Background
I have nuget packages in a private nuget feed on azure devops and I try to consume them from on-prem TFS.
This worked, but only for a few hours
In azure devops, I navigated to Artifacts -> Connect to feed and clicked the link "Download NuGet + Credential Provider". When running CredentialProvider.VSS.exe -U URL_TO_FEED I got a jwt token.
In tfs on-prem, I navigated to the "NuGet restore" step in the build definition. At "Feeds and authentication" I selected "Feeds in my NuGet.config" and at "Credentials for feeds outside this account/collection" I clicked "Manage". In the "Add new Team Foundation Server/Team Services Connection" dialog box I selected "Token Based Authentication" and filled in the values. I put the token I got from CredentialProvider.VSS.exe in the field "Personal Access Token".
The nuget packages were restored so everything seemed good, but the next day it didn't work any longer since the token was only valid for a few hours (I decoded it to verify).
Question
How am I supposed to make this work? It seems strange to use a "Personal Access Token" since it shouldn't be related to me as a person (in case I leave the organization for example). The username for the token generated by CredentialProvider.VSS.exe was VssSessionToken which might indicate that it's not a personal token related to me, but I don't know.
The PAT (Personal Access Token) are pretty much the way to go for Azure Artifacts feeds as they are the generic to provide access to different parts of Azure DevOps.
If you are worried about the fact that they are personal it might be a solution to use a service account to generate the tokens.
If you want a PAT that has a longer lifetime it might be easier to create one yourself (see https://learn.microsoft.com/en-us/azure/devops/artifacts/nuget/nuget-exe?view=azure-devops&tabs=new-nav#add-a-feed-to-nuget-2 for instructions)
In short you will create a PAT with the 'Packaging (read)' permission, as to limit the possibility of abuse.
Two things to take into account:
PAT's always have an expiration date so you will need to keep track of that.
PAT's give access to the Azure DevOps Api as the user that created them, so make sure they are not accessible and limit the permissions as much as possible.
Related
We are facing a TFS domain migration.
As written in TFS documentation Move user accounts and service accounts the user identities will be moved with the TFSConfig Identities command.
Can I move the identity within the same domain from userA to userB?
And would this happen in a way that there are no references to userA left in TFS database?
Before the migration we will upgrade from TFS 2017.3 to TFS 2018 or Azure Devops Server 2019.
Our general domain migration happend one year ago. The TFS resides in the former domain, say OLDDOMAIN. Every user OLDDOMAIN\initials got a new account as NEWDOMAIN\name.surname.
Unfortunately some users from the new domain where added to the local administrator group of TFS not knowing that TFS will sync them and create TFS identities and without having a clue about the consequences.
The idea is to change those identities from NEWDOMAIN\name.surname to a new user NEWDOMAIN\admin.name.surname OR OLDDOMAIN\initialsAdmin so that OLDDOMAIN\initials can be moved to NEWDOMAIN\user.surname.
The Identities Command is a powerful tool, but it has certain limitations. To help ensure a successful move, make sure that you understand the following requirements:
Once a user account is present in Azure DevOps Server, it cannot be removed or have another account mapped to it. For
example, if you are moving DomainA/UserA to DomainB/UserB, the
Identities command would only work to migrate the user if
DomainB/UserB is not already present in Azure DevOps Server.
Because the members of the local Administrators group are automatically added to Azure DevOps Server, make sure to remove any
accounts that you want migrated from that group before you change the
domain or environment.
As clearly declared in the document you referred, it's not able to map/move idenfity within the same domain from userA to userB.
If you are in this boat then you are hosed already. You may have 2 users as the same people and it will not allow you to change. Sorry for any inconvenience.
Google Console has "service accounts" and service accounts can be given write permissions to files. These files can then modified without any sort of user intervention and works as long as the service account has the appropriate permissions.
Is there anything similar for Microsoft Graph? We have a file in a SharePoint folder that we would like continued access to even if the people with access to that folder continuously changes.
Azure AD has a notion of Service Principals that can be used for this purpose.
I am currently setting up TFS 2018 on premise. We also are in the process of moving to a new domain. The users are in the old domain and the new TFS is in the other domain. When I go to the TFS url, i get prompted to select my cert or user name and password. When i use username and password it works just fine. When i select my cert that my user account in the new domain has i get prompted for my pin 3 times and then it says access denied.
is there something that has to be done in IIS to allow the site to leverage certificates or will that not work and my users will have to have username and password?
This is my first time setting this up and Im not finding alot of documentation around the authentication methods for TFS mainly around smartcards. TFS is setup for windows authentication.
Generally speaking, TFS must exist in the same domain as your users, or there must be a trust relationship between the domains.
There is some documentation on the subject although it's very old.
I'm configuring a private/onprem Windows build agent (vNext) for VSTS. I need to use a PAT, but this doesn't seem great long term as the longest I can set it for is 1 year - thus in a years time it will break and require updating. Is there a more 'permanent' solution or is this the only option? The documentation suggests PAT only for VSTS.
Thanks in advance!
A colleague found the answer in the FAQ:
https://www.visualstudio.com/en-gb/docs/build/admin/agents/v2-windows
How does the agent authenticate and communicate with the TFS AT?
The agent pool administrator role is needed only when you register an agent. At that time, the agent downloads an OAUth token so that it can listen to the queue. The account that you use in this role has no bearing on future communication between the agent and the TFS AT.
When a build is run, it generates an OAuth token for the scoped identity selected on the general tab of the build definition. That token is short lived and is used to access resources on the application tier.
Most importantly "The account that you use in this role has no bearing on future communication between the agent and the TFS AT."
Based on this article (Deploy an agent on Windows), you need to choose PAT for Team Services (step 9)
You need to use a PAT.
Since most organisations require password changes on all account much more regularly than yearly the likelihood of this being a big issue are next to nill.
Note: the PST is only used to authenticate and get a secret from the server that is the used for coms. Feel free to expire the PAT after you have configured the agent.
I'm trying to create an oauth2 token for an organization. This seems to be impossible (or at least I'm not finding it). This will be used for various one of scripts (non-web use). This is also for an enterprise github (github.company.com/api/v3 vs api.github.com).
I created one under my user like this:
curl -u 'username:password' -d '{"scopes":["scripts!"],"note":"test?"}' https://github.company.com/api/v3/authorizations
and that worked as expected. What I can't figure out is the magical way to do this under an organization since an organization doesn't have basic auth credientals. I haven't been able to find any documentation that tells me how to give something a client id/secret and get an oauth token out of it, which seems like the thing I would want to do.
If anyone could help that would be much appreciated.
At the moment of this writting this is not supported
You can't create a token for the org directly, but if you have a dev account that has full access to the org, you can do this (sort of), just in a round about way.
Create the oauth token for that dev account.
When registering the token with a 3rd party (e.g. Confluence, Jira, etc...) you can specify the org as the "Team"/"Owner".
This will use the dev accounts credentials but only grant access to things under the org (not full access to the dev account's repos, etc...).
I came across your question when trying to link a github org account with my company's Jira account, so figured I'd share.
Hope that helps.
I'm pretty sure that's not possible currently. As you say -- the organization itself doesn't have any credentials associated with it. So, the only way to do it is to do it yourself, as a developer, with your credentials.
This might be a cool feature request to send to the GitHub folks.
Update: this setting is now under
Developer settings > OAuth Applications