I'm trying to use the Jenkins TFS Plugin and have trouble authenticating. I saw that user on the TFS administration, and gave it permissions on my project.
I've created a local user account (via Local Users and Groups) - TfsServer\TfsUserAdmin, and I'm trying to use it to authenticate against the TFS server.
I am able to use the name and password of the user. For example this works (though it prints an empty list):
tf workspaces -format:brief -server:http://TfsServer:8080/tfs/Redacted_Collection -login:TfsServer\TfsUserAdmin,RedactedPassword
If I change the password on the above command I get an error, so authentication does work.
The next command is:
tf workspace -new "RedactedWorkspaceName;" -noprompt -server:http://TfsServer:8080/tfs/Redacted_Collection -login:TfsServer\TfsUserAdmin,RedactedPassword
This fails with the error:
TF14045: The identity TfsServer\TfsUserAdmin is not a recognized identity.
I don't think I can change these commands, they are created by the plugin.
I've found people with similar errors, but none of them had the user name at the error - only a GUID or the server name.
Can I work with TFS and a local user?
You will likely need to use Shadow Accounts to get your Jenkins server to talk to TFS...
Create a local user on both your TFS server and your Jenkins server with the same Username & Password. Then use that account to authenticate.
This is the only way to get cross domain coms working without trust and is a feature of Windows & AD. If your org has disabled it you will need to look at creating a trust relationship between your domains.
I am creating a build environment and freshly installed jenkins with ActiveDirectory/LDAP auth.
We will have external users which should not be able to login to our domain computers but they should have access to jenkins/jira/... in order to develop with us (perhaps vpn for accessing some dev backends).
So for these users in active directory I set a dummy host they are able to logon (which means no computer at all). Jira/Confluence and dav_svn have no problem with this but it seems jenkins checks this property and refuses the access.
Can anybody tell me what "host" I have to put in there so that jenkins accepts a logon of these users? Or if I have to set a hidden config value in jenkins?
The users to accept are all in a special developer group. If I could simply pass the name of the group but even this does not help (matrix based): the user cannot login.
Thanks very much!
Aurel
I'm hosting a project on my Jenkins server. That project has a GitHub repo and I have it set up so it automatically builds new commits. In order for that to work, I need to input credentials for a github account that has full access to the repo.
The problem is that if I want him to add his login info to the credentials list, I'd have to give him access to all credentials on the server (I don't want that).
I tried using the credentials under "{username}" > "Credentials", but those didn't show up in the project setup (even with 100% access to everything on the server).
Is there a way for the user to store his credentials and use them for the project without giving him full access to all credentials on the server?
Add the user's credentials under Global security and then allow project based Matrix Authorization Strategy per project as shown:
I found the answer in this mailing list entry:
In short: You need to
install and activate the Authorize Projects Plugin,
enable "run as specific user" strategy in global security settings,
enable this for the project in question.
This allows you to use the credentials for this specific user.
Enabling ssh-agent is the final step to make this work conveniently.
I've installed opshub on my pc that is on domain ABC. I have successfully migrated projects from a TFS server on domain ABC to visual studio online. Now I've added a TFS server that is in domain DEF and it doesn't ask me for credentials for that server. I just get a blank collection list, I think it's trying to use my current credentials from domain ABC. How can I get it to ask me for the credentials to domain DEF when trying to access that server?
User level authentication details are stored inside the Team Foundation cache directory under the following locations. If you have already authenticated for the TFS server then details for that server are stored inside the cache directory. This won't ask you for credentials again while you are doing the next migration.
If you want to authenticate with the new credentials for different domain you need to clear data from the following directories.
C:\Users\{User}\AppData\Local\Microsoft\Team Foundation\4.0\Cache
C:\Users\{User}\AppData\Local\Microsoft\Team Foundation\5.0\Cache
Make sure the original folders remain there (Cache). Just remove the contents of those directories. Also make sure you close all the applications which use the TFS cache like visual studio, opshub migration utility.
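The cache-clearing steps from the answer above, as an added PowerShell example that is not part of the original post. It assumes the cache lives under the current user's `%LOCALAPPDATA%`; the `$BlockingProcesses` parameter is hypothetical and only knows `devenv` (Visual Studio) by default, so add the process name of any other TFS client you run.

```powershell
# Added example: clears the contents of the Team Foundation client cache
# folders named in the answer while keeping the Cache folders themselves.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Cache versions listed in the answer.
    [string[]]$Versions = @('4.0', '5.0'),
    # Processes that hold the cache open. 'devenv' is Visual Studio; other
    # names are an assumption you must supply (check Task Manager).
    [string[]]$BlockingProcesses = @('devenv')
)

# Refuse to touch the cache while a client that uses it is still running.
$running = Get-Process -Name $BlockingProcesses -ErrorAction SilentlyContinue
if ($running) {
    $names = ($running | Select-Object -ExpandProperty ProcessName -Unique) -join ', '
    Write-Error "Close these applications first: $names"
    return
}

foreach ($version in $Versions) {
    $cache = Join-Path $env:LOCALAPPDATA "Microsoft\Team Foundation\$version\Cache"

    # A client version that was never installed has no cache folder.
    if (-not (Test-Path -LiteralPath $cache -PathType Container)) {
        Write-Verbose "No cache folder for version $version, skipping."
        continue
    }

    # Remove only the children so the Cache folder itself remains.
    Get-ChildItem -LiteralPath $cache -Force | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.FullName, 'Remove cached TFS data')) {
            Remove-Item -LiteralPath $_.FullName -Recurse -Force
        }
    }
}
```

Run it with `-WhatIf` first to list what would be deleted without removing anything.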
See http://blogs.msdn.com/b/visualstudioalm/archive/2012/08/29/clearing-the-credentials-for-connecting-to-a-team-foundation-server.aspx for correct answer. It worked for me.
I have a prod domain and a test domain, unfortunately the only part I can install TFS in is a virtual machine in the test domain.
The question is, as developers, can we still access the tfs for source control? As far as I know it will use the windows credentials when connecting and those credentials won't exist in the test environment.
What can you suggest?
Yes, Team Explorer clients will try to authenticate with the default Windows credentials to the TFS server. If you're on different domains (and there's no trust relationship between them) then this authentication will fail and you'll be prompted to enter your username/password for the TFS server.
If you don't wish to be prompted each time, you can set up credentials for the server in the Windows Credential Manager in your Control Panel.
How can I add AD users to TFS users from a computer that can't connect to AD/domain? Structure is like this:
TFS Server, in AD/domain
My computer, with VS.NET, can't join to AD/domain
Only way to add AD users to TFS users list I could find is in VS.NET->Team->Team Foundation Server Settings->Security->Add users or groups->Windows user or group. Since my computer can't join to AD I can't see the AD in Locations list. Is there a way to do this without installing VS.NET to the server?
You can do this at the command line (Visual Studio Command line is easiest):
tfssecurity /g+ <tfsgroupidentifier> <user or group identifier> /collection:http://server:8080/tfs/collectionname
example:
tfssecurity /g+ "Scrum Project\Readers" "Contoso\CEO" /collection:http://contoso:8080/tfs/Default
WORKAROUND:
Here is a solution for adding users to TFS 2010 when your development machine doesn't have access to the remote domain.
Create the user on the server if you haven't already done so and Add the user to the ProjectTeam group.
Then on your local machine that isn't tied to the domain, simply create a user with the same username.
Right-Click on your project in Team Explorer and choose "Team Project Settings" --> "Group Membership..."
Click on the group you want to add the user to, and press the "Properties" button.
Select "Windows User or Group" and click "Add"...then just type in the username (you shouldn't need to specify the domain) - even if it initially identifies your current computer/domain...it should automatically change it to the remote domain.
Then you can delete that username from your local computer.
I spent about 4 hours trying to add a user for a remote domain before getting this to work.
Microsoft really should have thought about this scenario for remote developers, TFS running on remotely hosted servers and so on.
I hope that helps.
If you do decide you are ok with doing this from the TFS server, you don't need to install the whole Visual Studio 2008 client. Instead, just install the team explorer client. It will install the Visual Studio shell, along with the TFS tools, but no development language pieces.
I have this very same problem. The only way I have found to solve this is to have a computer that I can RDP to within the domain and add the user from there.
It's not pretty, but it works....
p.s. As long as you have permission on the domain, you could write a tool to do this.