP.NET account, and
check the boxes for the desired access.
I looked at anonymous access, but the production version of this app also has a rule to deny anonymous access and it's working fine. This application never used impersonation even when it was working and I've heard that granting explicit access to ASP.NET is not generally recommended. I can make the application work locally through Visual Studio, but the version deployed to test continues to give this error. I would rater not republish the site to test, but perhaps that's the only option left? Is there anything obvious (but not to me) that could have changed in the security settings to cause this? I'm still researching with no luck.
Thank you!
You need to provide a service account to your ApplicationPool Identity that has the appropriate level of access. When you're using the Studio, it uses your user account for access so it's almost a given. When the application is installed onto IIS it uses the lowest possible level of access available, and that simply isn't enough. It isn't recommended that you open it wide up, but establishing a limited access service account for this specific purpose will allow the application to function without having to compromise system or personal accounts.