TFS 2018 fails to use smartcards - tfs

I am currently setting up TFS 2018 on premise. We also are in the process of moving to a new domain. The users are in the old domain and the new TFS is in the other domain. When I go to the TFS URL, I get prompted to select my cert or user name and password. When I use username and password it works just fine. When I select the cert that my user account in the new domain has, I get prompted for my PIN 3 times and then it says access denied.
Is there something that has to be done in IIS to allow the site to leverage certificates, or will that not work and my users will have to have username and password?
This is my first time setting this up and I'm not finding a lot of documentation around the authentication methods for TFS, mainly around smartcards. TFS is set up for Windows authentication.

Generally speaking, TFS must exist in the same domain as your users, or there must be a trust relationship between the domains.
There is some documentation on the subject although it's very old.

Related

Can I change TFS identities "around"

We are facing a TFS domain migration.
As written in the TFS documentation "Move user accounts and service accounts", the user identities will be moved with the TFSConfig Identities command.
Can I move the identity within the same domain from userA to userB?
And would this happen in a way that there are no references to userA left in TFS database?
Before the migration we will upgrade from TFS 2017.3 to TFS 2018 or Azure Devops Server 2019.
Our general domain migration happened one year ago. The TFS resides in the former domain, say OLDDOMAIN. Every user OLDDOMAIN\initials got a new account as NEWDOMAIN\name.surname.
Unfortunately some users from the new domain were added to the local administrator group of TFS, not knowing that TFS will sync them and create TFS identities, and without having a clue about the consequences.
The idea is to change those identities from NEWDOMAIN\name.surname to a new user NEWDOMAIN\admin.name.surname OR OLDDOMAIN\initialsAdmin so that OLDDOMAIN\initials can be moved to NEWDOMAIN\user.surname.
The Identities Command is a powerful tool, but it has certain limitations. To help ensure a successful move, make sure that you understand the following requirements:
Once a user account is present in Azure DevOps Server, it cannot be removed or have another account mapped to it. For example, if you are moving DomainA/UserA to DomainB/UserB, the Identities command would only work to migrate the user if DomainB/UserB is not already present in Azure DevOps Server.
Because the members of the local Administrators group are automatically added to Azure DevOps Server, make sure to remove any accounts that you want migrated from that group before you change the domain or environment.
As clearly declared in the document you referred to, it's not possible to map/move an identity within the same domain from userA to userB.
If you are in this boat then you are hosed already. You may have 2 users as the same people and it will not allow you to change. Sorry for any inconvenience.
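A pre-migration check for the situation described in this thread, added here as an example (it is not code from the posters or from the Microsoft documentation): run on the TFS application-tier server, it lists domain accounts from the new domain that sit in the local Administrators group and flags any that are also planned migration targets. `Find-MigrationBlockers` is a hypothetical helper name, and the domain and account names are the thread's placeholders.

```powershell
# Added example. Placeholder values taken from the thread's naming scheme.
$newDomain      = 'NEWDOMAIN'
$plannedTargets = @(
    'NEWDOMAIN\name.surname'     # account an OLDDOMAIN identity should be moved to
)

function Find-MigrationBlockers {
    param(
        [string[]]$Members,         # 'DOMAIN\account' strings
        [string[]]$PlannedTargets,  # accounts that must NOT yet exist in TFS
        [string]$NewDomain
    )
    foreach ($member in $Members) {
        # Split 'DOMAIN\account' once, on the first backslash.
        $domain, $account = $member -split '\\', 2
        # Local machine accounts and other domains are not relevant here.
        if ($domain -ne $NewDomain) { continue }
        [pscustomobject]@{
            Account         = $member
            # True: this account is synced into TFS via the Administrators
            # group, so the Identities command can no longer map onto it.
            IsPlannedTarget = $PlannedTargets -contains $member
        }
    }
}

# Get-LocalGroupMember is the built-in cmdlet for local group membership.
$members = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' } |
    Select-Object -ExpandProperty Name

Find-MigrationBlockers -Members $members `
                       -PlannedTargets $plannedTargets `
                       -NewDomain $newDomain |
    Sort-Object IsPlannedTarget -Descending |
    Format-Table -AutoSize
```

Any row with `IsPlannedTarget` set to `True` is an account to remove from the group before the domain change, as the quoted documentation requires.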

What is the benefit of implementing Active Directory based Security to servers like Jenkins

What is the benefit of implementing Active Directory based Security to servers like Jenkins?
The only benefit I can think of is that the admin of the server does not need to add/remove users, because users can log in themselves using their AD credentials.
But in my case I do not want to have the whole company access my server. The server is only used by my team. How can I prevent the whole company from logging in? (case1)
Besides, I want to grant different permissions to different members in my team. The new members get less permission, the experienced team members get more permissions. I believe this is very common. But using Active Directory based Security, it looks like they get the same permission because they are in the same groups. (case2)
So why should I use Active Directory based Security? Can I resolve the above two cases in a server configured with Active Directory based Security?
Some corporate environments make this a security requirement. In said environments they usually have an internal request system where users can request they have their credentials added to an appropriate group for access to Jenkins. This is better than Jenkins' own database and having them email you, the Jenkins administrator.
Once AD Authentication is configured in Jenkins and appropriate groups created in AD you can do a one-time setup of those groups with the Role-Based Strategy plugin in Jenkins and define what those groups have authorization to do.
Plan your groups well and it is a function that you will no longer have to worry about.
Warning: Be very careful when switching over from Jenkins' own database user authentication to AD authentication. If you don't get the BindDN details just right you can get locked out.

Point Visual Studio at TFS on another domain

Is there a way for our development team to point Visual Studio at an instance of TFS on another domain?
Pretty green when it comes to Team Foundation Server and not sure if this should go in the overflow that handles IT admin stuff (from my understanding stackoverflow is more code related).
We just got bought by another company and they want us to use their TFS that resides on their domain. We are working on getting to one domain, but in the meantime we still have two separate domains that talk enough to get by.
Just as Daniel said, just make sure there is a trust relationship between the domains.
Generally, if you can access the TFS that resides on another domain with your current domain user, then everything should be OK.
For more information, please see "Trusts and Forests Considerations for Team Foundation Server" and "Grant the Allowed to Authenticate permission on computers in the trusting domain or forest" for details.
You can also reference this related thread: "TFS Cross-domain authentication without trust"

install thingsboard but there is not “Devices” section

I installed ThingsBoard on Windows 10. I used this site to install: https://thingsboard.io/docs/user-guide/install/windows/
I want to do this project: https://www.hackster.io/thingsboard/temperature-dashboard-using-arduino-uno-esp8266-and-mqtt-5e26eb
After the install completed, I log in at http://localhost:8080 with
login: sysadmin@thingsboard.org password: sysadmin. I want to add a device but there is no “Devices” section.
I had the same problems. It appears the getting started tutorial misses a few steps.
First try creating a new Tenant, then create a new user. You should then see the missing sections appear!
In order to have a device you must have a tenant to link it to. I'm learning as you are.
(If you attempt the OPC connection) Once you have gotten past this point, you will also see that there are certificate errors if you try to connect to the KepServerEX demo as mentioned in the getting started tutorial. I changed the time on my computer, since the certificate is expired as of this month, a date that has already passed (I don't recall exactly when).
Once you get past that small hurdle you will find another problem with the demo configuration, as explained here: https://github.com/thingsboard/thingsboard-gateway/issues/30
All dashboards and customers in ThingsBoard are tied to a Tenant. ThingsBoard supports multiple Tenants. When you are logged in as system administrator, ThingsBoard can't know which of the tenants to show, so no dashboards or customers are shown.
The system administrator account is for system administration tasks, not for dashboard or customer tasks. If you want to manage dashboards or customers, log in as the Tenant or Customer you want to manage.
You should try with a different user:
username: tenant@thingsboard.org
password: tenant
pretty much mentioned in the doc!!!

Team Foundation Server 2015 - Allow anonymous access to Web Portal

Is it possible to allow anonymous access to the TFS web portal?
It would be nice to be able to allow users who are not logged in to access /tfs/DefaultCollection/ProjectName/_dashboards and also preferably the information in the Work tab.
I tried adding the Everyone group in the Access levels tab, in the security tab for the collection, on the security tab for the project, and also on the collection on the TFS server, as well as enabling Anonymous authentication on the IIS server, but am not having any luck.
Still getting a prompt to log on when trying to navigate to the dashboard and if I cancel that I get this error:
Error
The page you are looking for is currently unavailable.
TF400813: Resource not available for anonymous access. Client authentication required.
More information about this error
TF400813: Resource not available for anonymous access. Client authentication required.
Is it possible to fix this?
No, TFS does not support anonymous access for now. Refer to the Q&A in this blog for details: https://blogs.msdn.microsoft.com/bharry/2015/02/23/vs-2015-ctp6-and-tfs-2015-ctp1-shipped-today/
bharry
@Karl, we don't currently have anonymous access in TFS 2015 but it's
been a hot topic lately. We're looking at how we could get it done
before too long.
I have not checked but do not think it is possible today.
While you can go to IIS and enable Anonymous, TFS is designed in a way that each call to the server is tied to a previously authenticated user.
I will not be surprised of a change in the future, because it is a limit for the service offered in VSTS; in fact you can only have private projects in today's VSTS. If this limitation is lifted in VSTS, we will get it for free in TFS.
