Access TFS in another domain - tfs

I need to access TFS outside the domain. I thought that I could publish the TFS through WAP, but it seems that TFS does not support the authentication used by ADFS. Any other idea on how to do this? Thanks.

TFS does not support ADFS. There is a user voice here; you can go and vote it up or submit a new user voice to achieve it in future.
However, to access TFS outside the domain you can try the items below:
- Try to provide access to TFS over a virtual private network (VPN).
- Try to provide access to TFS through a reverse proxy such as Microsoft Internet Security and Acceleration (ISA) Server.
- Try to host your TFS server on an extranet.
You can reference this article: Providing Internet Access to Team Foundation Server
Besides, you can use Visual Studio Online, connecting remotely is a good option. And if you are doing any cloud work it integrates nicely.
This link (http://msdn.microsoft.com/en-us/library/ms252507(v=vs.100).aspx) from Microsoft describes various domain \ work group combos for your reference.

Related

Call TFS API from non on-premise service

I want to call the TFS Rest API
https://www.visualstudio.com/en-us/docs/integrate/get-started/rest/basics#tfs
from an application that isn't on-premise with that instance of TFS (it'll be in Azure to be specific). Is that possible? Anything special needed to configure a cloud service to call on-premise?
Yes, it is possible. You need to make sure your TFS is accessible from the cloud or another server.
There is an article about providing internet access to TFS that can help you.

Is there a way to limit the verbs allowed by the TFS 2015 REST API?

Is it possible to allow only GET requests via the TFS 2015 REST API but still allow normal functionality through the Web interface and via Visual Studio?
More information:
Authentication and authorization are via Active Directory accounts, but we want to limit the operations that can be performed via the REST API only to retrieving, not changing, TFS data. A vendor has requested that we expose the REST API over the Internet, but management is reluctant unless it can be limited in this way. It may very well not be possible -- at least, my research has so far failed to turn up a solution -- but I want the opinions of people more experienced with TFS than myself.
No, this can't be achieved for the REST API. It seems you are searching for a setting or API like a private permission that only works for the REST API and does not affect the web portal or Visual Studio.
That is, unless you forbid the related permissions in all areas of TFS, as Tore suggested. For example: if the user can't change things through the REST API, he also can't do the same operation in the web portal and VS.
The permissions are the same whether you connect through Visual Studio, the web interface, the REST API or any other client. So if the user is only part of the READERS group it can only retrieve whereas being a member of the CONTRIBUTORS group will allow you to change things.

TFS express access for remote users

I have a TFS Express configured on my Windows server. Is it possible to invite a remote user by his email address, so that he can connect to the server and access project collections? I have been through a few similar SO posts, and tried to explore almost all parts of the admin panel, but couldn't find such a feature.
(I know this is available in case of visualstudio.com, but I need to invite a remote user to my locally hosted TFS).
Question:
- Is it even possible to allow remote user to access my TFS?
- If so, how to authenticate him?
Other Info: TFS is perfectly configured, and is accessible remotely as http://xyz:8080/tfs
No, this is not possible. When TFS is installed on-premise it reads its users from the Windows Active Directory and/or local Windows Server users.
When TFS is configured to be accessible remotely, like you say using an externally visible domain name, you need to register a Windows user either in Active Directory (preferred) or locally on the server.
To make your life easier, consider employing Visual Studio Team Services, the cloud service based offering that offers mostly the same services TFS does. It also provides 5 free users, doesn't need to be installed and maintained on a Windows Server, doesn't cost you a Windows Server license and allows you to invite people using their Microsoft Account/Windows Live ID.

How to allow vendors to manage TFS work items from outside corporate network

We use LDAP security for our TFS internally, but we have a few vendors who we would like to give web access to for viewing, creating or updating work items.
Can anyone recommend a good approach to accomplish this without moving our TFS host to an external location?
You will have to open your TFS externally and create user accounts for the vendors.
A couple of references to expose your TFS to the internet:
http://msdn.microsoft.com/en-us/library/bb668967.aspx
http://www.christiano.ch/wordpress/2010/05/01/microsoft-team-foundation-server-2010-and-external-access-fqdn/

TFS remote users... SSL + Password or VPN?

I'm currently tasked with setting up a TFS server for a client. The TFS will mainly be accessed by local (on-site) users through the internal network... Easy!
But what about the few remote users we have? Should they connect via VPN or is it better to make the TFS server public and have the users connect over SSL and provide username and password to the TFS?
Do you have any suggestions on how these solutions will perform compared to each other?
VPN is the way to go if you want the optimal TFS experience with TFS 2005 or TFS 2008. While TFS mainly uses web service based protocols that can all go over SSL, there are a few small things that will not work unless you have proper network access. For example:
- Viewing the Build Log (unless worked around)
- Access Team Build drops
- Publishing Test Results
As well as a few other little niggles. Going the VPN route will also mean that your TFS installation will vary less from a standard base TFS installation which gives you some peace of mind that you won't run into any problems when it comes to upgrading to a new version, applying service packs etc. (or at least any problems you run into will have been run into by many before :-) ). Going the SSL route you are treading a less worn path - though obviously plenty of people do run it that way including CodePlex and all the commercial companies that provide a hosted TFS installation.
The downside of VPN is that usually you are granting users access to an entire section of your network (unless you are running TFS in its own mini private network or something). If you go down the SSL route then be sure to properly test the new team projects as this is easy to break and you might not realise until you try and create one either inside or outside the network.
For additional information, see Chapter 17 of the TFS Guide.
I'd start with a few questions: does the client have a VPN? And are the remote consumers on this VPN already? How secure does this need to be?
(In our case, we have lots of outside vendors we don't want on our VPN, so our source control is publicly accessible with SSL)
When I did it, I used a VPN. It was easier to set up, and made sure that no-one could even see the machine without being authenticated via the VPN - this was obviously way better from a security standpoint, which trumped any performance benefit we would have got from using SSL, if there even was one...
My previous experience with TFS was in an environment where we had a team of developers staffed out at client sites all over the city. In many situations we still accessed our TFS instance instead of something at the client site. We used SSL with public access to TFS. It worked very well for us.
