Configure Kerberos auth for TFS 2013 - windows

I need to set up Kerberos authentication for TFS 2013. Is there any document that gives me steps to configure it? I have looked at the links below:
http://blogs.like10.com/2012/05/09/using-friendly-dns-names-in-your-tfs-environment-with-kerberos-authentication-part-1/
http://blogs.like10.com/2012/06/21/using-friendly-dns-names-in-your-tfs-environment-with-kerberos-authentication-part-2/
My TFS still takes NTLM auth type every time. I would really appreciate it if someone could send me links on how to configure Kerberos on Windows 7.

Kerberos is not a TFS capability but one of Active Directory. If you are able to get a nervous token on the TFS accounts with the delegated URL so in your SPN, then you only need to switch TFS over.
You might find the option in the console but I am getting that it is a setup option.
Run "tfsconfig.exe setup /uninstall:all" to undo your current configuration. Then, when configuring, select "advanced" and you should get an option for NTLM/Kerberos.

Related

How to access TFS server thru a proxy with authentication?

I am trying to access the TFS server of Codeplex thru a proxy that requires authentication and all I get is a 407.
I can navigate using the VS2010 browser and get Nuget packages so I know that the proxy is correctly configured but whenever I try to add the new TFS server I get a 407.
Any ideas?
I found the answer (even when I do not get why it is so difficult):
http://blogs.msdn.com/b/rido/archive/2010/05/06/how-to-connect-to-tfs-through-authenticated-web-proxy.aspx
Hope it helps somebody.

Secure Oozie Web Console not working from my Windows machine

I have set up a secure (Kerberos) Oozie environment in CentOS 6.3 using CDH 4.1.2. I am able to view the Oozie web console from the CentOS machine which is hosted on the server. But is there a way to view the web console from my local Windows machine?
I have tried creating an HTTP principal with my Windows machine as hostname. I am able to get a valid ticket for the HTTP principal. But when I open the Oozie Web Console, I get the following error:
org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
Am I missing something? Help me, guys.
Thanks,
Vishnu Ganth
This error occurs because your browser sends a request for NTLM authentication instead of Kerberos.
In Internet Explorer, follow the steps below:
Go to Internet Options.
In the Security tab, select Local intranet.
Click Custom Level below and make sure "Automatic logon only in Intranet zone" is selected under the User Authentication section.
In Internet Options, select the Advanced tab and make sure "Enable Integrated Windows Authentication" is selected under the Security section.
Once the above steps are done, it will work in both Internet Explorer and Google Chrome.
If you are accessing it from the cross realm, your Windows-based clients should know the KDC location to create a proper SPNEGO token. You need to either create a separate policy in your AD for that type of user, or you can manually add mappings from the command line to the client machines' registries so that they would know about your Hadoop realm KDC:
ksetup /addkdc HADOOP.DOMAIN.COM hadoop.nodewithkdc.com
ksetup /addhosttorealmmap hadoop.nodewithkdc.com HADOOP.DOMAIN.COM
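
Added example (not part of the answers above or of any project mentioned): both the TFS question and the Oozie error come down to the client sending an NTLM token where Kerberos was expected, and the first bytes of the Authorization header value show which one was sent. The function names and the sample tokens are constructed for illustration, and the mechanism check inside SPNEGO is a byte-search heuristic rather than a full ASN.1 parse.

```python
import base64

# DER-encoded OID bodies (RFC 4178, RFC 4121, MS-NLMP).
OID_SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10

def _gss_mech(raw):
    """Split a GSS-API initial token into (mechanism OID, remainder)."""
    if len(raw) < 4 or raw[0] != 0x60:   # 0x60 is the tag a GSS header check expects
        return b"", b""
    pos = 2 + (raw[1] & 0x7F if raw[1] & 0x80 else 0)   # skip short/long DER length
    if pos + 2 > len(raw) or raw[pos] != 0x06:
        return b"", b""
    end = pos + 2 + raw[pos + 1]
    return raw[pos + 2:end], raw[end:]

def classify_negotiate(header_value):
    """Classify the value of an HTTP Authorization header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm") or not b64:
        return "not-negotiate"
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return "malformed"
    if raw.startswith(b"NTLMSSP\x00"):
        return "raw-ntlm"                # no 0x60 tag, so a Kerberos-only server rejects it
    oid, rest = _gss_mech(raw)
    if oid == OID_KRB5:
        return "kerberos"
    if oid == OID_SPNEGO:                # heuristic: which mechanisms appear inside SPNEGO
        if OID_KRB5 in rest:
            return "spnego-kerberos"
        return "spnego-ntlm" if OID_NTLMSSP in rest else "spnego-other"
    return "unknown"

def _tlv(tag, body):                     # short-form DER, enough for the samples below
    return bytes([tag, len(body)]) + body

def constructed_samples():
    """Constructed tokens (not captured traffic): NTLM type 1 and a SPNEGO NegTokenInit."""
    ntlm = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(24)
    mechs = _tlv(0x06, OID_KRB5) + _tlv(0x06, OID_NTLMSSP)
    init = _tlv(0xA0, _tlv(0x30, _tlv(0xA0, _tlv(0x30, mechs))))
    spnego = _tlv(0x60, _tlv(0x06, OID_SPNEGO) + init)
    enc = lambda b: "Negotiate " + base64.b64encode(b).decode()
    return {"ntlm": enc(ntlm), "spnego": enc(spnego)}
```

A header value copied from a proxy or browser trace can be passed to classify_negotiate(); a "raw-ntlm" or "spnego-ntlm" result means the client never obtained a Kerberos ticket for the service.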

Can't connect to Team Foundation Server

I've been happily using Team Foundation Server with Visual Studio 2010 for the last couple of months at my current place of work when it has suddenly stopped working. I get the following errors:
If I browse to the wiki (Sharepoint) on the TFS server it works fine in Firefox but in Internet Explorer it fails with:
No authority could be contacted for authentication.
I'm not aware of any changes to the server or my machine that would cause the errors and other users of TFS are not affected.
The TFS server is on a different domain to my machine, but usually I get prompted to login and using a domain prefixed username works. At the moment, I don't even get a login prompt anymore.
How do I fix this?
I have recently started to experience a similar issue. We also host TFS on a different domain. Twice in the last week TFS has stopped authenticating users, and I have received messages similar to above. I have no idea what is causing this, but on each occasion SQL Server Agent service was stopped. A reboot of the server and a manual restart of SQL Server agent seems to fix the problem temporarily. I'm not sure if this information is helpful, but I would also really appreciate any help in getting to the bottom of this.
We used a workaround to get past this problem. We configured an entry in the Windows Stored User Names and Passwords tool for the domain of the TFS server. It got around the problem of TFS not prompting for credentials by explicitly supplying them via this tool.
When you change your password for that domain account, you must also change the password here otherwise your account can be locked after failing authentication too many times.
I had the same problem, sorted it by upgrading to TFS 2012.
In my case, I changed the default port 8080 to port 80 and everything worked fine. But the message could also happen due to wrong saved credentials. You can go to the Windows Control Panel, search for Credential Manager, and then remove your TFS credentials.

User configuration for TeamCity and Plastic SCM

I'm currently 'playing' with Plastic and their (brand new) TeamCity integration plugin.
The plugin blurb says "When installing Team City on Windows systems, it normally uses the SYSTEM user account. We recommend changing the user that executes the Team City application."
The thing is, I can't work out what kind of user I should substitute: I would like to be able to access Plastic (on the server) using AD, but wouldn't that mean that TeamCity would also have to run with a network user in order to be able to access Plastic?
An alternative (for me accessing Plastic) would be user/password - but I can't make the TeamCity service run with user/password.
Am I missing something obvious, or is the paint just too wet?
I'm also using PlasticSCM and the Team city plugin, this is my configuration:
For the server: configure your PlasticSCM server with LDAP authentication and select "Active Directory" as the server type.
For the client: configure your PlasticSCM client with LDAP authentication, use your credentials and try the "Test connection" button.
The client setup will generate a "client.conf" file at "C:\Users\your_user\AppData\Local\plastic". This file is used by PlasticSCM client to authenticate with the PlasticSCM server.
So, if your TeamCity service is running with the administrator account you have to place this file in your Administrator "...\AppData\Local\plastic" directory. If you change your TeamCity service to be run with your system account you don't need to do anything, the file is in the right place.
You have another option (if you are still running the TeamCity plugin as Admin), place the "client.conf" file where your "cm.exe" file is. Because the "cm.exe" is going to try to find this file first on its own location and then in the current user "AppData\Local\plastic" directory. This option is only valid if you are the only user working with PlasticSCM in the machine.
Hope it helps!

Web deployment task build failed

Scenario:
I successfully set up a TFS2010 webdeploy task for the solution. Everything worked fine until suddenly something went wrong in the deployment task.
The solution has 2 web projects. Those are configured to deploy on build and publish to the dev-server.
Does anybody know what is wrong in the build (information below)?
C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v10.0\Web\Microsoft.Web.Publishing.targets
(3847): Web deployment task failed.
((4.8.2011 11:01:10) An error occurred when the request was processed on the remote computer.)
(4.8.2011 11:01:10) An error occurred when the request was processed on the remote computer. Unable to perform the operation. Please contact your server administrator to check authorization and delegation settings.
I can give more information if someone needs it.
I encountered the same issue when building via TFS. When I tried to manually import the website I got a more informative error: "not able to log on the user \WDeployConfigWriter".
Turns out that when you install web deploy it sets up two local accounts WDeployConfigWriter and WDeployAdmin. The passwords on these accounts are set to expire. So reset the passwords on the web server and set to "never expire". Then go to Management Service Delegation in IIS. Each of the presented rules has a UserName field. Where it is WDeployAdmin or WDeployConfigWriter right click and update the credentials to the new passwords.
A full explanation with screenshots can be found here: http://workinghardinit.wordpress.com/2011/07/18/wdeployconfigwriter-account-issues-trouble-shooting-web-deploy-2-0-with-lessons-learned/
All you have to do is re-run the script "AddDelegationRules.ps1" located in "C:\Program Files\IIS\Microsoft Web Deploy V3\Scripts\"
This is the script that is run when web deploy is first installed. It will re-create any missing delegations, re-set the passwords for both WebDeployAdmin and WebDeployConfigWriter, and add WebDeployAdmin back to the Administrators group.
You would still need to set the password on each account not to expire after re-running the script.
We had the same issue-- in our case we are only using MSDeploy (without TFS). Resetting the password for those 2 local accounts (WDeployConfigWriter and WDeployAdmin) solved the problem as their passwords had expired. We attempted to change the password policy to never expire, but only a local Administrator can do that.
Run this command: lusrmgr.msc
Double-click on user and
double-click the account name, and tick "password never expires".
Done.
In my case it was a botched install of Web Deploy.
Uninstalling then re-installing Web Deploy fixed it for me -- Repairing didn't help.
