Team Foundation Server 2015 - Allow anonymous access to Web Portal - tfs

Is it possible to allow anonymous access to the tfs web portal?
Would be nice to be able to allow users who are not logged in to access /tfs/DefaultCollection/ProjectName/_dashboards and also preferably the information in the Work tab.
Tried adding the Everyone group in the Access levels tab, in the security tab for the collection, on the security tab for the project and also on the collection on the TFS server, as well as enabling Anonymous authentication on the IIS server, but not having any luck.
Still getting a prompt to log on when trying to navigate to the dashboard and if I cancel that I get this error:
Error
The page you are looking for is currently unavailable.
TF400813: Resource not available for anonymous access. Client authentication required.
More information about this error
TF400813: Resource not available for anonymous access. Client authentication required.
Is it possible to fix this?

No, TFS does not support anonymous access for now. Refer to the Q&A in this blog for details: https://blogs.msdn.microsoft.com/bharry/2015/02/23/vs-2015-ctp6-and-tfs-2015-ctp1-shipped-today/
bharry
@Karl, we don't currently have anonymous access in TFS 2015 but it's
been a hot topic lately. We're looking at how we could get it done
before too long.

I have not checked but do not think it is possible today.
While you can go to IIS and enable Anonymous, TFS is designed in a way that each call to the server is tied to a previously authenticated user.
I will not be surprised of a change in the future, because it is a limit for the service offered in VSTS; in fact you can only have private projects in today's VSTS. If this limitation is lifted in VSTS, we will get it for free in TFS.

Related

TFS 2018 fails to use smartcards

I am currently setting up TFS 2018 on premise. We also are in the process of moving to a new domain. The users are in the old domain and the new TFS is in the other domain. When I go to the TFS URL, I get prompted to select my cert or user name and password. When I use username and password it works just fine. When I select my cert that my user account in the new domain has, I get prompted for my PIN 3 times and then it says access denied.
Is there something that has to be done in IIS to allow the site to leverage certificates, or will that not work and my users will have to have username and password?
This is my first time setting this up and I'm not finding a lot of documentation around the authentication methods for TFS, mainly around smartcards. TFS is set up for Windows authentication.
Generally speaking, TFS must exist in the same domain as your users, or there must be a trust relationship between the domains.
There is some documentation on the subject although it's very old.

Access TFS in another domain

I need to access TFS outside the domain. I thought that I can publish the TFS through WAP, but it seems that TFS does not support the authentication used by ADFS. Any other idea on how to do this? Thanks.
TFS does not support ADFS. There is a user voice here; you can go and vote it up or submit a new user voice to achieve it in the future.
However, to access TFS outside the domain you can try the items below:
Try to provide access to TFS over a virtual private network (VPN).
Try to provide access to TFS through a reverse proxy such as Microsoft Internet Security and Acceleration (ISA) Server.
Try to host your TFS server on an extranet.
You can reference this article : Providing Internet Access to Team Foundation Server
Besides, you can use Visual Studio Online, connecting remotely is a good option. And if you are doing any cloud work it integrates nicely.
This link (http://msdn.microsoft.com/en-us/library/ms252507(v=vs.100).aspx) from Microsoft describes various domain \ work group combos for your reference.

My Visual Studio work items show Microsoft Services in the potential assignee list

How do I remove these strange services from the list of available assignees?
I have got the same result as you. Not sure if it's by design or a bug due to the recent escalation of VSTS.
You could submit a bug in this place, Develop Community-Team Services, and you will get a quick response from the development team.
For now, as a workaround, you could use the Assign To option of the work item in the web. It works well without those annoying Microsoft services.
This is an expected behavior. Refer to this link for details: Unexpected entries appear in "Assigned To" list in Team Explorer when connecting to a VSTS team project.
Posted by Sean [MSFT] on 7/15/2016 at 7:10 AM
This is as designed for VSTS if you are connecting from VS. The reason
you don't see the identities from Web Access when searching is because
the data source is different. It's connecting to our identity service
which can filter down results to only the identities which are users.
You can still manually type in one of those identities above and the
work item will save fine.
The VS client can only use local metadata, which means it doesn't
have the extra information that the identity service has for
determining if it should show a user or not in the picker.
I'm sorry for the confusion, and hope this feedback is helpful.

Is there a way to limit the verbs allowed by the TFS 2015 REST API?

Is it possible to allow only GET requests via the TFS 2015 REST API but still allow normal functionality through the Web interface and via Visual Studio?
More information:
Authentication and authorization are via Active Directory accounts, but we want to limit the operations that can be performed via the REST API only to retrieving, not changing, TFS data. A vendor has requested that we expose the REST API over the Internet, but management is reluctant unless it can be limited in this way. It may very well not be possible -- at least, my research has so far failed to turn up a solution -- but I want the opinions of people more experienced with TFS than myself.
No, this can't be achieved for the REST API. It seems you are searching for a setting or API like a private permission that only works for the REST API and does not affect the web portal or Visual Studio.
Unless you forbid the related permissions in all areas of TFS, as Tore suggested. For example: if the user can't change things through the REST API, he also can't do the same operation in the web portal and VS.
The permissions are the same whether you connect through Visual Studio, the web interface, the REST API or any other client. So if the user is only part of the READERS group it can only retrieve whereas being a member of the CONTRIBUTORS group will allow you to change things.

Need to restrict TFS users by IP

We have 2 subnets (VLAN1 and VLAN2). TFS is installed on a server with both network interfaces.
Domain controller is up for all subnets.
VLAN1 is the main office with many computers (and users). VLAN2 is in a highly secured area for developers only.
VLAN1 users use TFS for posting bugs, viewing progress etc. VLAN2 users use it at full.
The problem is - to restrict access to sources from VLAN1 even for developer user accounts.
Denying access to TFS from VLAN1 for developer users is a valid answer too, but I do not know how((
Any ideas??
EDIT - From comment to answer from @Robaticus
The point is to restrict reading sources from outside.
If you block (at the network) port 8080 (the default), users won't have access to TFS through Team Explorer, only through the website at port 8090 (also the default).
Valid users would still be able to view source through the web portal, but would not be able to update it.
EDIT
Based on the requirement to restrict reading of sources from people outside, if you first do what was mentioned above (blocking 8080), you could always secure the directories for the source control under Team System Web Access. This might be a little ugly (giving 401 errors), but it might work.
It looks like the directory that would need to be secured is under the website:
Team System Web Access->UI->Pages->Scc
This would remove source code browsing from the Web UI for everyone, though. In my opinion, that wouldn't be a real problem, as this function likely gets used only rarely.
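One way to apply the "block port 8080" step from the answer above so that it only affects VLAN1 while VLAN2 keeps full access, shown as an added example that is not part of the original answer. It assumes Windows Firewall is enabled on the TFS server, a Windows Server version with the NetSecurity module (2012 or later), and uses `192.0.2.0/24` as a placeholder for the VLAN1 range; the rule name is hypothetical.

```powershell
# Added example; constructed values, not from the original post.
# Assumptions: run elevated on the TFS server, Windows Server 2012 or later,
# Windows Firewall enabled; 192.0.2.0/24 stands in for the real VLAN1 subnet.
$ruleName    = 'TFS 8080 - block VLAN1'   # hypothetical rule name
$vlan1Subnet = '192.0.2.0/24'             # placeholder for the VLAN1 range
$tfsPort     = 8080                       # port named in the answer

# Remove any earlier copy of the rule so the script can be re-run safely.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Block inbound TCP 8080 only when the source address is in VLAN1.
# Block rules win over allow rules, so an existing "allow 8080" rule
# keeps working for VLAN2 clients.
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound -Protocol TCP -LocalPort $tfsPort `
    -RemoteAddress $vlan1Subnet -Action Block -Profile Any |
    Out-Null

# Read the rule back and show the scope that was actually stored.
$rule = Get-NetFirewallRule -DisplayName $ruleName
[pscustomobject]@{
    Rule          = $rule.DisplayName
    Enabled       = $rule.Enabled
    Action        = $rule.Action
    LocalPort     = ($rule | Get-NetFirewallPortFilter).LocalPort
    RemoteAddress = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
}

# Check the effect from one client in each subnet:
#   Test-NetConnection -ComputerName <tfs-server> -Port 8080
# TcpTestSucceeded should be False from VLAN1 and True from VLAN2.
```

The rule filters on source address, so it holds only if VLAN1 hosts cannot reach the server through an address translated into the VLAN2 range.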
